I have a JSON object value as timetaken= 63542 in milliseconds, I  need to convert the stats max(timetaken) value which is in ms to seconds tried as like below  but it is not working out.  search envId = *  message=PostLogin* | stats min(timetaken),max(timetaken), Avg(timetaken) | eval max_time=round((max(timetaken)/1000),2) , min_time = round((min(timetaken)/1000),2) | table max_time,min_time,Avg(timetaken)   But the above is producing the values in same ms even we convert it to seconds    

Hello all,   I have been facing problem with the below extraction where the extraction is working on a few events and not on others. Please help on how this can be fixed.   Below are the different kind of alerts:   The extraction is working as expected on the below alert: 50271234,00004105,00000000,1600,"20210901225500","20210901225500",4,-1,-1,"SYSTEM","","psd217",46769359,"MS932","Server-I ジョブ(Server:/新基幹_本番処理/値札発行/04_値札指示データ連携_午前1TAX/V9B01_B:@5V689)を開始します(host: UXC510, JOBID: 56620)","Information","User","/App/App/Server","JOB","Server:/新基幹_本番処理/値札発行/04_値札指示データ連携_午前1TAX/V9B01_B","JOBNET","Server:/新基幹_本番処理/値札発行/04_値札指示データ連携_午前1TAX","User:/新基幹_本番処理/値札発行/04_値札指示データ連携_午前1TAX/V9B01_B","START","20210901225500",""   The same extraction is not working on the below alerts and is extracting the underlined red fields which is not expected and need to extract the green marked fields. 50271233,00004125,00000000,1600,"20210901225500","20210901225500",4,-1,-1,"SYSTEM","","psd217",46769358,"MS932","KAVS0278-I ジョブ(AJSROOT1:/新基幹_本番処理/値札発行/04_値札指示データ連携_午前1TAX/V9B01_B:@5V689)のサブミットを開始します","Information","User","/App/App/Server","JOB","Server:/新基幹_本番処理/値札発行/04_値札指示データ連携_午前1TAX/V9B01_B","JOBNET","Server:/新基幹_本番処理/値札発行/04_値札指示データ連携_午前1TAX","User:/新基幹_本番処理/値札発行/04_値札指示データ連携_午前1TAX/V9B01_B","START","20210901225500","" 50271226,00004106,00000000,3088,"20210901225446","20210901225446",4,-1,-1,"SYSTEM","","psd240",316413750,"MS932","Server-I ジョブ(Server:/新基幹_本番処理/MCS/監視/09_注文送信未更新項目チェック/EDI送信情報リスト_HULFT送信:@50R6189)が正常終了しました(host: PSC666, code: 0, JOBID: 88039)","Information","User","/App/App/Server","JOB","Server:/新基幹_本番処理/MCS/監視/09_注文送信未更新項目チェック/EDI送信情報リスト_HULFT送信","JOBNET","Server:/新基幹_本番処理/MCS/監視/09_注文送信未更新項目チェック","AJSROOT1:/新基幹_本番処理/MCS/監視/09_注文送信未更新項目チェック/EDI送信情報リスト_HULFT送信","END","20210901225446","20210901225446","0"   Please help in resolving this.

Howdy, Been researching on how to give time for the next sequential event to occur, but have not found a way. Lets say field X occurred and the next event to take place is field Y, but field Y is null  if under 24 hrs give Length_of_Time in min once Y happens. Issue is if its the same day and Y still has not occurred following X -- , give X 24 hours to happen from the time field Y  happened before marking it as failure of error... So far this is what I have...      | eval X = strptime(StartTime,"%Y-%m-%d %H:%M:%S.%q"), Y =strptime(EndTime,"%Y-%m-%d %H:%M:%S.%6N") note: 86400 is 24 hrs in seconds | eval Length_of_Time = if(isNull(Y)AND Y-X < 86400 AND 86400<=X,round((X-Y)/60,0))      

Hey all. We're evaluating Splunk SOAR and are looking at highly automated configuration management. Part of the setup is creating tenants, but I can't seem to find any documentation on using the REST API to do so. The /rest/container endpoint documentation makes reference to a /rest/tenant endpoint, but there is no actual information on /rest/tenant. Am I looking in the wrong place or is there documentation hidden away? Thank you.

anyone have a splunkbase app that will perform this function?     I wish to email a CSV file (possibly ZIPPED too) into Splunk to be consumed into splunk.   Is this possible at all? thanks!  Mike B

Hello  wonder if anyone got this app working for rss feeds?.  https://splunkbase.splunk.com/app/2646/#/details Broad feed support: the input supports all of the major feed types (RSS, ATOM, RDF) and will automatically determine the type of the feed and import it automatically   was only able to ingest BBC news, cisco webex status feed . the ones i am interested in fail with error   But these fail to be ingested ;  the error is same for all the feeds tested https://www.csoonline.com/in/index.rss https://feeds.feedburner.com/securityweek http://krebsonsecurity.com/feed/ https://threatpost.com/feed/ https://www.darkreading.com/rss/all.xml https://feeds.feedburner.com/TheHackersNews https://www.theregister.com/security/headlines.atom https://nvd.nist.gov/feeds/xml/cve/misc/nvd-rss.xml https://www.bleepingcomputer.com/feed/ https://www.infosecurity-magazine.com/rss/news   Does not look like a dns error as it works for bbc & webex url.  same error from test machine fully open to the internet.    Supported Splunk Versions: 7.2, 7.3, 8.0, 8.1, 8.2 ;    http TRACE: Request URL: https://www.csoonline.com/in/index.rss Request Method: GET Status Code: 200 OK Remote Address: 172.22.59.131:80     ERROR TRACE:     2021-11-16 19:25:53,176 ERROR Unable to get the feed, url=https://www.infosecurity-magazine.com/rss/news Traceback (most recent call last): File "/opt/splunk/etc/apps/syndication/bin/syndication.py", line 350, in run results, last_entry_date_retrieved = self.get_feed(feed_url.geturl(), return_latest_date=True, include_later_than=last_entry_date, logger=self.logger, username=username, password=password, clean_html=clean_html) File "/opt/splunk/etc/apps/syndication/bin/syndication.py", line 167, in get_feed d = feedparser.parse(feed_url) File "/opt/splunk/etc/apps/syndication/bin/syndication_app/feedparser/api.py", line 241, in parse data = _open_resource(url_file_stream_or_string, etag, modified, agent, referrer, handlers, request_headers, result) File "/opt/splunk/etc/apps/syndication/bin/syndication_app/feedparser/api.py", line 141, in _open_resource return http.get(url_file_stream_or_string, etag, modified, agent, referrer, handlers, request_headers, result) File "/opt/splunk/etc/apps/syndication/bin/syndication_app/feedparser/http.py", line 200, in get f = opener.open(request) File "/opt/splunk/lib/python2.7/urllib2.py", line 429, in open response = self._open(req, data) File "/opt/splunk/lib/python2.7/urllib2.py", line 447, in _open '_open', req) File "/opt/splunk/lib/python2.7/urllib2.py", line 407, in _call_chain result = func(*args) File "/opt/splunk/lib/python2.7/urllib2.py", line 1241, in https_open context=self._context) File "/opt/splunk/lib/python2.7/urllib2.py", line 1198, in do_open raise URLError(err) URLError: <urlopen error [Errno -2] Name or service not known>       https://lukemurphey.net/projects/splunk-syndication-input/wiki/Troubleshooting   Troubleshooting If you experience problems with the input, run the following search to see both the output from the input and the modular input logs together in order to see if the logs indicate what is wrong: (index=main sourcetype=syndication) OR (index=_internal sourcetype="syndication_modular_input") If you have debug logging enabled, then you can see details with the following: index=_internal sourcetype="syndication_modular_input" | rex field=_raw "(?<action>((Skipping)|(Including)))" | search count>0 OR action=Including | table date latest_date title action count    

what's the best way to set a sedcmd in props to remove spaces and add a " _ " in just the a cvs header line? for example- I have a csv header like this; field 1, field 2, filed 3 and I want the fields to be field_1, field_2, filed_3 but just for the header, not for the data in the fields.  I see this in a old post but, it will change everything with a space even the data: inputs.conf [monitor://c:\temp\sed-csv.log] disable=false index=sedcsv sourcetype=sedcsv props.conf [sedcsv] SEDCMD-replacespace = s/ /_/g https://community.splunk.com/t5/Splunk-Search/CSV-Field-Extraction-with-spaces-in-field-name/m-p/245974 

Hello. I've noticed that in many solutions when there is a need for a value from previous row, streamstats with window=1 is used. For example - https://community.splunk.com/t5/Splunk-Search/Unable-to-subtract-one-days-hours-from-previous-days-to-create/m-p/575093/highlight/true#M200392 In similar cases I tended to use autoregress which behaves more or less the same. The question is - what are pros/cons of each of those commands? Do they have some non-obvious limitations? Is any "better" than the other?

Hello,   I am trying to figure out how many good IP addresses vs bad IP addresses there are based on Tenable Security center results (severity=low, medium, high, critical).  A good scan should show multiple severity level results vs a bad scan would not show as many severity level results.   I would like to get as many fields filled based on SPL query.  More importantly I would like to get the good vs bad scan results (credentialed scans) from Tenable Security Center (ACAS).  What I mean by this is that when a scan has been initiated, you know a good scan vs a bad scan, where a good scan can pull multiple vulnerabilities based on the severity levels.  Where as for a bad scan does not pull as many vulnerabilities and the severity levels are very low or close to nothing at all.  I created a SPL query that provides the 26 data standard fields:  IP repository.dataFormat  netbiosName dnsName AWS hostname macAddress OS_Type, OS_Version operatingSystem SystemManufacture SystemSerialNumber SYStemModel AWSAccountNumber AWSInstanceID AWSENI passFail plugin_id pluginName repository.name, cpe low, medium, high critical total Country lat lon SPL Query earliest=7d@d index=acas sourcetype="tenable:sc:vuln"  | rex field=operatingSystem "^(?P<OS_Type>\w+)\.(?P<OS_Version>.*)$" | rex field=dnsName "^(?P<hostname>\w+)\.(?P<domain>.*)$" | rex field=system "^(?P<manufacture>\w+)\.(?P<serialnumber>.*)$" | rex field=pluginText "\<cm\:compliance-result\>(?<status>\w+)\<\/cm\:compliance-result\>" | eval AWS=if(like(dnsName,"clou%"),"TRUE","FALSE") | iplocation ip | eventstats count(eval(severity="informational")) as informational, count(eval(severity="low")) as low, count(eval(severity="medium")) as medium, count(eval(severity="high")) as high, count(eval(severity="critical")) as critical by ip | dedup ip | eval total = low+medium+high+critical | table ip, repositiory.dtatFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacture, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSINstanceID, AWSENI, passFail, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon