Hi Everyone, I need to compare 2 fields with like command but I cant do it even if I tried many solutions. For Example; event1 field1="raceCar" field2="car" event2 field1="trying" field2="hello" event3 field1="splunk" field2="helloSplunkEnterprise" Desired result: event1 result=hit event2 result=miss event3 result=hit  I tried | eval results= if (match()) but didnt work Is there any suggestion about this SPL? Thanks alot for your helps

Hello all, I have an issue with my DB connect. It won't fetch rows from any table in a Postgres database, but it will show table names and rows included in the table. When I select a table, the loading bar goes to 20 percent, and it will stick there.        

Hello, I have a HF running in Linux machine. I have root access to that machine using sudo bash  as sudo - splunk or su - splunk is  not allowing me to get root access. But, when I copy files to the folders  where monitor command pointing to pickup the files,  it is not forwarding events to the SPLUNK indexer since I cannot see those events within SPLUNK. However, when I type chown -R splunk: splunk/opt/splunk and then restart SPLUNK, it's working as expected, that means I can see those events within SPLUNK. So, every time when I copy  files within HF folders, I need to use chown command and restart SPLUNK to make them available within SPLUNK. Is there anyway this can be resolved that I don't need to type chown command and restart SPLUNK to forward events.  Thank you so much.

I have a current output in the form of a table with rows representing the time spent in various checkpoints and the last row being the total time.  I would like to calculate the percentage of each row in relation to the total row "Total Duration" row.  if this is not possible, I am ok with calculated the percentage based on the sum of all the p50/p90 column values as well.  Marker                           P50         P90 ------------------------------------------- Point 1 Duration         10            20 Point 2 Duration         40            100 Point 3 Duration         50            80 Total Duration             100         200 and I would like to insert a column for the percentage like this (the 100% in the bottom row is optional) Marker                           P50         P50%             P90            P90% -------------------------------------------------------------------------------------- Point 1 Duration         10             10%              20                10% Point 2 Duration         40            40%               100             50% Point 3 Duration         50            50%               80                40% Total Duration             100         100%            200             100% Thank you very much

I've got my universal forwarders and heavy forwarders doing indexer discovery through the cluster master like so ...   ************************** * outputs.conf * ************************** [indexer_discovery:clustermaster] pass4SymmKey = {password} master_uri = https://{my cluster master}.domain.foo:8089 [tcpout:clustermastergroup] indexerDiscovery = clustermaster useACK = true [tcpout] defaultGroup = clustermastergroup   Is there any reason I could not do the same in the cluster master's outputs.conf file? Basically, it would ask itself over 8098 who the peer nodes are.

I'm trying to post REST data via HTTP to splunk.  This works when using a pre-generated token to an HEC: POST /services/collector/event HTTP/1.0\r\nHost: galaxy.xypro.com\r\nContent-Type: application/json\r\nKeep-Alive: 100\r\nConnection: keep-alive\r\nAuthorization: Splunk 1d07454b-d9ef-41b0-9450-59d8670a78c7\r\nContent-Length: 166\r\n\r\n{\"time\": 1636117458, \"host\": \"galaxy.xypro.com\", \"source\": \"test\", \"event\": { \"message\": \"2021-11-05:13:04:18.491986: Logging test message #0\", \"severity\": \"INFO\" } } HTTP/1.1 200 OK\r\nDate: Fri, 05 Nov 2021 20:05:17 GMT\r\nContent-Type: application/json; charset=UTF-8\r\nX-Content-Type-Options: nosniff\r\nContent-Length: 27\r\nVary: Authorization\r\nConnection: Keep-Alive\r\nX-Frame-Options: SAMEORIGIN\r\nServer: Splunkd\r\n\r\n{\"text\":\"Success\",\"code\":0} However, when I try to generate a session token to allow basic authorization, I see the following response, even though the user and password are correct: POST HTTPS://localhost:8089/services/auth/login HTTP/1.0\r\nHost: galaxy.xypro.com\r\nContent-Type: application/json\r\nKeep-Alive: 100\r\nConnection: keep-alive\r\nAuthorization: Basic a3B3YXRlcnNvbjpUZXN0MTIzNDU=\r\nContent-Length: 48\r\n\r\n{\"username\":\"kpwaterson\",\"password\":\"Test12345\"} HTTP/1.1 400 Bad Request\r\nDate: Fri, 05 Nov 2021 19:57:40 GMT\r\nExpires: Thu, 26 Oct 1978 00:00:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, max-age=0\r\nContent-Type: text/xml; charset=UTF-8\r\nX-Content-Type-Options: nosniff\r\nContent-Length: 129\r\nConnection: Keep-Alive\r\nX-Frame-Options: SAMEORIGIN\r\nServer: Splunkd\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<response>\n <messages>\n <msg type=\"WARN\">Login failed</msg>\n </messages>\n</response>\n I was also investigating using receivers\simple for http messages.  Although the message is posted to splunk, a response is never received. POST /services/receivers/simple?source=NonStop&index=main&sourcetype=json_no_timestamp HTTP/1.0\r\nHost: galaxy.xypro.com\r\nContent-Type: application/json\r\nKeep-Alive: 100\r\nConnection: keep-alive\r\nAuthorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MiIsInR0eXAiOiJzdGF0aWMifQ.eyJpc3MiOiJrZW4ud2F0ZXJzb24gZnJvbSBWTS1ERVYtU1BMVU5LIiwic3ViIjoia2VuLndhdGVyc29uIiwiYXVkIjoiRGV2ZWxvcG1lbnQiLCJpZHAiOiJMREFQOi8vbWZhIiwianRpIjoiODUzMDYyZmFhZjA0NWY0Y2JlMWEyNGMxZWE3NTAyYjRmMjEwMGEyNzE0NzA1N2Q0MmUxOGVkYWRlMTYyZTlkZiIsImlhdCI6MTYzMzUyNTE5MywiZXhwIjoxNjM2MTE3MTkzLCJuYnIiOjE2MzM1MjUxOTN9.3TKSCeK52awMJDxNzfvfW4PNewsGVlKkFXSf0Vy1Dv7JH4DNH9Ogn_w5WZLkZkeNXmjJqU8opORXW7DjxA2eag\r\nContent-Length: 166\r\n\r\n{\"time\": 1636117714, \"host\":\"galaxy.xypro.com\", \"source\": \"test\", \"event\": { \"message\": \"2021-11-05:13:08:34.900042: Logging test message #0\", \"severity\": \"INFO\" } } Could you please let me know what may be the issue with generating the session key and why a response is not received from receivers/simple?  Thanks.          

My python is 3.8.5 and splunk-sdk is 1.6.16.  My Splunk developer gives me a URL and I get its search string to retrieve data as shown below. Below is my search string and additional python code: search/earliest/latest are added after copy/paste search string. SEARCH_STRING = f"""     search sourcetype="builder:payeeservice" host="JWPP*BLDR*P*" "*PayeeAddResponse" "*" "*" "*" "*" "*" "*" "*"     earliest=-1h@h latest=-0h@h     |rex d5p1:Description>(?<Description>.*</d5p1:Description>)     |eval Description = replace(Description,"<[/]*[d]5p1:[\S]*>|<[d]5p1:[\S\s\"\=]*/>", "")     |rex "GU\(((?P<SponsorId>[^;]+);(?P<SubscriberId>[^;]+);(?P<SessionId>[^;]*);(?P<CorrelationId>[^;]+);(?P<Version>\w+))\)"     |table _time,SponsorId, SubscriberId,SessionId, CorrelationId,Description     |join type=left CorrelationId [search sourcetype="builder:payeeservice" host="JWPP*BLDR*P*"  "*AdditionalInformation*" |xmlkv ]     |eval Timestamp = if((TenantId != ""),Timestamp,_time),PayeeName = if((TenantId != ""),PayeeName,""), Message = if((Description != ""),Description,Message), Exception = if((TenantId != ""),Exception,""), Address = if((TenantId != ""),Address,""), PayeeType = if((TenantId != ""),PayeeType,""),MerchantId = if((TenantId != ""),MerchantId,""),AccountNumber = if((TenantId != ""),AccountNumber,""),SubscriberId = if((TenantId != ""),UserId,SubscriberId),SponsorId = if((TenantId != ""),TenantId,SponsorId)     |table Timestamp, SponsorId,SubscriberId, PayeeName,Message,Exception,CorrelationId,SessionId,PayeeName,Address,PayeeType,MerchantId,AccountNumber """ import splunklib.results as results service = connect_Splunk() rr = results.ResultsReader(service.jobs.create(SEARCH_STRING)) ord_list = [] for result in rr:     if isinstance(result, results.Message):         #skip messages         pass     elif isinstance(result, dict):         # Normal events are returned as dicts         ord_list.append(result)   I get this error so something is wrong in my search string.  How to fix it? splunklib.binding.HTTPError: HTTP 400 Bad Request -- Error in 'SearchParser': Mismatched ']'.   Thanks.