I have the following data in the table.   I need to get the duration of the batch running time, I have the start & end time of each date. I need to calculate Batch_End-Batch_Start.  Normal eval is not giving me any output. Hence I was thinking of converting the timestamps in epoc & then doing eval Duration=(End_epoc-Start_epoc). For this I need to convert timestamp like 2021-12-09 11:46:50.000069 to epoch time. Please help.  

Hi there, I've got a basic search to provide the most recent timestamp for a successful backup using wineventlog data:   index="wineventlog" source="WinEventLog:Application" SourceName="Symantec System Recovery" host=*grp* | search Message=*6C8F1F7E* OR Message=*6C8F1F7D* OR Message=*6C8F1F7A* | dedup host | table host, _time   However, I'm really struggling to come up with a search that shows me all the *grp* hosts whether they have the successful backup strings in the Message field  (*6C8F1F7E* or *6C8F1F7D* or *6C8F1F7A*) or not. My closest attempt seems to be this:   index="wineventlog" source="WinEventLog:Application" SourceName="Symantec System Recovery" host=*pgrp* | eval success = case(Message like "%6C8F1F7E%",1,Message like "%6C8F1F7D%",1,Message like "%6C8F1F7A%",1,Message like "%",0) | stats sum(success) as Successes by host | where Successes < 1   My hope is for a table with the following columns: Host Last successful backup date/time or "N/A" if there was no successful backup in the selected timerange Days since last backup Any help or advice would be greatly apprecated! Cheers

I have a JSON payload that's ingested through a REST API input on a heavy forwarder, with the following configuration in props.conf (on the heavy forwarder, not on the indexer):     [json_result]     INDEXED_EXTRACTIONS = json     KV_MODE = none     DATETIME_CONFIG = CURRENT     SHOULD_LINEMERGE = false     TRUNCATE = 200000 The ensuing event in Splunk looks like this (minified): {"totalCount":3,"nextPageKey":null,"result":[{"metricId":"builtin:synthetic.http.resultStatus","data":[{"dimensions":["HTTP_CHECK-02B087D58EC18C33","SUCCESS","SYNTHETIC_LOCATION-2CD023FA5F455E28"],"dimensionMap":{"Result status":"SUCCESS","dt.entity.synthetic_location":"SYNTHETIC_LOCATION-2CD023FA5F455E28","dt.entity.http_check":"HTTP_CHECK-02B087D58EC18C33"},"timestamps":[1639254360000],"values":[1]},{"dimensions":["HTTP_CHECK-02B087D58EC18C33","SUCCESS","SYNTHETIC_LOCATION-833A207E28766E49"],"dimensionMap":{"Result status":"SUCCESS","dt.entity.synthetic_location":"SYNTHETIC_LOCATION-833A207E28766E49","dt.entity.http_check":"HTTP_CHECK-02B087D58EC18C33"},"timestamps":[1639254360000],"values":[1]},{"dimensions":["HTTP_CHECK-02B087D58EC18C33","SUCCESS","SYNTHETIC_LOCATION-1D85D445F05E239A"],"dimensionMap":{"Result status":"SUCCESS","dt.entity.synthetic_location":"SYNTHETIC_LOCATION-1D85D445F05E239A","dt.entity.http_check":"HTTP_CHECK-02B087D58EC18C33"},"timestamps":[1639254360000],"values":[1]}]}]} The text in red reflects what I'm trying to extract from the payload; basically, it's three fields ("Result status", "dt.entity.synthetic_location" and "dt.entity.http_check") and their associated values. I'd like to have three events created from the payload, one event for each occurrence of the three fields, with the fields searchable in Splunk. I've tried this approach in props.conf to get what I'm looking for...     [json_result]         SHOULD_LINEMERGE = false     LINE_BREAKER = },     DATETIME_CONFIG = CURRENT     TRUNCATE = 0     SEDCMD-remove_prefix = s/{"totalCount":.*"nextPageKey":.*"result":\[{"metricId" :.*"data":\[//g     SEDCMD-remove_dimensions = s/{"dimensions":.*"dimensionMap"://g     SEDCMD-remove_timevalues = s/,"timestamps":.*"values":.*}//g     SEDCMD-remove_suffix = s/\]}\]}//g ...but I'm only getting one set of fields to show up as an event in Splunk: And, the fields aren't showing up as "interesting fields" in the left navbar (possibly because the props.conf is not on the indexer?). Any assistance would be greatly appreciated. UPDATE: I referenced this post that's pretty close to what I'm trying to accomplish: https://community.splunk.com/t5/Getting-Data-In/How-to-split-a-json-array-into-multiple-events-with-separate/m-p/139851 The format of the JSON payload cited in this post is different than the format of the payload I'm using, though...so I'm guessing that some additional logic would be necessary to accommodate my format.

Hi, This question is related to CVE-2021-44228.  As far as we could see/scan, Splunk binaries, including Universal Forwarders ones, do not rely on or use the Log4j library but we wanted to get some sort of "official confirmation" of this. Thanks if you can point any public document regarding this and regarding to Splunk potential exposure to this particular CVE.  Best Regards.

Hello! Could somebody please suggest if it is possible to do a map search search more effectively? What I am trying to do: 1. there are events with client transactions. A huge list (thousands every second). 2. I search for transaction chains, which are suspicious by some conditions for last hour 3. If a transaction chain is suspicious, I make a longer search (last 3 weeks) because some operations do not fit into the last hour. I basically do the same calculations, but with longer time interval and with more strict conditions The following search works, but it takes several minutes and sometimes cancelled due to timeout:           <MY_SEARCH> | stats first(orgCode) AS orgCode first(accountId) AS accountId sum(amount) AS totalAmount sum(controlAmount) AS totalControlAmount by transactionChainRef | where totalControlAmount>0 and totalControlAmount<totalAmount | map search="search <MY_SEARCH> AND message=\"*transactionChainRef\\\":$transactionChainRef$*\" earliest=-3w | eval orgCode=$orgCode$ | eval accountId=$accountId$ | eval totalControlAmount=$totalControlAmount$ | stats first(orgCode) AS orgCode first(accountId) AS accountId sum(amount) AS totalAmount first(totalControlAmount) AS totalControlAmount by transactionChainRef | where totalControlAmount<totalAmount " maxsearches=9999           Unfortunately I cannot make query right away for the last 3 weeks because there will be still transaction chains, which may go outside of the 3 weeks (a chain has finished, say, 2.5 weeks ago; its start may be 5.5 weeks ago). My idea currently is to make a map search by chunks, for example, by 100 transactionChainRefs Thanks in advance!