Hi All, We want to ingest ZAP(Zero-hour auto purge) logs into Splunk. We are using Splunk Add-on for Microsoft Office 365 app. So, is there a way to ingest ZAP(Zero-hour auto purge) logs using the mentioned Splunk App. If not is there any other Splunk app that would help us in ingesting ZAP(Zero-hour auto purge) logs. Please help me with the above information.

Hi, In all snapshots > Business Transaction is showing as (Not Found(id:350432)) and all calls are shown as "stall". I have been able to disable the stall and enable it again after 10 minutes. any idea how I can fix this? ^ Post edited by @Ryan.Paredez for minor formatting

My requirement is to get the rate of change of a certain parameter if its corresponding alert gets triggered. To add more details, we have a log file that logs the backlog of database. Once the backlog crosses a certain threshold we trigger an alert, however it could be a false positive since the system may be undergoing maintenance and hence backlog grows. So I want the alert to trigger another query that captures rate of growth over the last 'x' hours. This will give more context about what is happening in the system. How to achieve this in splunk? Please share your ideas

Hello everyone, I'm pretty new to Splunk and mostly learning as I go, so please bear with me if this is a common question or an easy answer as I'm still figuring out alot of things I'm building a specific search string that will seperate 1 field of information, with 5 different unique field names, counting them, and mapping this data to build a trending chart. Our data is pulled in on a daily basis. My search query works so far (although it's probably not optimized), and I'm now moving forward into the formatting stage. What I want is to ensure my chart can work off of our main dashboard that has a time picker, so that we can see the trending of our data from day, month, year, etc. My query is working, but what I'm encountering is that in the chart the data will load in on a daily mapping no matter what filter is set. This is fine on a weekly, or daily filter, but when I want to view this with larger sets of data such as monthly or yearly, this comes out a bit messy. Is it possible to tweak the search string so that when the data is viewed with a monthly filter, it will give the the values from the month and put the highest amount on the chart instead of every day of the month? If not, I think the other solution may just be to make a separate chart for a monthly view. That's fine too, but just thought I would ask! Thank you in advance and screenshot is below  showing what I see when changing to a "monthly" view along with a snippet of the search string.     | stats count(eval(severity=="Low")) AS Low by _time | chart values(Low) over _time        

We have onboard a firewall log from Forcepoint, and they were not parsing properly in Splunk. We try to find add-on to ingest the log but we found none. Is there any way we can do to solved this issue. Here is example for our current fw log; Feb 17 10:25:09 172.XX.XX0.XX0 "2022-02-17 10:25:51","3350841932","172.XX.XXX.XXX","Packet Filtering","Notification","New connection","Allow","123.XXX.XXX.XX","113.XX.XXX.XXX","DNS (UDP)","17","52129","53","4372.39","123.XXX.XXX.XXX","17X.XXX.XXX.XX","52129","53",,"129",,,,,,,,,,,,,,"DC-Node-01",,"2097953.17",,,"2022-02-17 10:25:51","Firewall","Connection_Allowed",,,"6899901665942596693",,,,   Please advise.

Summary: When using the table command, values are dropped if { is the first character.     index=someindex host="VVV" source=somesource earliest=-24h  action           NOT( ACTION ="SUMMARY" OR ACTION="RESULT")           | dedup ID         |rename ID as "Rcrds Prcssd To Date"           | rename EVENT_DT as "Date Time" EVENT as "API EVENT"           |convert ctime(_time) as RunDate timeformat="%m/%d/%Y %H:%M %p"           |table ID,RunDate,ACTION, "API EVENT"           |SORT -ID   When the "API EVENT" field has a { starting value, the remaining values are dropped. If I replace  |table ID,RunDate,ACTION, "API EVENT" with |fields ID,RunDate,ACTION, "API EVENT" I see the { and the remaining values for "API EVENT"   Why is the table comm, and dropping values?

Query: index=xxx source=Perfmon:LogicalDisk host=$h$ ( counter="Disk Reads/sec" OR counter="Disk Writes/sec" ) | eval read_ops=IF(counter="Disk Reads/sec",Value,0) | eval write_ops=IF(counter="Disk Writes/sec",Value,0) | eval tot_ops=write_ops+read_ops | fields read_ops write_ops tot_ops | timechart max(read_ops) max(write_ops) max(tot_ops) Need to sum the read_ops and write_ops into field total ops for each time interval (1 min) for a timechart. Because the writes ops and read ops values are in separate rows per time interval. example below: 2/16/22 5:29:59.000 PM   02/16/2022 17:29:59.224 -0500 collection=LogicalDisk object=LogicalDisk counter="Disk Writes/sec" instance=_Total Value=27.222955244825506 Collapse     2/16/22 5:29:59.000 PM   02/16/2022 17:29:59.224 -0500 collection=LogicalDisk object=LogicalDisk counter="Disk Reads/sec" instance=_Total Value=5.316598854323969 Collapse  

I would like to list results from two events that are linked via common field (system_id), but searched via value only found in one event. Event1: client phone_number request_type system_id Event2: client_bank bank_request response_code system_id Both events share the same system_id, however, I only know the phone_number and need to use that to list both events. Any help would be greatly appreciated.

Hi , I am facing a weird issue - where on a Splunk indexer I am trying to filter out log events using props and transforms file.  I have noticed that filtering of log events works perfectly fine for sourcetypes which are not defined or do not exsist in Splunk default config. For example Okta, Jenkins,fluentd etc. As soon as I try to filter IIS/Catalina sourcetype - it never works .  For example this is my props - which is filtering journald sourcetype but not iis Props  [iis] TRANSFORMS-routing = setnull [journald] TRANSFORMS-routing = setnull Transforms  [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue  

Does anyone know where I can find some already created Splunk use cases for github webhook logs? I am having a really hard time googling for a dump of github based splunk searches because of the keyword github. I am trying to look for commits in github with no approvals. I have identified the search for all commits and the search for finding approvals for those commits but I am unsure how to stich them together in a single query to produce actionable results. The commit log and the approval log are separate logs but both have a unique identifier for the commit. More info: Here is the query for the approval and the corresponding log. These logs are heavily redacted and I am only including what is relevant. Logs come in through HEC so they are JSON. index=github action=submitted review.state=approved pull_request.head.sha!="" { action: submitted pull_request: { head: { sha: <commit-id> } } review: { state: approved } } Here is the log of the merge, it has no action so I'm using this query: index=github after!="" { after: <commit-id> before: <previous-commit-id> enterprise: {} head_commit: {} organization: {} pusher: {} repository: {} sender: {} } I've been trying to create a table that includes both of these logs with no luck. index=github after!="" [search index=github action=submitted review.state=approved pull_request.head.sha!="" |table pull_request.head.sha review.state | rename pull_request.head.sha as commit-id] |table after |rename after as commit-id So I am essentially looking for commit logs with no approval and trying to link the tables together with after/pull_request.head.sha as both of these values are unique commit ID's. Ideally I would want to alert on each occurrence of an unapproved merge.

Below is the usual Splunk Search line in addressVal is not equal to outAddressVal. I tried below Search but it did not help index= * addressVal outAddressVal| where (rtrim(ltrim('addressVal ')) != rtrim(ltrim('outAddressVal'))) Content line is like below addressVal = WV ,outAddressVal= RA addressVal = CA,outAddressVal= RA addressVal = WV ,outAddressVal= RA addressVal = WV ,outAddressVal= RA

Hi I want to understand how the _time set using App: Microsoft Azure Add-on for Splunk source type azure:eventhub cat ./etc/apps/TA-MS-AAD/default/props.conf [azure:eventhub] SHOULD_LINEMERGE = 0 category = Splunk App Add-on Builder pulldown_type = 1 #################### # Metrics ####################   [splunk@ilissplsh04 ~]$ cat ./etc/apps/TA-MS-AAD/local/props.conf [azure:eventhub] TRUNCATE=0 [splunk@ilissplsh04 ~]$ I got an event with old _time even the event got indexed today ( indextime)