When I checked the lookup command with "WILDCARD", the command doesn't work if the file size becomes large. Does anyone know some related settings or something? I'm using splunk version "8.2.2.1". The situation is shown below. transforms.conf       [lookup_test] batch_index_query = 1 case_sensitive_match = 0 filename = lookup_test.csv match_type = WILDCARD(field) max_matches = 1       lookup_test.csv     field "*.example.com" "*.example.com" . . .     (I used the same word repeatedly for checking.) search query I just want to match domain with "WILDCARD"       | makeresults annotate=true | eval _raw="domain aa.example.com" | multikv forceheader=1 | table domain | lookup lookup_test field as domain OUTPUTNEW field as field_result      So the expected result is below domain field_result aa.example.com *.example.com   If the "lookup_test.csv" is 620,000 lines(file size is about 9.5MB), the WILDCARD match works fine. But if the "lookup_test.csv" is 630,000 lines(file size is about 9.7MB), the WILDCARD match doesn't work. I mean the "field_result" value becomes blank. And it only match "EXACT". domain field_result aa.example.com   *.example.com *.example.com   I also tried other words(ex. "*.aexample.com"). If the lookup file size becomes larger than about 9.5MB, the "WILDCARD" match doesn't work and only match "EXACT". So I think this related to lookup file size, but I couldn't find any documents.

I am pretty new to Splunk and trying to figure out how alert notification and adding a script to it works. My alert will basically return a line from  a log stream every time it matches my search criteria, which will be something like this"   process completed for config some_name having RUN_ID 1129 (it could be multiple lines) my goal is to get the "config_name" part from here and send it as a column name into a sql query that either I put it in a bash or python script:   select "config_name" from table; how are the alert result and the script  connected? can someone bring an example? saw few posts (https://community.splunk.com/t5/Alerting/how-to-pass-custom-strings-from-a-Splunk-Alert-into-a-python/m-p/322664) but not quite getting it.... any help would be appreciate it!     

Hi splunk community! Im new to splunk here so im not very clear on the consequences of updating indexes 1. For example, if index1 indexes from file1, but if in the future i want to change it to index from file2 instead, will there be any implications if i just update the stanza in input.conf file to direct to file2  instead of file1? or do i need to delete the current index and create a new one and then direct to file2? 2. If i want to add more fields to the stanza of the indexed file, will i need to recreate the index? or can i just add the field to the stanza thank you in advance!

Hi All Already created a custom Vizualisation. Having an issue with the drilldown.  In XML set the drilldown option:  <option name="drilldown">all</option> inside drilldown:  <drilldown> <set token="test1">$click.value$</set> <set token="test2">$click.field$</set> </drilldown> Also set the title of the panel to:  <title>Test1: $test1$, test2: $test2$</title> JS in the custom viz: var payload = { action: SplunkVisualizationBase.FIELD_VALUE_DRILLDOWN, data: {} };   payload.data[field] = value; this.drilldown(payload);   The on click the drilldown sets the tokens to $click.value$ and $click.field$ (the strings) Any help ?  

Hi,  I'm having an issue with my deployer and search head cluster while upgrading enterprise security.  In step 8 of the Splunk doc below, it states that ES will recognize it is being installed on a cluster during app setup. Mine displays that it is setting up on a standalone instance, the deployer. What do I need to change for the GUI to recognize I am uploading for the cluster?  See screenshot for additional detail.  Upgrading Enterprise Security in a search head cluster environment, step 8: https://docs.splunk.com/Documentation/ES/7.0.0/Install/UpgradeEnterpriseSecuritySHC Thanks

I have the following query that I am working to establish a prediction for. I am able to be the volume to predict but I wanted to also predict a failure rate for this. When I add in the failure count though I do not get any results. I confirmed the query works fine when removing the predict also. Is this a limitation on predict?     |timechart span=15m count as volume, count(eval(match(login, "failure"))) as "failures" | predict volume, failures       I also see, "Invalid time series index: 2".

Hello, how are you guys? I'm trying unsuccessfully, to give access to the Config Explorer app to a user with the Power User role.  The user is having this error when trying to enter the app in the UI: insufficient permission to access this resource   Maybe is a capabilities problem? Do someone know the needed capabilities in order to being able to enter the Config Explorer app? I know users with the admin role can enter without problems, but power users are not the case. Thanks in advance! 

Hi all, I have an issue here. I was trying to install apps through the deployment server and I noticed that the search head, cluster masters and indexers are missing on the deployment server forwarder management. The only server that's showing up is our heavy forwarder, I think they disappeared after the upgrade from 8.2.0 to 8.2.4. The heavy forwarder still has version 8.2.0 at the moment. I did a back-up before upgrading and tried to restore but it didn't work. Any assistance would be appreciated. Thank you

I have an index which searches across 10 hosts. I am comparing 2 strings and evaluating the results to see if there is an issue that needs alerting. The results are being messed up as its evaluating the 2 strings from 2 different boxes - ie string1 on hostA against string2 on hostB.  It should be string1 on host1 against string2 on host1. Then go to host2 , host3 ..... host10. How can i get my search to either sequentionally go through each host or have the results group by host to not show results that have come from 2 diff hosts.  current logic is:  index="abc" "string1 OR string2" | transaction startswith="string1" endswith="string2" | where count>2

Good Day, I am trying to come up with ideas to translate a Sumo Trasactional search with (States) Conditions to a Splunk Query.  If anyone can provide some other options, please let me know.   Here is my sample Sumo search: _sourceCategory=prod/app/m/* and "statement" and ("Search Keys" or "STATUS=ERROR" or Error) | parse "[ID=*]" as MID nodrop | transactionize MID (merge MID takeFirst, _raw join with "\n\n") | transaction on ORGID, EVENT, ORDER, FACILITY with "*A request to obtain a channel subscription failed*" as NO_SUB, with "*M cannot be discontinued*" as NO_DC, with "*Person not found*" as NO_PERSON | (NO_SUB + NO_DC + NO_PERSON) as Total | fields ORGID, EVENT, ORDER, FACILITY, Total, NO_SUB, NO_DC,NO_PERSON | sort by Total, ORGID, EVENT, ORDER //| sort by ORGID, EVENT Splunk Search so far: index=hhh_m_prod sourcetype=mirth* MID=* CID=* acctnumber=* facility=* orgid=* "Statement" ("Search Keys" OR "STATUS=ERROR" OR "Error") | fillnull value="NULL" | transaction MID | eval NO_DC=if(match(_raw, "M cannot be discontinued*"), "Yes", "No") | eval NO_SUB=if(match(_raw, "A request to obtain a channel subscription failed*"), "Yes", "No") | eval NO_PERSON=if(match(_raw, "Person not found*"), "Yes", "No") | transaction ORGID EVENT ORDER FACILITY | eval Total=sum(NO_SUB, NO_DC, NO_PERSON | table ORGID, EVENT, ORDER, FACILITY, Total, NO_SUB, NO_DC,NO_PERSON  | sort by Total ORGID EVENT ORDER | sort by ORGID, EVENT ** I am lost for ideas in running the conditional transaction statements... Should I use more eval statements, or setup a transactiontypes.conf?  

I want to provide read permission for only one app not all apps to a particular role and in my environment under apps permissions, I can see everyone(all roles) have read access. I don't want to make changes to all apps permission but wanted to manage if I can configure in one role or one app permissions so that all users under that role should only have read permission to one app and he won't be able to see other apps.

I recently inherited a newly configured Splunk Enterprise 8 environment after the former admin left. I have a basic user level knowledge of Splunk so I will describe my issue the best I can. When we try to search for a specific or wildcard event (ie: print logs) we only receive results from the Linux servers but not the Windows servers. I was suggested to check the .conf files for Windows TA, but I'm not quite sure what I should be looking for within the files. The Splunk documentation site has been helpful, however it doesn't explain why we aren't seeing events. Splunk is installed on RHEL8 and we have installed forwarders on all the servers. I do not know where to go from here. Any assistance is appreciated.  *Note: Former admin claimed that the server was fully configured in accordance with DIA's required auditable event list. The server is receiving data however it is not being disseminated properly.