Hi, The following is my search: index=pace ERROR OR FATAL OUI=* Number=* | stats count by OUI Number | sort -count   After executing the above search i get the following results:   OUI Number count 9C3DCF 4W12757WA51F6 18 80CC9C 4W15177LA0AD1 10 0836C9 4W150B70A3837 4 100C6B 4W15077PA0682 3 80CC9C 4W151778A0A39 3 80CC9C 4W15177GA0A5D 3 Note: The number column are the results I am interested in. I have a separate table named subsdeviceextract.csv as per the following: MAC Model OUI Post Code Serial Number 08:36:C9:9A:F4:6C V6510 0836C9 2775 4W150B70A012A 08:36:C9:9B:5C:FE V6510 0836C9 6437 4W150B70A07A8 08:36:C9:9C:A8:20 V6510 0836C9 2641 4W150B70A110A I would like to look up the Serial number to get the Model Number Please help me, thank you

I have a base search: index=oswin EventCode=19 SourceName="Microsoft-Windows-WindowsUpdateClient" earliest=-10d ComputerName=*.somedomain.com | rex "\WKB(?<KB>.\d+)\W" The result populates field ‘KB’ with a list of values similar to: 5007192 5008601 890830 I need to test if ‘KB’ contains one of the following: “5008601”, “5008602”, “5008603”, “5008604”, “5008605”, “5008606” If a match is found, populate field HotFixID (new field) with the matched value. If no match is found, populate field HotFixID with “NotInstalled”. Using search KB IN (5008601,5008602,5008603,5008604,5008605,5008606) results in matched values only. Case function works only if the matched value is the last one evaluated, otherwise it returns "notInstalled" even though a match is present.

Greetings, Has anyone successfully connected to Azure SQL with DB Connect with Azure Active Directory? I have installed the driver for MSSQL JDBC version 9.4 which Azure supports. I am using the following connection string:     jdbc:sqlserver://<instance_url>:<instance_port>;database=<db>;encrypt=true;trustServerCertificate=false;hostNameInCertificate=<instance_domain>;loginTimeout=30;authentication=ActiveDirectoryPassword      I am getting error: Failed to load MSAL4J Java library for performing ActiveDirectoryPassword authentication.  Thanks in Advance

Hello, I have a dashboard with a text input that has id "text_input".  With JavaScript I am listening to changes to that input, and when that happens I just want to read the new value into a variable.  Instead of reading the newly inserted value, though, it reads the previous value.  The following code gives an idea of what I am doing:   var def_tok = mvc.Components.get("default"); var sub_tok = mvc.Components.get("submitted"); ... $("#text_input").on('change', function () { console.log("Change Detected"); var sub_tok_input = sub_tok.get("text_input"); var sub_tok_input_form = sub_tok.get("form.text_input"); var def_tok_input = def_tok.get("text_input"); var def_tok_input_form = def_tok.get("form.text_input"); console.log("sub_tok_input: " + sub_tok_input); console.log("sub_tok_input_form: " + sub_tok_input_form); console.log("def_tok_input: " + def_tok_input); console.log("def_tok_input_form: " + def_tok_input_form); });   When I fill in the first value from blank the first print reads blank instead of the value.  Then when I update the value it reads the first value, and so on...   What I am doing wrong and how can I ensure that I get the newly inserted value instead of the previously inserted one?   Thanks! Andrew

I am looking to see if anyone knows how to do this or if it is possible. I am trying to have splunk read to the Active directory groups that hold the certain subnets for different locations and we use it to lock down certain people being able to see these specific subnets. It is a pain to update all these subnets in splunk and the AD group since it is 2 different parties working this. I am asking if anyone knows how I can get rid of the Subnets that I am searching for in Splunk and just have to route to the AD groups that we have set up. This would eliminate the need to update Splunk dashboards and the AD groups. 

Hi All, We have recently upgraded our splunk enviornment from 7.X to 8.X and we want to compare splunk performance before and after the upgrade. One of the parameter we want to track is time taken by cluster to complete the fix up tasks. Can you please guide if there is any way we can monitor the time taken by the fix up tasks and rolling restart to complete. Thanks & Regards, Rahul Bhatia

We've got the Splunk App for Infrastructure inputs for Windows  metrics deployed to our universal forwarders. Metrics are all working fine except in one situation; if any performance counter value is 0 then Splunk isn't recording the value. For example, if a disk free space counter reaches 0, it'll drop off all charts. Likewise application pool request queues don't record a 0 value if there's nothing in them. I've got plenty of custom metrics I've done (faking statsd protocol) that can write 0 just fine, it seems to only be the perfmon metrics from SAI that have the issue. Has anyone else encountered this and know what the fix is?

Hello, I'm using Splunk App for Web Analytics version 2.3.0, it working well. I used 1 site to monitor, and I have data I need, but, when I added another log to monitor, The site name it use is the folder name. I did index=iislogs | dedup site | table site, and I see the 2 sites,  but I want to change the name of ome of them. How Can I change the site name. I tried to change it on the "configure website" but it's not updated. Thenk you, Dov

Hello Community. I am trying to solve a problem and I can't see a solution. Hope you can help me! I am working with a metrics index. My final goal is to get average of two metrics, but with two differente filters based on a dimension from that metric index, and get a final calculation from these calculated fields, something like this: | mstats avg(metric1) as result1 avg(metric2) as result2 where index=my_metric_index AND filter_field=filter_list_1 | mstats avg(metric1) as result3 avg(metric2) as result4 where index=my_metric_index AND filter_field=filter_list_2 | eval Final_Result_1=result3-result1, Final_Result_2=result4-result2  I also created a search (which I pretend to use as subsearch in the middle of previous search) to get both lists, filter_list_1 and filter_list_2, something like this: |mcatalog values(values1) as values1 values(values2) as values2 where index=my_metric_index AND filter1 AND filter2 AND filter3 BY values1, values2 {...some modification stuff here...} | table filter_list_1, filter_list_2  Both filter_list_1 and filter_list_2 can be returned as a column list or a multivalue field (created with join command from column list). The chalenge here is how to pass these filter_list_x to both from a subsearch to the main (or precedence) search to use as filter in mstats command. The best I've got was to make subsearch sent back one of the filter list, named as the field I need to filter in main search with, and subsearch formated field_list (automatically, I don't know how it did) as a bunch of "OR statements with all values of the filter_list filed to use with mstat command. But I only could o this with one mstat command, not both. I don't know if I get myself to be well-explained How can I achieve my "final and complicated" goal? Some like this:   | mstats avg(metric1) as result1 avg(metric2) as result2 where index=my_metric_index AND filter_field=filter_list_1 | mstats avg(metric1) as result3 avg(metric2) as result4 where index=my_metric_index AND filter_field=filter_list_2 [|mcatalog values(values1) as values1 values(values2) as values2 where index=my_metric_index AND filter1 AND filter2 AND filter3 BY values1, values2 {...some modification stuff here...} | table filter_list_1, filter_list_2] | eval Final_Result_1=result3-result1, Final_Result_2=result4-result2   Any help will be very appreciated. Thanks in advance for your help. Regards, Carlos M