Hi what is the spl command to extract users. Here is the sample: 2021-09-12 21:40:03,938 ERROR [APPNAME] User H83952 invalid: javax.security.auth.login.LoginException: 2021-09-12 21:40:03,938 ERROR [APPNAME] User 83944 invalid: javax.security.auth.login.LoginException: 2021-09-12 21:40:03,938 ERROR [APPNAME] User A_Frok invalid: javax.security.auth.login.LoginException: expected output: H83952 83944 A_Frok Thanks,

Hello Team, As we are parsing logs from Linux machine to Splunk indexer via Splunk Universal Forwarder in Linux machine, from monitor input paths "var/logs" am getting data in indexers but am not getting data from this path "monitor:///opt/apps/mule-runtimes/mule-ee-runtime-1/logs" please help what to do, for reference please check the below snap.

Hello all, I am struggling with customizing my Splunk ES's Incident Review panel. I have integrated Suricata IDS logs to ES (using Splunk CIM and TA-Suricata) and I would like to output Suricata alerts as notable events in Splunk ES. Facts: 1. I have created a Splunk Correlation search in Content Management "Suricata Medium Severity Alert" which has a custom search:   index=suricata sourcetype=suricata event_type=alert alert.severity=2   2. In Adaptive Response Actions I added a Notable with the following custom settings: Title: $signature$  (in order to output the Suricata Alert Signature Title) Description: A medium severity alert ($signature_id$) was triggered on $src$ Notes: - Search runs every 5minutes. - I save and enable the Correlation search and I see that a Saved Search "Threat - Suricata Medium Severity Alert - Rule" is created. What is the problem: - In the Incident Review console though the new Notable's "Title" has the Saved Searches' title ("Threat - Suricata Medium Severity Alert - Rule") and not the custom title ($signature$) (ET POLICY SMB2 NT Create AndX Request For an Executable File) set on the Notable action event. - Description: is "unknown"   Notes: - The Notable event is successfully created and it contains all variable fields (src, signature, signature_id). - All fields are shown on Additional info on the notable, but the point is that variables do not show Troubleshooting done so far: - Deleted and recreated Corellation searches and Saved Searches - Restarted Splunk - Rebooted OS Splunk Version: 6.2.2 (Distributed Environment) Splunk ES: 6.6.0 Splunk CIM: 4.20.0 Any help would be appreciated. Regards, Chris

Hi all,    I have two chart queries to get the success count and error count which are working as expected.  Now I want to add the both and get the total count from both columns.  Query 1:  index=dev | rex "\"tracePoint\\\\\"\s:\s\\\\\"(?<tracePoint>[^\\\]+)" | rex "\"correlationId\\\\\"\s:\s\\\\\"(?<correlationId>[^\\\]+)" |search app="project1" OR app="project2" OR app="project3" OR app="project4" |where tracePoint="EXCEPTION" |chart count(app) over app by dc(correlationId) Query 2:  index=dev | rex "\"tracePoint\\\\\"\s:\s\\\\\"(?<tracePoint>[^\\\]+)" | rex "\"correlationId\\\\\"\s:\s\\\\\"(?<correlationId>[^\\\]+)" |search app="project1" OR app="project2" OR app="project3" OR app="project4" |where tracePoint="END" |chart count(app) over app by dc(correlationId) I tried with 'appendcols', but it is not working, can anyone help me on this.  Thanks in Advance.

Hi All We have a distributed environment (no cluster). Splunk Enterprise Version 8.1.3 Is there a way to create a dashboard for all search peers (indexers), where I can see there CPU, Memory and Disk Usage?

Hi Splunk team, I would like to receive your dedicated help.  I have a string field, the field's structure is name_timestamp.  The name contains underscores between words, after the name, there is another underscore. Finally, there is a full date. for example: this_is_an_example_09_13_2021. My goal is to extract the name from this field. for this example, I would like to receive this_is_an_example.  Is it possible? Thanks in advance! 

So I'm trying to change a token when i click a button. Tried it like this: require([ 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/tableview', 'splunkjs/mvc/simplexml/ready!' ], function ( $,mvc,TableView) { var tokens = mvc.Components.get('default'); var sub_tok = mvc.Components.get("submitted"); $(document).on("click","#testbtn",function(){ tokens.set("btnClick", "Click"); sub_tok.set("btnClick", "Click"); }); }); And like this: require([ 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/tableview', 'splunkjs/mvc/simplexml/ready!' ], function ( $,mvc,TableView) { var tokens = mvc.Components.get('default'); var sub_tok = mvc.Components.get("submitted"); $("#testbtn").on("click",function(){ tokens.set("btnClick", "Click"); sub_tok.set("btnClick", "Click"); }); }); But its not working. When i try the code in jsFiddle it works as intended. (leaving out the splunk stuff) It's just a jQuery click event, so I don't know what I'm doing wrong. Further more when I try the whole think with a slider, it works. require([ 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/tableview', 'splunkjs/mvc/simplexml/ready!' ], function ( $,mvc,TableView) { var tokens = mvc.Components.get('default'); var sub_tok = mvc.Components.get("submitted"); $("#slider-range").on("input change", function () { tokens.set("slider_value", $(this).val()); sub_tok.set("slider_value", $(this).val()); }); });  Here ist the xml code: <dashboard script="testscript.js" theme="dark"> <label></label> <fieldset submitButton="false"> <html> <label>Slider</label> <input type="range" id="slider_input" value="10" min="0" max="20" step="1"/> <button id="testbtn">ghfhfhfhfh</button> </html> </fieldset> <row> <panel> <title>$slider_value$____$btnClick$</title> <table> <search> <query>|makeresults | eval slider_value=$slider_value$</query> <earliest>-1h@h</earliest> <latest>now</latest> </search> <option name="refresh.display">progressbar</option> </table> </panel> </row> </dashboard> I there is a simple solution to this and thanks in advance.