My query , index=s_New sourcetype IN (Compare,Fire) | stats values(*) as * values(sourcetype) as sourcetype by sysid _time | fillnull value="" | eval Status=if(Fire_Agent_Version = "" AND Compare_Agent_Version = "","Not Covered","Covered")  | search OS="*" Group="*" Name="***" Environment="*" | timechart span=1d count by Status | addtotals | eval "Covered %"=round((Covered/Total)*100,2) | eval "Not Covered %"=round(('Not Covered'/Total)*100,2) | fields _time "Covered %" "Not Covered %" The above search not providing expected count as i get i get for Status count  as below , iindex=s_New sourcetype IN (Compare,Fire) | stats values(*) as * values(sourcetype) as sourcetype by sysid  | fillnull value="" | eval Status=if(Fire_Agent_Version = "" AND Compare_Agent_Version = "","Not Covered","Covered")  | search OS="*" Group="*" Name="***" Environment="*" | stats count by Status | eventstats sum(*) as sum_* | foreach * [ eval "Status %"=round((count/sum_count)*100,2)] | rename count as Count | fields - sum_count | sort - Count I think i am missing  something in timechart search .How to get he exact count for timechart as in below search using stats alone.  

Hello,  I'm trying to filter one lookup with the values of an other lookup. This is the situation: Lookup roles.csv contains the field with the security roles I would like to check for: Role  role1 role2 role3 role6 Lookup AssignedRoles.csv contains a field with all the assigned roles  User Role User1 role2 role5 User2 role6 User3 role9 role8 User4 role7 role4 User5 role1 role2   Now I want to return a table with all the users in AssignedRoles.csv that have an assigned Role from Roles.csv Can anybody help me with an example query, if it is at all possible? Thanks, Robin

Hello team,    I am facing an issue while trying to extract the below events. Please help in this.   Event: 150022 High 2021.11.22 03:32:44 App Proxy: Utilization of preprocessing manager processes over 80% prd-Server06 1.2.3.4 Utilization of preprocessing manager internal processes, in % 100 %   Extraction used: ^(?:[^:\n]*:){2}\d+\s+(?P<field1>[^\t]+)(?:[^\.\n]*\.){3}\d+\s+(?P<field2>[^ ]+)(?:[^ \n]* ){7}\%\s(?P<field3>.+)   Although all other fields are extracted as expected. The field2 is unable to extract the highlighted/underlined field. Please let me know how I may fix the field2 here.

Hi! I have a setup where I must clone and forward data to a third party. Can somebody clarify if I disable useACK that even though a destination is unreachable that the flow to other outputs does not stall? If I look at the spec of outputs.conf, for me it's not fully clear what happens when I write to the socket and the destination is unreachable:   * When set to "false", the forwarder considers the data fully processed when it finishes writing it to the network socket.   Thanks in advance!

Hi I  need to find 5 "Errors" peak points by server and sort by date   here is my spl: index="myindex" err* | rex field=source "\/data\/(?<product>\w+)\/(?<date>\d+)\/(?<servername>\w+)" | eventstats count as Errors by servername     expected output: servername                               Time                                                           peak points Errors count server1                                       2021-11-19 02:00:00,000          500                                                             2021-11-19 10:00:00,000         450                                                           2021-11-19 18:00:00,000        300                                                           2021-11-19 20:00:00,000        800                                                           2021-11-19 23:00:00,000         9000   server2                                       2021-11-19 01:00:00,000         250                                                           2021-11-19 03:00:00,000       480                                                           2021-11-19 08:00:00,000        30000                                                           2021-11-19 09:00:00,000        463                                                           2021-11-19 10:00:00,000      100  

Hello, I have a situation where there are 25 different groups  of people and each group of people uses different sets of data (i.e. there are 25 different sets of data, one for each group). We need to create a single dashboard and also need to assign access role in a way that each group can only have access to their data set using the same dashboard.   How I would assign the access role for those 25 different groups.  Should I create 25 different indexes - one for  each group  and assign access role to those indexes? Is it possible to create 25 different sourcetypes and assign access role to those sourcetypes  - one for each group and keep all sourcetypes under one index? Or are there any other ways? Thank you so  much, any help will be highly appreciated.     

We stopped receiving data from tenable a few days ago. When I went to investigate I could find nothing that changed. But now we cannot add/edit our tenable accounts without getting "No Tenable.sc Instance at <fqdn:443>". Things I was able to do: Log into tenable with the credentials just fine. Perform a test-netconnection <FQDN> -Port 443 nslookup was good able to ping Things I tried but failed: Use the FQDN and IP address. The app is installed on our Heavy Forwarder which has the Search Head and KVStore roles. Splunk Enterprise versions is 8.2.2.1, Windows server 2019. We were running TA-tenable version 5.0.1 and it wasnt working. I upgraded to TA-tenable 5.2.1 and got the same error. From our logs:     python.log 11-19-2021 07:20:52.558 -0800 ERROR AdminManagerExternal [8132 TcpChannelThread] - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [400]: Bad Request -- No Tenable.sc Instance at <fqdn>". See splunkd.log/python.log for more details. splunkd.log 11-19-2021 07:20:52.558 -0800 ERROR AdminManagerExternal [18606 TcpChannelThread] - Stack trace from python handler:\n Traceback (most recent call last):\n File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 151, in init\n hand.execute(info)\n File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 636, in execute\n if self.requestedAction == ACTION_CREATE: self.handleCreate(confInfo)\n File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper\n for entity in result:\n File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/handler.py", line 113, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/handler.py", line 82, in wrapper\n check_existing(self, name),\n File "<string>", line 21, in validate\n File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/endpoint/__init__.py", line 82, in validate\n self._loop_fields('validate', name, data, existing=existing)\n File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/endpoint/__init__.py", line 78, in _loop_fields\n model.fields,\n File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/endpoint/__init__.py", line 77, in <lambda>\n lambda f: getattr(f, meth)(data, *args, **kwargs),\n File "/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/splunktaucclib/rest_handler/endpoint/field.py", line 51, in validate\n raise RestError(400, self.validator.msg)\nsplunktaucclib.rest_handler.error.RestError: REST Error [400]: Bad Request -- Please enter valid Address, Username and Password or configure valid proxy settings or verify SSL certificate.\n ta_tenable_securitycenter.log 11-19-2021 07:20:52.55,558 ERROR pid=5980 tid=MainThread file=v1.py:_request:497 | Requests Error: HTTPSConnectionPool(host='<fqdn>', port=443): Max retries exceeded with url: /rest/system (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1106)')))      I've been troubleshooting this the last few days and any help would be appreciated.