Hello , sorry for this another noob question. Is there a way that we can set a search result to a token in js ? For example:  <row> <panel depends="$panel_show$"> <single> <search> <query>|makeresults|eval result=1016</query> <done> <set token="mytoken">$result.result$</set> </done> </search> <option name="rangeColors">["0x006d9c","0xf8be34","0xf1813f","0xdc4e41"]</option> <option name="rangeValues">[100,200,300]</option> <option name="underLabel">cool number</option> <option name="useColors">1</option> </single> </panel> </row> "<done> <set token="mytoken">$result.result$</set> </done>" is there a way to transfer this to js ?  thank you

I have upgraded to Splunk 8.2.3 recently in a test environment. The last step in upgrading our slightly outdated environment is to migrate the KVStore. I don't understand the directions. What system are we going into "the server.conf in the $SPLUNK_HOME/etc/system/local/ directory." Is it in the Deployer? Cluster Master? Any of the search heads we have? If that file is edited in one system, how is it being pushed to the search heads?  Also could we leave the variable storageEngineMigration=true in that file or does it have to stay as false when not migrating?  Thank you! @https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/MigrateKVstore

I'm trying to extract a number that may not always be formatted the same way every time. Examples:     OK: Process matching httpd is using 0% CPU OK: Process matching httpd is using 1.1% CPU OK: Process matching httpd is using 24.1% CPU       It's the "0%" that is tripping me up. This will work for numbers with a decimal but not for a percentage that is just "0".     rex "using\s(?<CPU_util_perc>\d+.\d+)\%"       Any help is greatly appreciated.

I wanted to join services (part of same index) with common field and show chosen fields from both searches.. Index=test service=serv1 Name RecordID Version Index=test service=serv2 State RecordID Version wants to combine two searches by RecordID from Service2  (meaning to optimize query needs to first take RecordID from Service2 and match with Service1)... and notice fieldname Version is common both services. so hence wants to rename version field in service2 to version2.  And final result is Name Version1 Version2  SQL Query: Select A.Name, A.version, B.version from Service1 A, Service2 B where B.RecordID = A.RecordID  

Hello, I don't understand why a file coming from a windows based UF does not get indexed properly.  By this I mean that some fields contain newlines that are interpreted by Splunk as event delimiters thus turning a single event into multiple events.  I can index that same file manually or from a folder input on a unix filesystem without issue. I am using Splunk Enterprise 8.0.5 with UF 8.0.5 running on Windows 10 VM.  I am trying to index ServiceNow ticket data contained in an ANSI encoded CSV file. Scenarios that work and do not work: I upload the CSV manually through the "Add Data" wizard specifying the sourcetype and it works I deposit the CSV in a local folder on the same VM Splunk Enterprise is installed, configured with the same sourcetype, and it works I deposit the CSV in a local folder on the same VM the UF is installed, configured with the same sourcetype, and it does not work I have no idea why this last scenario does not work.  Here is a simple diagram outlining the second and third scenarios (the third one doesn't work and is highlighted in red): Here is the file I am trying to index (contains one ticket):     "company","opened_by","number","state","opened_at","short_description","cmdb_ci","description","subcategory","hold_reason","assignment_group","resolved_at","resolved_by","category","u_category","assigned_to","closed_by","priority","sys_updated_by","sys_updated_on","active","business_service","child_incidents","close_notes","close_code","contact_type","sys_created_by","sys_created_on","escalation","incident_state","impact","parent","parent_incident","problem_id","reassignment_count","reopen_count","severity","sys_class_name","urgency","u_steps","closed_at","sys_tags","reopened_by","u_process","u_reference_area","calendar_duration","business_duration" "XXX4-S.A.U.R.O.N","Jane Doe","INC000001","Closed","2021-06-01 08:34:04","Short description","SYS","Dear All, For some reason this data doesn't get indexed incorrectly. There are two LF characters between this line and the previous one: THIS ON THE OTHER HAND HAS A SINGLE LF ABOVE Manual upload works, but input from windows does not... Thank you for your help and assitance. Jack","ERP","","ABC-123-ERB-SWD-AB-XXX","2021-06-10 10:19:14","Jack Frost","SOFTWARE","Query","Raja xxxxxx","Jack Frost","3 - Moderate","XXXXXX@DIDI.IT","2021-06-15 23:00:02","false","AWD Services","0","closure confirmed by XXXXX@fox.COM ","Solved (Permanently)","Self-service","XXXXX@fox.COM","2021-06-01 08:34:04","Normal","Closed","3 - Low","","","","1","0","3 - Low","Incident","1 - High","0","2021-06-15 11:00:11","","","DATA","DATA","783910","201600"     here is the props.conf stanza which has been positioned exclusively on the indexer:     [snow_tickets] LINE_BREAKER = ([\r\n])+ DATETIME_CONFIG = NO_BINARY_CHECK = true MAX_EVENTS = 20000 TRUNCATE = 20000 TIME_FORMAT = %Y-%m-%d %H:%M:%S TZ = Europe/Rome category = Structured pulldown_type = 1 disabled = false INDEXED_EXTRACTIONS = csv KV_MODE = SHOULD_LINEMERGE = false TIMESTAMP_FIELDS = sys_updated_on CHARSET = MS-ANSI BREAK_ONLY_BEFORE_DATE =     here is a screenshot of the data coming from the local folder (works): here is what it looks like when it comes from the windows UF: as you can see, it treats a newline as a new event, and does not seem to recognise the sourcetype. Is there any blatantly obvious thing that I've missed?  Any push in the right direction would be great! Thank you and best regards, Andrew

Hello,  Thank you for taking the time to read/consider my question, it's very much appreciated.  I'm revamping a legacy Splunk deployment for a mid-size company that I work for and have recently deployed IT essentials work to monitor the health of both Windows and *nix hosts in our environment, this app has many wonderful features and visualizations, even though some/most are locked behind the ITSI paywall.  What I'm wondering (mainly from a security perspective), is if there's equivalent apps that Splunk (or third parties, or even individuals) have developed to visualize network & authentication data that is collected from Windows and Unix endpoints. I know network bandwidth is included within the ITE suite, which is terrific, but doesn't help me identify which processes are linked to remote network connections, or track lateral movement across the network.  Do people usually just develop apps internally that take care of this? If that's the case than that's totally fine and I completely understand admins not wanting to share that outside of their own organization, but I can't help but feel that I'm not the only one in this boat, and there must be others with this conundrum as well. As far as I know this is something that used to be dealt with rather well by the purpose built apps by Splunk for Windows and *nix systems, but now that these are going to be deprecated this year I'd like a long-term solution to this problem.  If these types of visualizations are typically reserved for EDR/EPP apps like Crowdstrike, Cylance, S1, Sophos, etc. I also get that, but I'm not actually sure if these apps all have dashboards that would allow you to filter by host, user, process, etc to identify suspicious remote network connections, or authentication attempts across a wide swath of monitored systems.  Again, I'd like to reiterate my appreciation for you taking the time to consider my question. I'm sure there's a simple solution to this that I just have not thought of or stumbled across in my research, but rather than waste another week or two trying to find what everyone else is doing for this I figured I'd just ask the experts myself.  Thanks again!

I have seen a couple of answers about use of proxies by "curl" where it is stated that it is not possible to specify a specific proxy for each request, but it was not clear to me whether it is possible to use a proxy configured at the system level. I see in the code that you write "### Doesnt use the HTTP_PROXY or HTTPS_PROXY defined in splunk-launch.conf". But is there a way to get the "requests" call to pick up another proxy config, e.g. in Splunk's server.conf/proxyConfig or in Linux's /etc/environment? In short is there any way to get TA-webtools curl to use a proxy? Thanks