Dear All I agree that this may not be the right forum to post this. There are a lot of authentication failures for some accounts and the sources are two Linux servers. Checked with the user, they didn't enter incorrect credentials these many times. For sure, this is some process or job. However, I would like to understand why are these attempts failing. And if these are counted as failed attempts, why these attempts don't lock out the account (considering we have an account lock-out policy) Can someone help me to understand how are these attempts generated?

How to eliminate duplicate rows before transaction command. Because of which I am getting wrong calculation. eg scenario: calculating downtime based on events Query is    index="winevent" host IN (abc) EventCode=6006 OR EventCode="6005" Type=Information | eval BootUptime = if(EventCode=6005,strftime(_time, "%Y-%d-%m %H:%M:%S"),null()) | eval stoptime = if(EventCode=6006,strftime(_time, "%Y-%d-%m %H:%M:%S"),null()) | transaction host startswith=6006 endswith=6005 maxevents=2 | eval duration=tostring(duration,"duration") | eval time_taken = replace(duration,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3sec") | rename time_taken AS Downtime | dedup Downtime, BootUptime | table host,stoptime, BootUptime, Downtime   Result is ::   host stoptime bootuptime Downtime abc 2022-30-01 10:39:25 2022-30-01 10:40:29 00h 01min 04sec abc 2022-09-01 09:27:53 2022-09-01 09:28:34 00h 00min 41sec abc 2021-28-11 10:52:52 2022-09-01 09:28:34 41d 22h 35min 42sec   in the result since i have duplicate in bootuptime the dowtime calculation is incorrect. How to get rid of this? Thanks in Advance

The original problem I am trying to fix is that I am not able to tag single events since they dont have a small enough field to use for the tags(only unique field was over 1024 chars). The solution for this was to create on the sourcetype we care about a field that would generate sha256 values making a unique field. What i have added in the local diretory of the TA for the sourcetype: transforms.conf [add_event_hash] INGEST_EVAL = event_hash=sha256(_raw) FORMAT = event_hash::$1 WRITE_META = true props.conf [thor] TRANSFORM-event_hash = add_event_hash and fields.conf [event_hash] INDEXED = true The result after restarting Splunk and re-importing the data is that the field is successfully created with the value we want, yet the field value is not searchable. The search generates 0 results when searching for event_hash=<hash> but only generates the correct result when using event_hash=*<hash>* any assistance would be much appreciated  

I have multiple pie charts, each showing data from a different cluster. I would like to define one generic datasource that gets the cluster name as an input.  Is there a possibility to define/set variables within a visualization block and pass it to a datasource?    { "visualizations": { "viz_pie_chart_cluster1": { "type": "viz.pie", "dataSources": { "primary": "ds1" }, "title": "Cluster 1", "options": { "chart.showPercent": true, } # I want to pass the cluster_name=cluster1 from this vizualization }, "viz_pie_chart_cluster2": { "type": "viz.pie", "dataSources": { "primary": "ds1" }, "title": "Cluster 2", "options": { "chart.showPercent": true, } # I want to pass the cluster_name=cluster2 from this vizualization } }, "dataSources": { "ds1": { "type": "ds.search", "options": { "query": "... cluster_name=$cluster_name$ ..." }, "name": "ds1" } } }  

Hello, Our Customer lost access to support but we need to open ticket. We have name of Customer, invoice etc.... How to retreive account/password or simply transfer supported instances into my account? Regards

I was trying to get the latest time from index=index1 sourcetype=source1 Below is the string: | tstats latest(_time) as lastTime where index=index1 sourcetype=source1 | eval lastTime=strftime(lastTime,"%x %X") I will use this lastTime as the time-picker to have the table display for data inside source1. The purpose is to always get the data from last time query log in source1. Could anybody to tell me how to continue the string to make it?

Is it possible to revert the KV store storage engine migration in a standalone environment with SE 8.x.  Example: If I am migrating the KV store storage engine from MMAP to WiredTiger. Can I revert this change i.e. migrate from WireTiger to MMAP.   If it is possible what are the steps to do so. Is there any doc for this? I can see doc/command for migrating from MMAP to WiredTiger  splunk migrate kvstore-storage-engine --target-engine wiredTiger Need similar steps for the reverse condition. Please help.

Hi Guys, I have a string say example : abc this string I want to lookup and match the presence in a lookup table  | lookuptable test.csv test.csv has value Number  Value 1 xyz 2 abc 3 mnp 4 wgf   I want to check the presence of my search string abc in lookup table and shows me yes or no in result table Like if found in lookuptable should result me as Yes else NO example abc is present in lookuptable so my output should be Search string Presence abc Yes   my search string abc | inputlookup test.csv| table value | rename value AS V1 | eval x="searchstring" | eval y="v1" | eval match=if(match(x,y),1,0) | where match=1 | table Searchstring, Yes   I tried this but didnt get result Kindly help me ! Thanks in advance

Hello! The CSS code below works when I put it directly in my dashboard but not with an external sheet.     <panel depends="$visible$"> <html> <style> div[data-test-panel-id^='relative'], div[data-test-panel-id^='realTime'], div[data-test-panel-id^='date'], div[data-test-panel-id^='dateTime'], div[data-test-column-id^='past'], div[data-test-panel-id^='advanced'], div[data-test^='real-time-column'] { display: none; } </style> </html> </panel>     I call the sheet like this:     <form stylesheet="time.css">     What is wrong please?

Hello, everyone! I need help. I configured DB connect app on heavy forwarder and connected database input. I can view DB logs on Heavy forwarder, but I want to forward this data to indexers. How can I configure it?

We are receiving a log from the host(host=abc) and we have one interesting field named Ip_Address. In this field, we have multiple IP's and event is indexing for each 5 min of an interval like(Ping success for Ip_Address=10.10.101.10 OR Ping failed for Ip_Address=10.10.101.10).   FYI, if I am getting events like(1:00pm ping failed and 1:05pm ping success) in this case we are not considering as failed percentage. So, basically if count of failure is more than one time(means Continuously like 1:00pm ping failed and 1:05pm ping failed ) then only it will be considered as failure.   I am using below query to calculate the success and failed percentage of all ip's for an interval of time like 1 month or something but it is not fulfilling my requirement as I want to achieve for all ip's in a single query. It will be more useful if it shows in the dashboard visualization. index=unix sourcetype=ping_log "Ping failed for Ip_Address=10.101.101.14" (earliest="01/04/2022:07:00:00" latest="1/07/2022:18:00:00") OR (earliest="01/10/2022:07:00:00" latest="1/14/2022:18:00:00")OR (earliest="01/17/2022:07:00:00" latest="1/21/2022:18:00:00")OR (earliest="01/31/2022:07:00:00" latest="1/31/2022:18:00:00") | timechart span=600s count | where count=2 | stats count | eval failed_min=count*10 | eval total=failed_min/9900*100,SLA=100-total,Ip_Address="10.101.101.14" | rename SLA as Success_Percent | table Success_Percent Ip_Address  

It occurs 3-4 hours after starting splunk.  These are the logs found in splunk/var/log/splunk/mongod.log I CONTROL [signalProcessingThread] got signal 15 (Terminated), will terminate after current cmd ends I NETWORK [signalProcessingThread] shutdown: going to close listening sockets... I REPL [signalProcessingThread] shutting down replication subsystems I REPL [signalProcessingThread] Stopping replication reporter thread I REPL [signalProcessingThread] Stopping replication fetcher thread I REPL [signalProcessingThread] Stopping replication applier thread