All Topics
Hi There,
Any guidance on how to find common values starting with similar values from two different sources?
Example:
Source 1: field: SerialId, value: 123_abc
Source 2: field: SerialId, value: 123_abcde
So if the values start with the same first 6 letters and numbers, find those that match.
Any advice on how to approach this?
I'm trying to use a key across three sourcetypes to show unique non-multivalue rows using a stats by clause that has a different field in each of the sourcetypes, i.e.
Sourcetype A: NumberA (Key), Date (by clause)
Sourcetype B: NumberB (Key), Username (by clause)
Sourcetype C: NumberC (Key), Version (by clause)
If you use the number field, which is the key across the sourcetypes, as the stats by clause and add the different sourcetype fields as values, it produces multivalue fields (e.g. a number may have multiple dates, or users), whereas I'm looking for unique rows to show number, Date, Username, Version, e.g.
sourcetype=A OR sourcetype=B OR sourcetype=C
| eval number=coalesce(NumberA, NumberB, NumberC)
| stats values(sourcetype) values(Date) values(Username) values(Version) by number
I would have thought that you could add the different fields to the stats by clause after the key, but it's not returning anything, e.g.
sourcetype=A OR sourcetype=B OR sourcetype=C
| eval number=coalesce(NumberA, NumberB, NumberC)
| stats values(sourcetype) by number Date Username Version
Would this make sense, and is it possible?
index=IndexName | table username ip_address_new id_new desti | lookup file.csv user as username OUTPUT user id_old ip_address_old | where NOT (id_new = id_old AND ip_address_new = ip_address_old AND username = user)

Can I combine the "where" and "if" commands together? Or do I need to write something like this:
if id_new != id_old:
    | eval match_id = not match id
elif username != user:
    | eval match_user = not match user
elif ip_address_new != ip_address_old:
    | eval match_ip = not match IP address
else:
    | eval ....
Hi all, I am trying to change the behavior of the legend; I am trying to make it NOT clickable. I have the below properties related to the bar chart.
<option name="charting.chart">column</option>
<option name="charting.drilldown">all</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="trellis.enabled">0</option>
<option name="refresh.display">progressbar</option>
Any suggestions please? I am not seeing any other options related to the legend in the Splunk docs.
I'm writing a Python script that assigns multiple roles to a user, but having difficulty understanding what the 'roles' data structure needs to look like. According to the REST documentation for authentication/users/{name}: To assign multiple roles, pass in each role using a separate roles parameter value. For example, -d roles="role1", -d roles="role2". In Postman, I can successfully construct a request with multiple 'roles' parameters to produce the result I want, which is to assign multiple roles to the user. In Python, my code looks like this:
(response, content) = h.request(HOST + URL + OUTPUT_MODE, 'POST', headers=HEADERS, body=urllib.parse.urlencode({'roles':'admin','roles':'user'}))
But the end result is that the user is only assigned the 'user' role, presumably because the 'body' data structure ends up being a dictionary with a single key: {'roles':'user'}
Anybody know what the right Python data structure is to pass to urlencode so that I can add multiple roles to the user in a single POST?
Hi, I have several files in "myindex". When I set the date to "yesterday" I expect it to show just yesterday's files, but sometimes it returns files older than yesterday! E.g. today is 10/31/2020, and I run this SPL (time set to yesterday):
command:
| metadata type=sources index=myindex
output:
/app/20211031/server1.20211031.zip
/app/20211031/server2.20211031.zip
/app/20211025/server2.20211025.zip
FYI: the modify date of this file server2.20211025.zip belongs to 20211025.
Any idea? Thanks,
Search head: intermittently, search queries are not completing and fail to fetch the data. The error shows that the search can't be created, and the below warnings:
1. Expected common latest bundle version on all peers after sync replication, found none. Reverting to old behavior - using most recent bundle on all.
2. Unable to distribute to peer named gbl20051204 at uri: https:// because replication was unsuccessful. Replication status: Failed - Failure-Info: Failed_because_HTTP_Error_Code_. Verify connectivity to the search peer, that the search peer is up, and that an adequate level of system resources is available.
Hi! My setup has a log archive account using AWS Landing Zone, where all the CloudTrail and VPC Flow Logs from multiple accounts get aggregated and stored in an S3 bucket. I want to send both of these logs to a Splunk HEC. Which is the best-suited architecture pattern for this?
Hi, I have a field called "servername" that returns this:
...| table servername
server1
server2
server3
I need SPL that, when I give it a list of my servernames, returns which servername does not exist.
Expected output:
...| search server1 OR server2 OR server3 OR server4 | table servername status
servername    status
server4       X
Any idea? Thanks
I am trying to pull incidents resolved by each user, date-wise. Can anyone help me with how to form the below table with the count?
User Name   10/4/2021   10/5/2021   10/6/2021   Grand Total
AAAA                    3                       3
BBBBB       2                                   2
CCCCC       3           1                       4
DDD         1                                   1
Hi Folks, I have the below code from the dashboard source:
<set token="ps">$click.value$></set>
|eval ps>if($click.value$="ESB - Canonical - Tibco", <set token="ps2">6</set>)
OR if( $click.value$=="Guiding Care - Tibco",<set token="ps2">21</set>)
OR if($click.value$=="ESB - Raw data - Boomi",<set token="ps2">1</set>)
OR if($click.value$=="ESB - Raw data - Tibco",<set token="ps2">2</set>)
OR if( $click.value$=="HealthShare - Tibco",<set token="ps2">41</set>)
OR if( $click.value$=="ESB - Canonical - Boomi",<set token="ps2">5</set>)
OR if($click.value$=="EDWADS",<set token="ps2">10</set>)
OR if($click.value$=="EDWIDS",<set token="ps2">15</set>)
OR if($click.value$=="Guiding Care - Boomi",<set token="ps2">20</set>)
OR if($click.value$=="Guiding Care - PopHealthServices (PHS)",<set token="ps2">25</set>)
OR if($click.value$=="CareAnalyzer (CA)",<set token="ps2">30</set>)
OR if($click.value$=="HealthShare",<set token="ps2">40</set>)
I am trying to assign a value to ps2 on the basis of a condition, but it appears it is always assigning the last value (40) no matter what? Any help or suggestions please? Thanks.
We are deploying Alert Manager with a new client. Most of my alerts have a "DRILLDOWN_URL" field which contains context-specific SPL. I am trying to configure this to be a 1-click operation to run using "Drilldown Actions", but these do not work:
_key: 6169aad5005c277d3b3788d5
name: Splunk search to show contributing events for this instance of this alert
label: Contributing Events
url: https://localhost:8000/en-US/app/alert_manager/search?q=$DRILLDOWN_SPL|u$

_key: 6169af6f005c277d3b3788d6
name: Splunk search to show contributing events for this instance of this alert
label: Contributing_Events_2
url: https://localhost:8000/en-US/app/alert_manager/search?q=$DRILLDOWN_SPL$

I still get no drilldowns defined in the investigation screen.
Can we automate adding inputs to Splunk AWS for the respective heavy forwarders?
We have a standalone install which has to follow specific guidance and documentation. Without getting much into things, I need to document each open port, and if certain ones don't already have a vulnerability assessment on file I need to generate a local report on what the port is for and how it's utilized in the system(s). My clients have Splunk installed but don't tap into a lot of its power currently. Therefore I expect a lot of the extra ports can be turned off (at least for now) and save me a lot of paperwork. This brings me to ports 8065 and 8191. 8065 is a local listening port that is tied to the Splunk appserver. The problem is I can't find what Splunk is using this for exactly, outside of "app server". If we don't utilize Splunk apps, is this required? If we did, what does this port provide and why would it be required? When are calls made to it? How would I turn it off in version 8 if I don't need it? 8191 is used for the app KV store. If apps are not utilized, can this be turned off? If so, how? If apps are not utilized this seems like it wouldn't be required.
Hi, I tried searching all over but can't seem to find a good approach to do this. Basically, I have a multiselect input that needs to be used to filter a search, on a field that is an array. For instance: the multiselect input can be "value1", "value2", and the field from the search can be a list or array of "value1", "value2", "value3", etc. How can we check and filter out events with fields that do not contain all the elements from the multiselect input? Thanks in advance.
Hi Dear Splunkers, I have three searches that display their output in a dashboard in three different panels, but I want to combine them into one line chart, thank you.
(index=ONE) (sourcetype="ONE") (ID1="*") | eval ID1 = lower(ID1) | timechart span=1d distinct_count(ID1)
(index=TWO) (sourcetype="TWO") (ID2="*") | eval ID2 = lower(ID2) | timechart span=1d distinct_count(ID2)
(index=THREE) (sourcetype="THREE") (ID3="*") | eval ID3 = lower(ID3) | timechart span=1d distinct_count(ID3)
Are there REST APIs to create the HTTP request templates and Actions/Policies? I would like to automate the procedures for creating the HTTP request templates, Actions and Policies.
Greetings. I'm trying to rewrite (because converting didn't work so well) a dashboard I'd written in Simple XML to Dashboard Studio that heavily relies on a base search. Whenever I try to create a map viz object in Studio, it only prompts me with the option to create a new data source. However, I've already set up a base search and built multiple search chains off of it. I'd like to reference the search chain to feed the visualization but I haven't been able to successfully do this. Any ideas on how to approach it?
Pulling database events with Splunk DB Connect, I noticed that:
1. New (non-existing) fields are created
2. Text fields containing special characters are cut
The only reason I have been able to identify consists in the presence of special characters of the kind: ( ) " : ... in fields like "SQL _Text", that by their nature can contain quotes, brackets and else. How can I escape these problem-causing characters? This should be done inside Splunk, and not anywhere on the DB side, or in the SQL command for pulling records. What are the characters that must be escaped? Asking the latter because when working in a previous project with ingesting events from a DB into Splunk via a TCP Data Input, I noticed that not all special characters were causing the same problem as above, but only a few of them. Best regards, Altin
Hi, just a query: I have some manual lookups in some of my dashboards. If I create an automatic lookup, will this break the manual lookups in the dashboards? I don't believe it will, but just wanted to ask. Thanks, Joe