Hello Splunk team, do you know if it's possible to do a splunk search in a python script? taking into account the selection of the desired period (last week, last month ...). for example for a simple search : | append [search sourcetype=ESP_Histo env="Web" service="Application" apps="Web Sharepoints" fn="*" managed_entity="*- URL" sampler="SHAREPOINT - URL" ID_EVENT | eval Applications=case( apps like "%Web Sharepoints%","WEB SHAREPOINTS") | `transactions` ] | eval max_time=if(info_max_time == "+Infinity", now(), info_max_time) | eval min_time=if(info_min_time == "0.000", 1577836800, info_min_time) | eval periode1=max_time-min_time | stats sum(duration) AS durationindispo by Applications, periode1 | outputcsv append=true override_if_empty=false web_search

Hi everyone,   I am trying to remove partial duplicate in the same field, but couldn't find a solution yet. For instance I have for the same field these values: http://www.g http://www.go http://www.google.com   I would like to only keep the value (http://www.google.com), I tried to use dedup and mvfilter: eval url_in_parameter=mvfilter(!url_in_parameter LIKE url_in_parameter*) I am still a begginer on Splunk and couldn't find any similar topics on internet.   Thanks for your help and have a good day.

Our Splunk deployment is on-prem and we have automated deployment based on app updates. Users create a PR, make updates and push to bitbucket. Automated tests are done and if everything is OK the changes are in production in the hour. We are considering the move to Splunk Cloud but are worried about the manual app vetting process. That process seems cumbersome and might mean that the 5-10 changes across multiple apps we have each week will form an endless backlog. How are you finding the app vetting process? Is it working OK or are you finding it painful? This is a question aimed at large corporates who have moved from on-prem or BYOL to Splunk cloud.

I have the following log !!! --- HUB ctxsdc1cvdi013.za.sbicdirectory.com:443 is unavailable --- !!! user='molefe_user' password='molefe' quota='user' host='002329bvpc123cw.branches.sbicdirectory.com' port='443' count='1' !!! --- HUB 002329bvpc123cw.branches.sbicdirectory.com:443 is unavailable --- !!! host='005558bvpc5ce4w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 005558bvpc5ce4w.za.sbicdirectory.com:443 is unavailable --- !!! host='41360jnbpbb758w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 41360jnbpbb758w.za.sbicdirectory.com:443 is unavailable --- !!! host='48149jnbpbb041w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 48149jnbpbb041w.za.sbicdirectory.com:443 is unavailable --- !!! user='pips_lvl_one_user' password='pips_lvl_one' quota='user'   I have above log and I'm struggling to extract the colored items ctxsdc1cvdi013.za.sbicdirectory.com = as workstation ID is unavailable = as  status molefe = as quota

I am trying to control ingest rate into Splunk Cloud. I have some firewalls that are very chatty. The firewalls themselves can only point to a single Syslog destination.  For security and compliance issues, I need to retain and store ALL logs for one year. We have an appliance that forwards to our SOC and it basically has unlimited storage. For reporting and alerting, I need to send most messages into Splunk Cloud. Logging is controlled by ACL and in the syslog messages, you see ACLs. Based on how my firewall is configured, there are a few ACLs that are chattier than others, for example, the implicit deny ACL is CONSTANTLY chatting. The only time I really need to see this ACL in Splunk logs, is when I am troubleshooting however the SOC wants to see this ACL all the time. The implicit deny rule accounts for about 30% of all syslog data generated. Ideally I when I write to disk on the Syslog-NG server, I would like to drop the implicit deny logs so that when the Universal Forwarder reads the log, it won't be sending that unneeded 30% overhead (the implicit deny rule accounts for about 20-50 gigs of ingest a day alone).  My initial log_path statement looks like the following:       log { source(s_udp514); filter(f_device); destination(d_socappliance); destination(d_disk); flags(final); };         I then tried 2 different log path statements to try and separate the traffic so that I can apply the message drop filter:       filter f_device { ( host("192.168.1.1") or host("fqdn.device.com") ) }; filter f_device_msgdrop { ( not match("aclID=0" value(MESSAGE)); ) }; log { source(s_udp514); filter(f_device); destination(d_socappliance); flags(final); }; log { source(s_udp514); filter(f_device);filter(f_device_msgdrop); destination(d_disk); flags(final); };         aclID=0 is the ACL ID of the implicit deny rule. The concept here is that if the string "aclID=0" exists in the syslog message, I don't want to write it to disk and therefore the Universal Forwarder never sees in in the log file and it doesn't get sent to the cloud.  When I use the method above, I end up disabling logging to disk. I haven't verified if logging to the SOC appliance stops as well. Any thoughts on how to tackle this? 

I am building a search that will based on a table of products with different versions. I need to run an initial search that will return the version with most hosts ("Mainstream") and use that version to compare everything else against in order to determine if its less than/greater than (older/newer). I am currently using a foreach command to send each category of product to a subsearch which then grabs mainstream and return it so I can compare each event's version to this mainstream version. I am having extreme difficulty passing the field to the subsearch and filtering out the category by using something like a Where command without setting off confusing errors that don't really make any sense. ("Eval command malformed"). The logic of the query works when I am not using a '<<field>>' token but soon as I try pass a token with a where command within subsearch, it falls apart. I am a Splunk newbie so maybe I am missing something obvious, please advise:   | inputlookup Lookup_Table.csv | eval Category = OSType. "-" .ProductName | stats values(ProductVersion) AS Version values(LifeCycleStatus) AS Status by Category | foreach Category [eval newLifecycleStatus=case(Version< [| inputlookup Lookup_Table.csv.csv | eval Category = OSType. "-" .ProductName | where Category =='<<FIELD>>' | sort -product_count | head 1 | eval Version="\"".ProductVersion."\"" | return $Version], "Declining")]    I changed this code to something like this with no luck because I cant filter the results without a where statement:   | inputlookup Lookup_Table.csv | stats values(ProductVersion) AS Version values(LifeCycleStatus) AS Status by ProductCode | foreach ProductCode [eval newLifecycleStatus=case(Version==[| inputlookup Lookup_Table.csv | eval NewProductCode=tostring('<<FIELD>>') | sort -product_count | head 1 | eval ProductVersion="\"".ProductVersion."\"" | return $ProductVersion], "Emerging")]