I have a search query that looks like this:   index="myindex" sourcetype="mysource" earliest=@d latest=now | append [ search index="myindex" sourcetype="mysource" earliest=-1mon@mon latest=@mon | stats avg(Price) as past_avg by ID ] | stats values(*) as * by ID | table Date, ID, Price, past_avg This gives me: what I'm trying to do is display only those values in the Price column that are smaller then past_avg,  does anyone know how I could achieve that?

I'm trying to write a search that will return a table where all average values of the field price grouped by Ids are lower then 1 month ago. This is my attempt:   index="myindex" sourcetype="mysourcetype" earliest=-1mon@mon latest=@mon | stats avg(Price) as avg by ID | where avg > [search index="myindex" sourcetype="mysourcetype" earliest=@d | stats avg(Price) as new_avg by ID | return $new_avg] | table * This, however, always returns 0 results even though there are events in these time periods. I even tried subtituting the subsearched with a fixed number and that produces a table. Does anyone now why this isn't working and maybe how to fix it? 

Hi! Been struggling a lot with a pretty simple problem but my SPLUNK REX skills are insufficient for the task. I want to match and list ANY value containing both letters, digits and characters between parenthesis at the end of line/end of string - examples: bla bla bla (My Value0/0) bla bla blb (My OtherValue0/1) bla blb blc (My thirdValue0/0/0/0) As you can see - the text BEFORE the ending value inside parenthesis can be what ever. There can also be MULTIPLE similar values also within parenthesis along the string but I ONLY want to match the one at end of line ($). The match must be every letter, space, number or typically "/" characters between the parenthesis. Using other regex dev tools I get a fairly decent result with a simple string like this: \(.*\)$ \( matches the character ( with index 4010 (2816 or 508) literally (case sensitive) . matches any character (except for line terminators) * matches the previous token between zero and unlimited times, as many times as possible, giving back as needed (greedy) \) matches the character ) with index 4110 (2916 or 518) literally (case sensitive) $ asserts position at the end of a line   I also have used variants of this and they all end up working very well in regex testers and dev tools and also in LINUX (when pasting the entire table of messages into a file and applying them. But not in SPLUNK - I believe there is a big coin drop along my SPLUNK use path when everything will make sense to me, unfortunately not there yet. Please help me out!

Hello, We recently upgraded our controller to version 21.4.8-1411. After the upgrade however, our SMS alerts are not working.  According to the health rule's Evaluation Events > Actions Executed, it says "SMS Message Sent" but we're not getting any text alerts. Is this a known issue?

Hi All, I had this error at it took a while to understand and fix it. Here my environment: Splunk 8.0.5 Splunk DB Connect 3.6.0 Java /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.275.b01-0.el6_10.x86_64/jre/bin/java Red Hat Enterprise Linux Server release 6.10 (Santiago) Target DB is PostgreSQL We have several query all properly running, just one was giving the error. The query is the following:   index=myindex sourcetype=mysourcetype etc… | dbxoutput output=my_stanza   “my_stanza” refers to one present on db_outputs.conf The error in Splunk Search Head was:   rx.exceptions.OnErrorNotImplementedException at rx.internal.util.InternalObservableUtils$ErrorNotImplementedAction.call(InternalObservableUtils.java:386) at rx.internal.util.InternalObservableUtils$ErrorNotImplementedAction.call(InternalObservableUtils.java:383) at rx.internal.util.ActionSubscriber.onError(ActionSubscriber.java:44) at rx.observers.SafeSubscriber._onError(SafeSubscriber.java:153) at rx.observers.SafeSubscriber.onError(SafeSubscriber.java:115) at rx.exceptions.Exceptions.throwOrReport(Exceptions.java:212) at rx.observers.SafeSubscriber.onNext(SafeSubscriber.java:139) at rx.internal.operators.OperatorBufferWithSize$BufferExact.onCompleted(OperatorBufferWithSize.java:128) at rx.internal.operators.OnSubscribeMap$MapSubscriber.onCompleted(OnSubscribeMap.java:97) at rx.internal.operators.OperatorPublish$PublishSubscriber.checkTerminated(OperatorPublish.java:423) at rx.internal.operators.OperatorPublish$PublishSubscriber.dispatch(OperatorPublish.java:505) at rx.internal.operators.OperatorPublish$PublishSubscriber.onCompleted(OperatorPublish.java:305) at rx.internal.operators.OnSubscribeFromIterable$IterableProducer.slowPath(OnSubscribeFromIterable.java:134) at rx.internal.operators.OnSubscribeFromIterable$IterableProducer.request(OnSubscribeFromIterable.java:89) at rx.Subscriber.setProducer(Subscriber.java:211) at rx.internal.operators.OnSubscribeFromIterable.call(OnSubscribeFromIterable.java:63) at rx.internal.operators.OnSubscribeFromIterable.call(OnSubscribeFromIterable.java:34) at rx.Observable.unsafeSubscribe(Observable.java:10327) at rx.internal.operators.OperatorPublish.connect(OperatorPublish.java:214) at rx.observables.ConnectableObservable.connect(ConnectableObservable.java:52) at com.splunk.dbx.command.DbxOutputCommand.process(DbxOutputCommand.java:161) at com.splunk.search.command.StreamingCommand.process(StreamingCommand.java:58) at com.splunk.search.command.ChunkedCommandDriver.execute(ChunkedCommandDriver.java:109) at com.splunk.search.command.AbstractSearchCommand.run(AbstractSearchCommand.java:50) at com.splunk.search.command.StreamingCommand.run(StreamingCommand.java:16) at com.splunk.dbx.command.DbxOutputCommand.main(DbxOutputCommand.java:100) Caused by: java.lang.NullPointerException at java.math.BigDecimal.<init>(BigDecimal.java:809) at com.splunk.dbx.service.output.OutputServiceImpl.setParameterAsObject(OutputServiceImpl.java:288) at com.splunk.dbx.service.output.OutputServiceImpl.setParameter(OutputServiceImpl.java:270) at com.splunk.dbx.service.output.OutputServiceImpl.processInsertion(OutputServiceImpl.java:216) at com.splunk.dbx.service.output.OutputServiceImpl.output(OutputServiceImpl.java:76) at rx.internal.util.ActionSubscriber.onNext(ActionSubscriber.java:39) at rx.observers.SafeSubscriber.onNext(SafeSubscriber.java:134) ... 19 more     Looking at search.log from job inspector:   12-03-2021 17:26:18.187 INFO DispatchExecutor - END OPEN: Processor=noop 12-03-2021 17:26:18.188 ERROR ChunkedExternProcessor - stderr: Exception in thread "main" java.lang.IllegalStateException: I/O operation on closed writer 12-03-2021 17:26:18.188 ERROR ChunkedExternProcessor - stderr: at com.splunk.search.command.AbstractWriteHandler.checkValidity(AbstractWriteHandler.java:100) 12-03-2021 17:26:18.188 ERROR ChunkedExternProcessor - stderr: at com.splunk.search.command.AbstractWriteHandler.flush(AbstractWriteHandler.java:228) 12-03-2021 17:26:18.188 ERROR ChunkedExternProcessor - stderr: at com.splunk.search.command.ChunkedWriteHandler.flush(ChunkedWriteHandler.java:69) 12-03-2021 17:26:18.188 ERROR ChunkedExternProcessor - stderr: at com.splunk.search.command.AbstractWriteHandler.close(AbstractWriteHandler.java:233) 12-03-2021 17:26:18.188 ERROR ChunkedExternProcessor - stderr: at com.splunk.search.command.ChunkedCommandDriver.execute(ChunkedCommandDriver.java:120) 12-03-2021 17:26:18.188 ERROR ChunkedExternProcessor - stderr: at com.splunk.search.command.AbstractSearchCommand.run(AbstractSearchCommand.java:50) 12-03-2021 17:26:18.188 ERROR ChunkedExternProcessor - stderr: at com.splunk.search.command.StreamingCommand.run(StreamingCommand.java:16) 12-03-2021 17:26:18.188 ERROR ChunkedExternProcessor - stderr: at com.splunk.dbx.command.DbxOutputCommand.main(DbxOutputCommand.java:100)     I solved in this way (adding fillnull):   index=myindex sourcetype=mysourcetype etc… | fillnull value=0.00 mbytes_in | fillnull value=0.00 mbytes_out | dbxoutput output=my_stanza     There were 2 records in the extraction having "mbytes_in" and "mbytes_out" fields without any value. I am sure before upgrading to Splunk DB Connect 3.6.0 it was working properly. The target DB is a PostgreSQL and the table is defined as below, as you can see "mbytes_in" and "mbytes_out" can accept NULL values (and I can see several records in the PostgreSQL DB populated in the past with "mbytes_in" and "mbytes_out" having NULL values) Here the table definition in PostgreSQL:   CREATE TABLE myschema.mytable ( field01 integer NOT NULL, field02 character varying(6) NOT NULL, field03 character varying(6), field04 character varying(15) NOT NULL, field05 timestamp(6) with time zone NOT NULL, mbytes_in numeric(12, 2), mbytes_out numeric(12, 2), field06 character varying(15) NOT NULL, field07 character varying(50), field08 character varying(50), field09 character varying(50) NOT NULL, field10 character varying(255) NOT NULL, field11 character varying(15) NOT NULL, field12 character varying(255), field13 date NOT NULL, field14 character varying(255) NOT NULL, CONSTRAINT my_pkey PRIMARY KEY (field01) ) WITH ( OIDS = FALSE ) TABLESPACE mytablespace; ALTER TABLE myschema.mytable OWNER to myuser; GRANT ALL ON TABLE myschema.mytable TO myuser;     The log error that pointed me to a solution was the following: at com.splunk.dbx.command.DbxOutputCommand.main(DbxOutputCommand.java:100) Caused by: java.lang.NullPointerException at java.math.BigDecimal.<init>(BigDecimal.java:809)   By the way no valuable logs were present in Splunk _internal index, usually when some SPL query fail to insert into our PostgreSQL DB I find valuable information like SQL codes and SQL errors. This time it was not present. I hope this post will help someone having the same issue. Best Regards, Edoardo