Hello, I need a help with using wildcards in lookup.  I want to exclude from search results fields, which are located in lookup. Example: Search: host=*  | search NOT [| inputlookup test_lookup.csv] Lookup test_lookup.csv containts two fields: exe,comm /usr/sbin/useradd,*   I need to exclude all results which include exe="/usr/sbin/useradd" and any *comm* field. I added WILCARD(comm) in lookup definitions, but it doesn't work. transforms.conf [test_lookup.csv] batch_index_query = 0 case_sensitive_match = 1 filename = test_lookup match_type = WILDCARD(comm)   What I did wrong? Thank you.

I have an index = 'telemetry' which gets data from a local directory on standalone Splunk installation. I deleted some data from above index which came in from particular directory using command index='telemetry'  source="/data/01/*" | delete The above index has still more data from other sources (e.g. "/data/02" ..) I want to re-index the data from deleted directory i.e. "/data/01" again. Running splunk clean eventdata involves deleting entire index. I want to wipe from disk only that part of data that has been deleted above so that I can re-index it back. How can I achieve this?  

Hi, I'm facing an error where all my scheduled searches are triggered, there no logs showing any error while trying to send the email, BUT I did not receive any email. My splunk emailing system is integrated with AWS SES and I'm able to send (and receive) email using 'sendemail' command from the splunk search which tells me that the SES credentials are correct.  Below are the logs showing that no errors while trying to send email. Thanks! 2021-08-11 22:56:01,898 +0000 INFO sendemail:139 - Sending email. subject="|prod-us-west-2| SplunkAlert: TSD SES Email Alert Test ", results_link="https://aws-prod-west-splunk.tscloudservice.com/app/TsdApp/@go?sid=scheduler__admin__TsdApp__RMD5cd8884db53568853_at_1628722560_51987_FDE004B7-D863-4836-AC24-BFAEBA400C09", recipients="[u'muhammad.mufthi@example.com']", server="email-smtp.us-west-2.amazonaws.com"

I need to restrict my Splunk instance to be only accessible on localhost. To do this, I created a new web.conf file and put it in /opt/splunk/etc/system/local. The file as the following contents: [settings] server.socket_host = 127.0.0.1 When I restart splunk, I get the following: Waiting for web server at http://[random char]:8000 to be available........... Rather than seeing 127.0.0.1, I see random characters. It just sits there. What am I missing in the config file?  

I was able to build a large dashboard with 10+ panels using the loadjob command spanning the last day of any triggered results.  However, I am now looking to built the same dashboard where each panel will span a week (7-days) of any triggered results. Loadjob was the only command that minimized loading of each panel.  Is there anyway to use loadjob, or a similar command, that shows a timechart spanning 7-days? For example: | loadjob savedsearch=tech123:Residential:"name of enabled alert" artifact_offset=0 | timechart span=1d count by incident_type But I've tried using earliest=-7d in every  possible spot and I've used the time picker, but I haven't found a resolution yet... any thoughts or ideas or solutions?

Hey Everyone, I wanted to see if anyone could help me with correlation searches firing and creating a notable event on the Incident Review page  but then not producing the same 1 for 1 match when I run the search manually. What I did was  look at a specific correlation search that fired in the Incident Review page over the last 24 hrs. I then took that search and ran it in a new search with the 24 hr time frame picker. The notable events said that 77 events for that correlation search existed but the search results would return either a 0 or varying numbers if let it finish and ran over and over a few times (none of them being 77). I made sure it wasn't a count issue where an event had multiple counts that in total added up to the total number but was only shown as one row. The issue seems to be the data models. I run the searches from the index(s) and get vastly different numbers than the Incident Review page which is vastly different than the data model correlation search. Does anyone have any ideas on why I'm not getting a 1=1=1 match between the Incident Review, correlation search with data models, and the raw index searches? Any and all help/insight is greatly appreciated!

By default, when you chart by '_time', the major ticks displayed over a multiple week time span always uses Mondays in the major tick labels.  Since I am allowing people to select individual days of the week for week over week comparisons, it would be nice to show the selected day of the week as the major tick label. Is there a charting control variable that can be used for this? thanks in advance, Bob Eubanks In the attached screen shot, the user has selected 'Fridays' for comparison, yet the chart uses Mondays as the major tick label.

I'm running a tiny proof-of-concept Splunk environment across 2 VMs. SE is on VM1 (Ubuntu 20.04), version 8.1.1. The universal forwarder is on VM2 (Ubuntu 20.04) and is sending the Splunk_TA_nix add-on metric data back just fine. I have installed/configured version 7.3 of the Splunk Stream Add-On for Stream Forwarders on the universal forwarder and installed the Splunk Stream App on the SE VM, also version 7.3.  On the forwarder there are the following conf files in /opt/splunkforwarder/etc/apps/Splunk_TA_stream/local: ----inputs.conf---- splunk_stream_app_location = https://10.0.2.15:8000/en-us/custom/splunk_app_stream/ stream_forwarder_id =  disabled = 0 --------------------------- ----streamfwd.conf---- port = 8889 ipAddr = 127.0.0.1 ---------------------------- I can't get the network stream data from the forwarder into the SE search/reporting app, or the SE Stream app. The /opt/splunkforwarder/var/log/splunk/streamfwd.log is the only thing from the stream add-on on the forwarder that will place any data in SE at all and includes an error that says: (CaptureServer.cpp:2211) stream.CaptureServer - unable to ping server (<longerrorcode>): Unable to establish connection to 10.0.2.15: wrong version number 8.1 should be compatible with the 7.3 installs of either stream app. Additionally I haven't seen anything mandating a specified version number anywhere.  Things I have tried: I can successfully ping SE at https://10.0.2.15:8000. Tried modifying the .conf files in apps/default on the forwarder, which the docs say you're not supposed to do. Didn't work. Tried all manner of switching port numbers in the .conf files. Restarted many, many times.  I am out of ideas. Someone please help?