Hi Champions, In this below mentioned dataset. I want to create a conditional splunk query.  Ex: I want to check first whether rsyslog service is stopped, if it stopped then who stopped it, in which server, then display the results in a table.  Can you please help ? Oct 25 16:30:06 keybox sudosh: KHYJS6PxEI64zG Henry: service rsyslog start Oct 25 16:30:02 keybox sudosh: KHYJS6PxEI64zG Joseph: #011service rsyslog stop Oct 25 15:15:30 keybox sudosh: ssNjFZca22OvaB Henry: service rsyslog stop Oct 25 15:08:26 keybox sudosh: ssNjFZla22OvaB Henry: #011service rsyslog start Oct 25 15:07:46 keybox sudosh: ssNjFZla22OvaB Joseph: service rsyslog status Oct 25 15:06:21 keybox sudosh: ssNjF0la22OvaB Asher: service rsyslog statutss Oct 25 14:49:57 eqc-03-tpp sudosh: gkrMz1dLey0CS1 John: cat /etc/red#011#177#177#177#177#177#177#177#177#177#177#177#177#177#177#177r#177#177#177#177#177#177#177#177#177#177#177#177#177sys#177#177ervice rsyslog status Oct 25 14:48:26 keybox sudosh: VSjTDhPH3iM5MY Ahser: service rsyslog status Fields are: Date and Time = Oct 25 16:30:06 host = keybox index = sudosh_app sourcetype = sudosh I tried with the below mentioned query, but unable to create a conditional query.  index = sudosh_app_protected  host = * |eval "Critical Logging Events:" = "Rsyslog was Stopped on " + host, "Date and Time" = MonthDateTime, "User" = UserName, "Source" = sourcetype |table "Date and Time","Critical Logging Events:" , "User", "Source" Please help. Thank you in advance. 

Hi Experts, |search filed1=Enabled OR "Enabled" OR "Disabled" OR Disabled The above search is returning four rows. If i try to sum them based on the status ,still its returning four rows. |stats sum(dc(servers)) by Status Status---> dc(servers) Enabled--> 10 Enabled--> 3 Disabled-> 23 Disabled->6 Thank you.    

I have a rather complicated query that go like this:     index=* source=* earliest=-4mon@mon latest=@mon RESPONSE_CODE="0" | bin _time span=1mon | stats count AS MonthTotal1 SUM(AMOUNT) AS MonthTotal BY MERCHANT_CODE, SUBMERCHANT_CODE, _time | eval lastMonthStart = relative_time(now(),"-mon@mon") | stats sum(eval(if(_time>=lastMonthStart,MonthTotal,0))) AS 1M_Total sum(eval(if(_time>=lastMonthStart,0, MonthTotal))) AS 3M_Total values(eval(if(_time>=lastMonthStart,MonthTotal1,null()))) AS Transaction sum(eval(if(_time<lastMonthStart,MonthTotal1,null()))) AS THREE_MONTHS BY SUBMERCHANT_CODE, MERCHANT_CODE | eval 3M_Total_avg = round(3M_Total/3,2) | eval RATE_Total = round((1M_Total/3M_Total_avg)*100,2) | search RATE_Total>=200 OR RATE_Total=0 | join MERCHANT_CODE [search index = * | dedup MERCHANT_CODE | table MERCHANT_CODE, BANK] | table MERCHANT_CODE SUBMERCHANT_CODE, BANK, 1M_Total, RATE_Total       It seem complicated but the gist is I have to compare the lastest month total value of transaction to the average of 3 months before it for each sub-merchant, if the rate is >200%, show it in a table. The typical event go like this (I'll omit some unnecessary parts):     2021-10-25 13:52:33 TRANSACTION_ID="144479283"AMOUNT="10000", MERCHANT_TRANSACTION_CODE="17797161285", RESPONSE_CODE="0",MERCHANT_CODE="MOMOCE", SUBMERCHANT_CODE="22312"     Something to note: - Each MERCHANT can have several SUBMERCHANT, or don't have one at all, so the field SUBMERCHANT is not always exist in events. - Each MERCHANT have a BANK associate to it, but in another table.  I have a query just for SUBMERCHANT as a baseline to compare results, but somehow the query above, and even if I use (eventstats) instead of (stats), all show all different results than the baseline.  Does anyone have anyideal to untangle this mess, I'll really appreciate!

Dear Splunk community, In Splunk, I am looking for logs that say "started with profile: [profile name]" and retrieve the profile name from found events. Then I want to use the profile name to look for other events (from a different source) and if one error or more are found, I would like to let it count as one found error, per platform. To make things more clear I have the following search query (query one):   index="myIndex" "started with profile" BD_L* | table _raw, platform, RUNID | eval Platform=case(searchmatch("LINUX"),"LINUX",searchmatch("AIX"),"AIX",searchmatch("DB2"),"DB2", searchmatch("SQL"),"SQL", searchmatch("WEBSPHERE"),"WEBSPHERE", searchmatch("SYBASE"),"SYBASE", searchmatch("WINDOWS"),"WINDOWS", true(),"ZLINUX") | stats count by Platform | rename count AS "Amount"   The events found from above query contains the following (raw) :   Discovery run, 2021101306351355 started with profile BD_L2_Windows   The above query will return a list of events containing the raw data above and will result in the following table. This is a table with the amount of Discovery runs per platform: Using the following piece of code I can extract RUNID from the events. RUNID is what I need to use in a second search when looking for errors:   | rex "Discovery run, (?.+) started with profile"   Using RUNID I can look for errors (query two):   index="myIndex" source="/*/RUNID/*" CASE("ERROR") CTJT* | dedup _raw | stats count | rename count AS "Amount"   Now, I am looking for a way to combine the above two queries into one and count the amount of platforms that have at least one error. So lets say we have the following simulation: - Two runs (one Windows and one Linux) - Windows run has 0 errors (none found in query 2) - Linux has 6 errors (found in query 2) This should result in the following results:   Platform | Amount Linux | 1   I need to find some way to return true or one from query 2 and use that in query 1 to group the results, but I am unable to due to lack of experience. I have not yet found anything similair to my question and hope anyone here can help me out. Thanks in advance.                    

index=pan* dvc_name="*" sourcetype="pan:traffic" OR sourcetype="pan:system" how can I trigger an email alert if example 1 or multiple devices are not sending traffic logs after 24hrs. I tried using the alert with condition number of results but it's not sending logs. because splunk counts the result not by device and by logs it added all the results.

Hello I have a dashboard with 2 panels, in the second one i have a drilldown with link to search i'm trying to configure token but it is not working this is what i tried to do: <init> <set token="TransactionId">$TransactionId$</set> </init> and this is what im getting once clicking on the link: TransactionId=$TransactionId$ what am i missing ? thanks

Dear community, I have been trying to integrate splunk for my scripting purpose for some time now and it's time to reach out for some help. Design based on <form> and I have tried to implement this with 2 ways: to run the search with custom python command from the drilldown, not sure how NOT run it automatically and to take those inputs as args: I have 3 input fields: Here is one version of my XML ( in the search "| pullssp" is my python script that requires above inputs) :   <form script="button.js">/*<init><set token="hostname"></set><set token="username"></set><set token="password"></set>*/</init> <label>submit button</label> <fieldset submitButton="false"></fieldset> <row depends="$hide$"> <panel> <html> <style> .btn-search{ color: #fff; padding: 6px 15px; font-weight: 500; background-color: #5cc05c; border: transparent; display: inline-block; height: auto; line-height: 20px; font-size: 14px; box-sizing: border-box; margin-bottom: 0; text-align: center; vertical-align: middle; cursor: pointer; border-radius: 3px; white-space: nowrap; } .btn-search:hover{ background-color: #40a540; border-color: transparent; color: #fff; box-shadow: inset 0 -2px 0 rgba(0,0,0,.1); text-decoration: none; text-shadow: none; filter: none; } </style> </html> </panel> </row> <row> <panel> <input type="text" searchWhenChanged="false" id="host" token="hostname"> <label>Server</label> <default>https://192.168.1.10</default> </input> <input type="text" searchWhenChanged="false" id="user" token="username"> <label>Username</label> <default>admin@admin.com</default> </input> <input type="text" searchWhenChanged="false" id="pass" token="password"> <label>Password</label> <default>Admin123</default> </input> <html> <input type="button" value="Search" id="submit_host" class="btn-search"/> </html> <table> <search> <query>| pullssp $hostname$ $username$ $password$</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> </form>   Ideally I would like this not to run automatically just when I submit my inputs with search button. JS button with this version, constantly adjusting as I do not know js:   require([ "jquery", "splunkjs/mvc", "splunkjs/mvc/simplexml/ready!"], function($, mvc) { var defaultTokenModel = mvc.Components.get("submitted"); $( "#submit_" ).click(function() { var hostname= $('#host input[type="text"]').val(); var hostname= $('#user input[type="text"]').val(); var hostname= $('#pass input[type="text"]').val(); defaultTokenModel.set("hostname",hostname); defaultTokenModel.set("username",username); defaultTokenModel.set("password",password); }); });   Here is another way I'm thinking how to try to pass this to js script and run command from there:   <form script="get.js" hideSplunkBar="1" hideFooter="1" hideEdit="0" isDashboard="0"> <label>Update</label> <fieldset submitButton="false" autoRun="false"> <input type="text" token="field1"> <label>Server</label> </input> <input type="text" token="field2"> <label>Username</label> </input> <input type="text" token="field3"> <label>Password</label> </input> </fieldset> <row> <panel> <html> <fieldset submitButton="true"> <button class="btn btn-primary button1"> <span>Update STUFF</span> </button> </fieldset> </html> </panel> </row> </form>   General idea of how js script should reflect action upon button1 click:   require([ "jquery", "splunkjs/mvc/searchmanager", "splunkjs/mvc/simplexml/ready!" ], function( $, SearchManager ) { var mysearch = new SearchManager({ id: "mysearch", autostart: "false", search: "|pullssp $field1$ $field2$ $field3$" }); $(".button1").on("click", function (){ var ok = confirm("Are you sure?"); if (ok){ mysearch.startSearch(); } }); });   How can I use default token model to grab those tokens and pass further to my search to use with python script command please? Could not find any examples on it. @vnravikumarseen couple of your posts and I think you might be able to help ? Many Thanks in advance all

I have configured an automatic lookup, however when I try to do a search it gives a message " Could not load lookup=LOOKUP-auto_prices [subsearch]: Could not load lookup=LOOKUP-auto_prices " Can someone help me,please?

Hi All, I am trying to create a dashboard panel in trellis view. I have used the below query: (my search query) | stats count | eval Result=if("count"="0","Ok","Error") | fields - Exception,count With this I can get the dashboard panel as  Please look into the source below: <option name="colorBy">value</option> <option name="colorMode">block</option> <option name="drilldown">none</option> <option name="numberPrecision">0</option> <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option> <option name="rangeValues">[0,30,70,100]</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trellis.enabled">1</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> <option name="trendColorInterpretation">standard</option> <option name="trendDisplayMode">absolute</option> <option name="unitPosition">after</option> <option name="useColors">1</option> <option name="useThousandSeparators">1</option> </single> </panel> Here I have a requirement to change the color of the trellis box. I want it to be green when "Ok" and red when it is "Error".  Please help guide me to achieve the desired output.   Thank you..!!

I have got a complicated task of consolidating two standalone search heads and a single search head cluster (4 nodes) all into a single search head cluster of 3 nodes.   Can someone please advise what would be the most efficient and correct method to accomplish this ?