Hi, I am trying to convert the result of applying the CorrelationMatrix algorithm which is given in a confusion matrix form like:         AA     BB     CC AA   1        0.1    0.2 BB    0.1     1      0.3   CC   0.2     0.3    1 And I would like to convert it to a tabular form like: AA BB 0.1 AA CC 0.2 BB AA 0.1  BB CC 0.3 .... So far I tried with the untable command without success. Below you can see a sample of the code I have.     index="someIndex" | timechart span=1m count by someField | fillnull value=0 | fit CorrelationMatrix method=pearson * | untable a, b, c       Any help would be much appreciated,  Thanks!  

I am currently in the process of building out a custom application which will include an adaptive response action that uses a python script to update a system's group based on events that come into our incident review page. I have all of the logic working (Correlation search identifies an event, creates a notable, from there I can select the AR action, input this systems GUID into the text box and it will go from there). My issue is that I cannot get the correct configuration to have this field prepopulated when the menu is brought up based on the event in the notable. The configuration files I believe need to be updated are the alert_actions.conf, alert_actions.conf.spec, savedsearches.conf.spec, and <alert_action_name>.html files. I have found some similar posts about this but nothing that gives details about the syntax needed for each file: https://community.splunk.com/t5/Splunk-Enterprise-Security/Does-the-service-now-integration-work-as-an-ad-hoc-adaptive/m-p/437270 https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Is-it-possible-to-prepopulate/m-p/251952 In my various config files I have the following lines: alert_actions.conf: param.hostname = $result.hostname$ param.connector_guid =$result.connector_guid$ alert_actions.conf.spec param.hostname = <string> param.cguid = <string> savedsearches.conf.spec param.hostname = <string> param.cguid = <string> <alert_action_name>.html <form class="form-horizontal form-complex"> <div class="control-group"> <label class="control-label" for="custom_app_hostname">Hostname <span class="required">*</span> </label> <div class="controls"> <input type="text" name="action.custom_app.param.hostname" value="$hostname$" id="custom_app_hostname"/> <span class="help-block">Verify this is the correct hostname, if not then input from the alert.</span> </div> </div> <div class="control-group"> <label class="control-label" for="custom_app_cguid">Connector GUID <span class="required">*</span> </label> <div class="controls"> <input type="text" name="action.custom_app.param.connector_guid" value="$connector_guid$" id="custom_app_cguid"/> </div> </div> </form> Below is the screenshot of the menu I am referring to needing to be prepopulated:  

Hi all, I have a question about macros: suppose I must use, inside a search, multiple macros. Those macros can be related between them by simple logical condition like AND and OR; what is the right syntax to tell to search to use more than one macro? Is the append command or other? UPDATE Let me modify the post, after @ITWhisperer explaination. The current desiderd behavior is to perform security check with rules that uses multiple macros. We don't know if it is the best way and/or absolutely required by customer, but at writing time is our guideline. We have the following situation: 1. Two or more macros linked with AND operator. Consider the following macros: `remote to local` = | eval (All_traffic.src) as src from datamodel="Network traffic"| eval (All_traffic.dest) as dest from datamodel="Network traffic" |where ( src!=10.0.0.0/8 AND src!=172.16.0.0/12 AND src!=192.168.0.0/16) AND ( dest=10.0.0.0/8 OR dest=172.16.0.0/12 OR dest=192.168.0.0/16) set to use Data Model instead of raw events and that evaluate if the connection is from internet to local network. The other one is the following: `successfull communication` = | eval(All_traffic.bytes_in/All_traffic.packets_in) as input_rate from datamodel="Network traffic" | eval(All_traffic.bytes_out/All_traffic.packets_out) as output_rate from datamodel="Network traffic" | where input_rate > 80 and output_rate > 80 which try to understand if the communication between source and dest works fine counting the bytes/packets rate. What about if, in my  rules, I have to use them linked with AND and used as filter? I mean, the final rule structure is something like that: <my search>....| where `remote to local` AND `successfull communication` 2. The Macros should be putted togheter with OR. This becaus the rule try multiple way to understand if something is happening or not. Consider this macros: `IRC Check with Firewalls`=|tstats count values(All_traffic.src) as source by source from datamodel=Network_Traffic|where All_traffic.protocol = tcp AND All_traffic.action = allowed | search All_traffic.dest = NOT [| inputlookup WhiteListIP.csv | table dest] All_traffic.dest_port IN [| inputlookup IRCPorts.csv | table dest_port]  that try to check if a IRC server is in execution checking some network data, like firewall pass, tcp protocol, destination port present in IRCPorts.csv file and excluding some authorized server putted in WhitelistIP.csv. Then, we must make a macros that try to find if an IRC client is in execution; currently we don't know how to realize this, so let me put here simply its name:  `IRC Client Detected` So, the final search whant use this 2 macros as filter and trigger if one of them is true; something like: <some search>...| where `IRC Check with Firewalls` OR `IRC Client Detected`   3. Any combination between AND and OR. Using the above macros, something like: <some search>...| where `remote to local` AND (`IRC Check with Firewalls` OR `IRC Client Detected`)  

I have this query:   my search | rex field=line ".*customerId\":(?<customer_id>[0-9]+)" | dedup customer_id | table customer_id   That returns multiple rows and generate a table:   customer_id ----------- 1 2 3 4 5   I also have another query  that returns a single row with an array  of ids:   Synced accounts: [ 1, 3, 5 ]   My questions are : 1) How can I convert the row from query 2 into a table with the ids  2) how can I do left join between the results ( that I will see on the table only the ids from query 2)?   customer_id ---------- 1 3 5   Thanks in advance  Elad

I have a field message which have values has json format need to extract all the values in the json.   { [-] guessedService: ejj logGroup: /aws/ejj/cluster logStream: kube-apt-15444d2f8c4b216a9cb69ac message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}}   here from message field need to extract kind, stage, requestURI... and these fields inside json are dynamic(it can be more in other event). need help in extracting these fields in index time using props and transforms   Thanks

I was trying to install the UF in one of the windows server but it’s getting failed 11-17-2021 10:18:53.591 +0300 FATAL HTTPServer - Could not bind to port 8089 deploymentclient.conf :  [target-broker:deploymentServer] targetUri = x.x.x.x:8089 [deployment-client] clientName = xxxxx

Hi I write the Splunk query below to monitor server log index="abc" sourcetype="abc" login "response.status"=200 source="abc.log" | timechart span=2m count | timewrap d series=short | addtotals s* | eval daysAvg=round(Total/14.0,0) | eval yesterday_time=strftime(_time,"%H:%M") | table _time, yesterday_time, s0, daysAvg,s6 | outputlookup openapi_login_last_days_lam.csv   However, my query is rely on time range to count daysAvg value, for example in this case time range is 14 day so eval daysAvg=round(Total/14.0,0). I want to calculate daysAvg dynamic. That means I don't need to change time range value when I apply other range. To achieve that, I wrote code to calculate time range like this index="abc" sourcetype="abc" login "response.status"=200 source="abc.log"    | stats earliest(_time) as earliest_time    | eval latest_time=now()    | eval difference=floor((latest_time-earliest_time)/(3600*24))    | table earliest_time, latest_time, difference   Finally, I combine two search like this index="abc" sourcetype="abc" login "response.status"=200 source="abc.log" | timechart span=2m count | timewrap d series=short | addtotals s* | append     [ search index="abc" sourcetype="abc" login "response.status"=200 source="abc.log"         | stats earliest(_time) as earliest_time         | eval earliest=earliest_time     ] | eval latest_time=now() | eval daysAvg=round(Total/14.0,0) | eval yesterday_time=strftime(_time,"%H:%M") | table _time, yesterday_time, s0, daysAvg, s6, latest_time, earliest   But earliest from subsearch did not pass to outer search. Please help me. Thank you