Hi all, i need to create a table that count for every product how many events are accepted or rejected. In addition to this fields the latest event date should be shown with the count. Table should be like this Product Latest Accepted Total Accepted Latest Rejected Total Rejected Bike 10/11/2021 35 12/11/2021 14 Skate 11/11/2021 99 13/11/2021 5   the first part of the query is pretty easy: ...| stats count(eval(action="accepted)) AS "Total Accepted" count(eval(action="rejected)) AS "Total rejected" by product | rename product AS Product I'm not able to retrieve the latest date for every  kind of action, tried with latest(_time) without success. Many thanks  

I am trying to create a Timechart that will list out the TotalHours of that day and then subtract the previous days TotalHours to see the Hours difference in each day. This needs to span 14 days   Basically I just need the Total Hours difference from One day to the next spanned across a timechart  This is the data and Query I have so far (not much) -------Search----- | where TotalHours != "0" AND _time>relative_time(now(), "-14d@d") | dedup PROJECT_NUMBER _time | table PROJECT_NUMBER TotalHours _time | sort by PROJECT_NUMBER  

Hello Everyone,   I'm trying to extract usernames from the logs of a proftpd. An event looks like this: 2021-11-16 16:17:43,866 HOST proftpd[28071] 10.10.10.10 (11.11.11.11[22.22.22.22]): USER ASD-ASDASD: Login successful.   Simple usernames (ASDFG) works fine, also usernames with _ like ASD_ASD. But as soon as the username contains - character, its only extract the first part ASD-ASDASD How do I circumvent this? How can I extract strings that contains - ?    

Hi, MS ADFS will write inside WinEventLog:security and Splunk_TA_windows is watching that log and enriching with lookup. Issue here is that AD FS have same ID's like some other. Example: EventCode=516 should be "The following user account has been locked out due to too many bad password attempts. Additional Data Activity ID: %1 User: %2 Client IP: %3 nBad Password Count: %4 nLast Bad Password Attempt: %5" while Splunk_TA_windows will enrich it to: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits how can I override default Splunk_TA_windows lookup if Provider Name='AD FS Auditing' is AD FS Auditing, so then I can enrich with ADFS table else use default lookup.

Hi, I am trying to create an alert that triggers when more than 5 files are deleted in less than 3 minutes from the app we monitor.  For some reason, the alert only works for single file deletion but does not work when I set it for. a number of events. any idea why? would love to get some help

Hello everyone,   I'm trying to apply an Ontologicall indexing as it was described in the conference "Bridging the Data Divide To Solve Social and Environmental Challenges" at .conf21. If you have any idea please tell me. I attached the photo in order to describe my objective in a visual way. Thomas.

Hello. I have just enabled powershell logging and am now getting completely spammed with splunk forwarders running powershell scripts, so i am trying to filter that out. It is a distributed setup, with: 1 deployment/license server 1 indexer 1 search head On the indexer i have added  splunk/etc/apps/windowsServers/local/props.conf         [WinEventLog:Microsoft-Windows-Powershell/Operational] SHOULD_LINEMERG = false MAX_TIMESTAP_LOOKAHEAD=300 detect_trailing_nulls = auto TIME_PREFIX = "\clock\": KV_MODE = json AUTO_KV_JSON = true TRANSFORMS-set = setnull         and transforms.conf         [setnull] REGEX = (?mi)SplunkUniversalForwarder DEST_KEY = queue FORMAT = nullQueue           On the deployment/license server i have added the same transforms.conf as above On the Search head i have added props.conf:         [WinEventLog:Microsoft-Windows-Powershell/Operational] SHOULD_LINEMERGE = false detect_trailing_nulls = auto KV_MODE = json AUTO_KV_JSON = true           A log entry that i would like filtered out could look like this:         11/16/2021 01:38:27 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4103 EventType=4 Type=Information ComputerName=********* User=SYSTEM Sid=S-1-5-18 SidType=1 TaskCategory=Executing Pipeline OpCode=To be used when operation is just executing a method RecordNumber=16918098 Keywords=None Message=CommandInvocation(Select-Object): "Select-Object" ParameterBinding(Select-Object): name="ExpandProperty"; value="UserProcessorTime" ParameterBinding(Select-Object): name="InputObject"; value="System.Diagnostics.Process (WmiPrvSE)" Context: Severity = Informational Host Name = ConsoleHost Host Version = 4.0 Host ID = c939e89c-c7f2-468c-b351-295154efdf43 Host Application = powershell.exe -command & {get-content C:\Windows\TEMP\\input51852c9500841041.tmp | c:\Program` Files\SplunkUniversalForwarder\bin\splunk-powershell.ps1 c:\Program` Files\SplunkUniversalForwarder 51852c9500841041} Engine Version = 4.0 Runspace ID = bb969a43-cc4d-4f2c-b4ec-80b7ed2ff7d7 Pipeline ID = 1 Command Name = Select-Object Command Type = Cmdlet Script Name = C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell-common.ps1 Command Path = Sequence Number = 104739 User = ****** Shell ID = Microsoft.PowerShell User Data:         They all contain the SplunkUniversalForwarder which is why i tried to use that in the regex When i add all these things, all logs from the sourcetype disappear. What am i doing wrong?

Hi, I am currently working on developing a logger  in Python that would send Syslog data into Splunk. So, I want to create a logging interface or an abstract class that would create a logging class for the Syslog data, e.g. log -> write_log. The log->write_log is then overrides the abstract method with the concrete method for syslog->write_log. How can I start this task? What Python library would I need? Like splunklib or splunk_handler? Thanks!

Hello Folks , Need help. Every day new file generates with a FileSizeBytes value, I need to compare the yesterday's FileSizeBytes value with today's FileSizeBytes value. and store the result value on a new field. Ex:      _time                                                                        FileSizeBytes             2021-11-13 02:21:51.327                             116786105            2021-11-12 02:15:18.357                              116757352 Job runs from Tue- Sat

I am looking to identify specific assets that have not been logged into in over a set time. I am fairly new to all of this and trying to learn in a more hands on way. I was wondering what would be the best way to accomplish this? I was thinking something like this but I don't think this is right: EventCode=4624 AND [|inputlookup append=t Computers.csv] NOT [inputlookup append=t Dont_search.csv] | dedup host | table _time,host,user | sort host Computers.csv - Specific computers that I want to track. Dont_search.csv - Accounts that I DO NOT want to track.  I am hoping to show all computers on my list regardless of whether they were logged in too. Any help would be greatly appreciated!!!

Hi all, I'm testing multisite indexer clustering with below configuration and found an undesired behaviour in the case of a site failure. available_sites = site1,site2 site_replication_factor = origin:2,site1:2,site2:2,total:4 site_search_factor = origin:1,site1:1,site2:1,total:2 As you can see I have configured the replication factor "origin:2,site1:2,site2:2,total:4" so that I will have 2 replicas in both sites. But, in the case of a site failure, I am observing that splunk will try to replicate locally in the site that is up and complete the 'total:4' condition. I think this can be a problem when the available disk space on the machines is less. Let's say site2 indexer machines are at 80% disk space usage and site1 fails - now when splunk tries to create 4 replicas in the same site (site2) due to site failure, it can easily exhaust the disks. As per update from splunk support, this is default behaviour, but I feel there needs to be additional control over this. Any advise or suggestions around this issue will be really helpful. Thank you.

10.40.x.x 10.4.x.x 13.x.x.x KB: Windows  aXXXX field3    Apply Security XXX. server user server   I have a table output of  a search  which look similar to the one shown above Is it a possible way to conver this to the desired format mentioned   10.40.x.x KB4571719: Windows 7 aXXXX field3    Apply Security XXX. server 10.4.x.x KB4571719: Windows 7 aXXXX field3    Apply Security XXX. user 13.x.x.x KB4571719: Windows 7 aXXXX field3    Apply Security XXX server