I would like to create an alert when new QID from qualys is published.  For that I'm using FIRST_FOUND_DATETIME field and comparing it with today's date. The date format for that field result is in GMT. I want in PST. Also whenever the FIRST_FOUND_DATETIME  is current date it should trigger the alert or list QIDs associated to today's date. 

Hi, Currently, my query produces the correct results but they are all aggregated into single cells, and I would like to have them separated depending on the results found. What I would like is to have "Offers/Redeemed/Take_Rate"  listed and calculated for each unique combination of results found for pointBank/merchant.   So: offers  Redeemed  Pointbank   Merchant   Take_Rate 2               1                    A                       A                 50 3               1                    A                       B                 33.3 6               3                    B                       A                 50 5               1                    B                       C                 20 My current query is: host="server" source="/home/xyz.log" earliest=-1@d latest=now | fields "promotionAction" "pointBankCode" "merchantCode"| search (promotionAction="*") pointBankCode="*" merchantCode="*" | stats count(eval(promotionAction= "OFFERED")) AS Offers count(eval(promotionAction= "ACCEPTED")) as Redeemed values(pointBankCode) as PointBank values(merchantCode) as Merchant | eval Take_Rate=((Redeemed)/(Offers)*100)

  I could retrieve the list of the transactions as a single event below. Transactions start with "Dashboard Load:" and end with "Total Dashboard Load Time"   | rex "Account: (?<account>[^\,]*), SiteID: (?<siteID>[^\s]*) - (?<duration_in_ms>[^\s]*) milliseconds on Requestor: (?<requestor>[^\,]*)" | transaction agent endswith="Total Dashboard Load Time" | eval duration_in_sec=round(avg(duration_in_ms)/1000,2) | table agent account siteID flow duration_in_sec     I could find the delta between each event as multiple events with below   | rex "Account: (?<account>[^\,]*), SiteID: (?<siteID>[^\s]*) - (?<duration_in_ms>[^\s]*) milliseconds on Requestor: (?<requestor>[^\,]*)" | streamstats current=f last(_time) as last_time2 by agent | rename _time as current_time2 | eval delta= last_time2 - current_time2 | eval last_time =strftime(last_time2, "%m/%d, %H:%M:%S.%6N") | eval current_time =strftime(current_time2, "%m/%d, %H:%M:%S.%6N") | table agent account siteID flow duration_in_sec last_time current_time delta     I'm looking to see if I can find a delta between events in a single transaction. The transaction starts with "Dashboard Load" and ends with "Total Dashboard Load Time" Expected Result Format:   agent, account, siteID, list of flow (all 5 Dashboard Load actions), duration_in_sec, list of event times, list of delta between event time   agent - the name of the agent account - account # siteID - site# list of flow - all action flows durations_in_sec - Total Dashboard Load Time list of event times - List showing all event time list of the delta between event time - List showing 4 delta times between each flow   Below are a sample of 2 data of 5 events   2021-12-16 05:30:43,834 alpha - Dashboard Load: User Clicked on New 2021-12-16 05:30:46,498 alpha - Dashboard Load: User Clicked on AccountSearch 2021-12-16 05:31:05,420 alpha - Dashboard Load: User Clicked on Search with String abcdef 2021-12-16 05:31:08,557 alpha - Dashboard Load: User clicked on Searched Result 123456 2021-12-16 05:31:12,234 alpha - Total Dashboard Load Time for Account: 000111222, SiteID: 123- 3438.0 milliseconds on Requestor: xoxoxo     

Lines in my sourcetype are not being picked up correctly at all.  Each event is being split into dozens of lines.  Also, when I go into the Settings in the UI for sourcetypes, I see all of the configs matching what I have set except for SHOULD_LINEMERGE = true.  This comes up as false.  I try resetting it in the UI and it still comes up as false even though that should not be set anywhere.  Btool shows it should be set to true, but it still comes up as false. Btool shows these settings [kube:container:applicationservice-app] BREAK_ONLY_BEFORE_DATE = true LINE_BREAKER = (\d{2}\:\d{2}\:\d{2}\.\d{3})(?:\s\[Thread) MAX_TIMESTAMP_LOOKAHEAD = 128 SHOULD_LINEMERGE = true TIME_FORMAT = %H:%M:%S.%Q  

I am working on a dashboard where my source have values like /opt/commands/abc.env, I want to print XYZ in ConfigType if my source contains commands. Right now I am using regex | rex field=source "(?<ConfigType>commands)" and it's printing ConfigType=commands but I need to print ConfigType=XYZ

I have a dashboard with four pie charts across the top. I've set up drill downs for these that open up a new tab. However, I'm wondering if it is possible to put and events panel below them and depending upon the pie chart that is clicked dynamically build the SPL for the events panel. The four pie charts have very different searches and drill downs, so I cannot simply just populate some tokens for use with the events panel. I would need to actually dynamically build the SPL and pass that to the events panel. Is that even possible? Thanks.

Hi - I have a Splunk UF monitoring many directories on a rsyslog (receiver) server. One of the directories populated with logs as expected. However, the input stanza had the incorrect sourcetype and the data/logs did not index. Now after removing the sourcetype, I need to reset the UF to re-monitor the log files in that single directory "only".   I do NOT want to re-index everything the UF monitors. Please advise the best way to handle this... Thank you

Hi could you please give me an advice how to edit a call to the Splunk Rest API with the following parameter: search | inputlookup mylookup.csv The goal is to use another APP, not the user default one. I tried the following but it gave me same result: | inputlookup mylookup.csv | eval app_name = $env:MyNewApp$    Thanks a lot!

Hi -  Let's say you have a scheduled query / report that runs daily (at mid-night) looking over a time range of Last 24 hours.  And you summarize the results to index=summary_index_foo. There was a "foo" data source outage for a couple days, however you were able to backfill the data to index=foo. What is the best to re-run the query without creating a lot of duplicates.   I am pretty sure if you use "collect" that will create duplicates. But will re-scheduling a one-time clone of the report over the outage days and summarizing results create duplicates if the time range overlaps into the data (before and after the outage)? In other words, the outage time frame was not to the minute, hour, or day exactly.  When you re-schedule/re-summarize the query will that create duplicates if the same data/event exists in the summary index for that time?    Or will Splunk drop duplicates when using the summary index?    I am guessing duplicates will still be created but need a sanity check. Thank you  

Hello splunkers, i need to understand the best way to forward my data in multisite indexer cluster for Disaster Recovery management: For example, we have: On Site A 1 manager node (active) 3 peer nodes [IDX_1A, IDX_2A, IDX_3A ] (active) 1 search head (active) 2 Heavy Forwarder [HF_1A, HF_2A] (active) On Site B 1 manager node (stand by) 3 peer nodes [IDX_1B, IDX_2B, IDX_3B ] (active) 1 search head (stand by) 2 Heavy Forwarder [HF_1B, HF_2B] (standy By) On HF_1A and HF_2A the outputs.conf have to configure to send data to: 1) ALL site A and site B indexers (IDX_1A, IDX_2A, IDX_3A, IDX_1B, IDX_2B, IDX_3B) we suppose that HF can comunicate with all OR 2) Only site A IDX? (IDX_1A, IDX_2A, IDX_3A) OR 3) Any other way? Thanks in advance