I am pulling data from multiple locations and a new field threshold has been introduced. The issue is threshold  is common but has different values depending if it is cpuPerc or memoryCons  etc.. There are 4 of them.   | mstats min("mx.process.cpu.utilization") as cpuPerc min("mx.process.threads") as nbOfThreads min("mx.process.memory.usage") as memoryCons min("mx.process.file_descriptors") as nbOfOpenFiles min("mx.process.up.time") as upTime avg("mx.process.creation.time") as creationTime WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold     On option I have if i want to display all the thresholds differently is to write a 3 joins - but this is heavy on CPU.   | mstats min("mx.process.cpu.utilization") as cpuPerc WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold | rename service.name as service_name | rename threshold as T_cpuPerc | join _time service.name replica.name [| mstats min("mx.process.threads") as nbOfThreads WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold | rename service.name as service_name | rename threshold as T_nbOfThreads ] | join _time service.name replica.name [| mstats min("mx.process.memory.usage") as memoryCons WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold | rename service.name as service_name | rename threshold as T_memoryCons ] | join _time service.name replica.name [| mstats min("mx.process.file_descriptors") as nbOfOpenFiles WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold | rename service.name as service_name | rename threshold as T_nbOfOpenFiles ]   I am trying this way but I am not sure how to merge the rows by time in the end - any ideas.   | mstats min("mx.process.cpu.utilization") as cpuPerc min("mx.process.threads") as nbOfThreads min("mx.process.memory.usage") as memoryCons min("mx.process.file_descriptors") as nbOfOpenFiles min("mx.process.up.time") as upTime avg("mx.process.creation.time") as creationTime WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold | rename service.name as service_name | search service_name IN (*cache*) | eval threshold_nbOfThreads=if(isnull(nbOfThreads),"",$threshold$) | eval threshold_memoryCons=if(isnull(memoryCons),"",$threshold$) | eval threshold_nbOfOpenFiles=if(isnull(nbOfOpenFiles),"",$threshold$) | table _time threshold threshold_nbOfOpenFiles threshold_memoryCons threshold_nbOfThreads   The issue is the data is now on different rows  - where I need them to be on the same by _time. SO in the image below, we have 3 lines for each time. How can i get them to merge per timestamp?    

I am new to splunk cloud and I would like to install an enterprise security app  ( below screenshot) on my splunk.  and after open the app its should be like below  and finally, I should be able to see the below screen. Can anyone please help me with this - If you have any doubts about my question please let me know Thanks in advance.

Hi here is the log: 23:50:26.698 app module1: CHKIN: Total:[100000] from table Total:[C000003123456] from PC1 23:33:39.389 app module2: CHKOUT: Total:[10] from table Total:[C000000000000] from PC2 23:50:26.698 app module1: CHKIN: Total:[100000] from table Total:[C000000000030] from PC1 23:33:39.389 app module2: CHKOUT: Total:[10] from table Total:[C000000000000] from PC2 need to sum values in brackets. expected output: items            total1           total2                    from  CHKIN         200000       3123486           PC1 CHKOUT    20                     0                              PC2   Thanks  

Hi Splunkers,   Hopefully I am posting on the correct place, apologies if not! I have the following code/SPL from inside the XML form. It looks inside a lookup, and then gives information about a specific field (field name taken from variable "FieldName") which matches the value of SearchString (value taken from variable "SearchString").   | inputlookup $lookup_name$ | search $FieldName$=$SearchString$   Those experienced you will see that it doesn't work this way. I am assuming that to make this XML code to work and give me the search result I expect I need to expand the variables?   If so, any idea how to do that? Regards, vagnet

Hey All, I get no results found for a tag that looks for fields created by a rex. So... sourcetype=DataServices | rex "JOB: Job (?<BIMEJob><(?<=<).*(?=>)>)" i get the following field with results Now i want to bunch some field values together so i create a tag containing the field values i care about added to my search but i get no results found... sourcetype=DataServices tag=GB1_BIME | rex "JOB: Job (?<BIMEJob><(?<=<).*(?=>)>)" Greatly appreciated if someone could help?  

I'm trying to plan an, for me, large deployment. Connecting several sites to a headquarter. Each site does have from 200 to 900 clients who need to send data to the indexer. on two locations the bandwith is relatively poor so the idea is to set up a cluster of two indexers locally on those locations. in the headquarter we'd set up a cluster of three indexers for all other locations who don't have a cluster and of course for the local data that pours in.    location: within the location I thought of forwarders for the servers (obviously) and then a heavy/intermediate forwarder which collects all those logs and sends it to the index cluster in the headquarter. in locations who need their own cluster, we'd set up a two server cluster . headquarter:  there we set up a three server cluster and a master node. two searchheads (one for the technical part and one for enterprise security) and a deployment server to forward apps to all the connected clients in all locations.  the searchhead should send its requests not only to the headquarter cluster but to all locations. I've read that it is possible to forward the sh requests through multiple clusters. the clusters don't talk with each other so there is no data exchange between the headquarter cluster and the two other clusters.    for better understanding, since this is complex zu explain, I've generated a draw.io architecture view. my questions to the feasibility of this architecture are as follows:    - do we need a master node for each cluster or can a master node manage multiple clusters? provided that the locations with their own cluster don't sync with the headquarter and are only processing requests from the SHs  - is there a minimum bandwidth that should be provided? splunk docs says 1 Gbit/s but I think for this kind of deployment 10-50 Mbit/s are enough?  - Is it basically better to  just make a larger central cluster with more servers in the headquarter or what is better performing? my fear is to set all of this up and then fall on my face cause I didn't scale the servers correctly.  - is one deployment server for all locations and all servers feasible or should I set up an deployment server at least for the locations with their own cluster too?   all specs should be in the draw.io few. hope you can answer my questions. I know it's a lot, but I'm afraid I may scale it wrong and then, months into the setup, I notice what is wrong.          thanks a lot for your tipps and suggestions! question: on location with their own cluster, do they need their own master node?

Hi, Is it possible when using Global Account to customise the fields? i.e. add other fields than only Username and Password. Ideally, I would like to be able to specify an Account Name, API Key and Authorization header in the Account tab, so that when configuring each input, I can choose the Account Name from a drop-down and have it pull the API Key and Authorization Header fields. I can specify these as "Additional Parameters" for the add-on, but then I have no way of selecting these on a per-input basis when configuring each input.

Hi, I need to install the below add-on, this add-on creates indexes and required roles, we dont want the add-on to control the indexes, so indexes.conf in this add-on is taken out , and we will create the indexes.  We want 14 indexes to be created, but is it Ok to go with one index and have different sourcetypes? We do have other configs provided in the add-on, will there be any impact if we go with one index with multiple sourcetypes also during add-on update, will there be any impact?   https://splunkbase.splunk.com/app/4153/