Hello, we have around 1200 systems that have UF's on them.  They are a mixture of both Windows and Linux devices.  I'm curious if it's possible to use a platform like Tanium or SCCM to push the UF .MSI down to those systems to initiate the upgrade that way? Your input is GREATLY appreciated.  Thanks.

Hello guys, does someone know, whether it is possible, to do a matching of search results with previous results of the same search? I have a machine, that can enter different modes. Just for the example lets say, the machine can enter mode A, B or C. I receive an heartbeat every few seconds of hundred of these machines, which leads to a very large dataset. But I am not interested in the heartbeat, I am interested in the transition of the modes. Example: Time Machine_ID Mode 10:00:00 1 A 10:00:01 2 C 10:00:02 2 C 10:00:03 1 B 10:00:04 2 B   So what I am basically interested in here is the transition of machine 1 from mode A to B and of machine 2 from C to B.  In other words: I am searching for heartbeats, where the mode is different than the mode of the previous heartbeat of the same machine_ID. At the end, my result would look something like this _time _time_old_Mode machine_ID new_mode old_Mode 10:00:03 10:00:00 1 B A 10:00:04 10:00:02 2 B C   I have tried subsearches, but I was not sucessful. The simplified search for getting the heartbeat is currently: index="heartbeat" | rex field=_raw "......(?P<MODE>.......)"| fields _time ID MODE Performance is not crucial, as it is planned to run this at night for a summary index. Thanks in advance!  Best Regards

Hello!   Is there any information if virtual BOTS at .conf '21 would be organised for other timezones than AMER? I am mostly interested in EMEA one. I could find only one date and time and that is 1AM in here, not too convenient time to play CTFs.   Regards, Damian

I'm very stuck, how can I have a streamstats function accumulate a total and reset at 9.00am every day?  It's straightforward if I have an event at 9.00am, but if the last event was at say 8.55am, then the next event is at 9.15am, the reset occurs, however, it will continue to reset for all events which occur between 9.00am and 9.59am as the statement remains true throughout the hour below in my example. index=main | eval Hour=strftime(_time,"%H") | streamstats reset_after="("Hour==09")" sum(Result) as Total I tried to experiment with specifying the minute, but the same situation exists if the 9.00am minute does not exist. index=main | eval Hour=strftime(_time,"%H%M") | streamstats reset_after="("Hour==0900")" sum(Result) as Total I think I need to either make a lookup to create an event every 9 am for each day, but I couldn't figure that out if the time range was greater than one day. I experimented with makeresults to create an event, but this needed an append which messed up all of my other parts of the query. I think the most elegant way to do this is to have an event created for every 9 am before the query is made, but I can't figure it out, any advice/ideas are welcomed!   Dave

I get below result when use Chart count over field-A by Field-B We can see there are cell with value 0, is there any solution to replace these 0 with SPACE? Thanks. Over field value by field value1 by field value2 by field value3 by field value 4 by field value5 Total Over value 1 0 0 1 0 0 1 Over value 2 0 0 0 603 0 603 Over value 3 0 0 12 0 0 12 Over value 4 0 0 0 600 0 600

Hi, I have a firewall log in which some of the destinations do not have SNI, but I have their IPs. I want to create/extract a new field from destination to get the destination details, for example the Resolve Host or the Organization. Can someone please advise if this is possible and how? Thank you in advance.

I searched if someone had done this already but haven't found a good solution. So I wrote my own and thought I'd share it Sometimes you get some stats results which include columns that have null values in all rows. It's a typical result of | rest calls if you're trying to list some splunk objects. It's not that uncommon that out of several dozens or even hundreds of columns you get in your results, many of them are completely empty. So I thought I'd clean the results so they're easier to browse (and a bit lighter on the internet browser you're using).

I have the following SPL and I want to show table below. The value of Total must be equal to count of events (1588).  How can I pur the total count of events into Total variable? index=abc  | stats count as Count by reason_code | where reason_code != "false" | addtotals col=t labelfield=reason_code label="Retrieval task cancelled" fieldname="Percentage" | eval "Percentage"= round((Count/Total) * 100,2)."%"