Hi all, I have a multiple json files. The format is like as below. { "ID": "123", "TIME": "Jul 11, 2021, 08:55:54 AM", "STATUS": "FAIL", "DURATION": "4 hours, 32 minutes", } From these json files i want to use the DURATION field and convert the value into hours. After that i want to use these values of all the json files to plot a graph. I have used regex to extract the value, but its not working. Below is the query that i have used. | rex field=DURATION "(?<duration_hour>\d*)hours, ?(?<duration_minute>\d*)minutes" | eval DURATION=duration_hour+(duration_minute)/60 can anyone please tell me what is mistake here?

My data source can't seem to negotiate TLS v1.2.  So, I am trying to "downgrade" HEC.  But no matter how I change inputs.conf, only TLS 1.2 is supported on port 8080. In fact, default sslVersions for splunk_httpinput app is already *:       $ cat etc/apps/splunk_httpinput/default/inputs.conf [http] disabled=1 port=8088 enableSSL=1 dedicatedIoThreads=2 maxThreads = 0 maxSockets = 0 useDeploymentServer=0 # ssl settings are similar to mgmt server sslVersions=*,-ssl2 allowSslCompression=true allowSslRenegotiation=true ackIdleCleanup=true       openssl s_client can only negotiate within TLS 1.2, nothing lower.  If I use, say -tls1_1, splunkd.log shows "error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher", the same error my data source triggers.  Is there some way to "downgrade"? The data source in question is Puppet Inc's splunk_hec module used by Puppet Report Viewer (Splunk base app 4413 ).  I am testing it with Puppet Server 2.7.0. (Splunk is 8.2.0.) My colleague suspects that the Jruby version (ruby 1.9) may be too old to support TLS 1.2. (I can invoke splunk_hec report in native Ruby 2.0 successfully.) Update: JRuby version is probably the problem, although it does support TLS 1.2; the problem is (still) in cipher suites mismatch.  I used tcpdump and wireshark to analyze TLS exchange.  Puppet server sends the following:     Transport Layer Security TLSv1.2 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 223 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 219 Version: TLS 1.2 (0x0303) Random: c1221d62f8911dc203ac02cf12c7cf7a71093cd5141a0f56e7bad2429d4e1095 Session ID Length: 0 Cipher Suites Length: 12 Cipher Suites (6 suites) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)     Even adding extended ciphers illustrated in default inputs.conf, i.e.,   cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA   they still cannot match. I am unfamiliar with how Splunk represents these suites.  Is there a supported cipher suite that can match one of those sent by splunk_hec?

Hi , I have a clustered environment of Slunk setup. How can I find the all reports and alerts with email address. Actually I  need to correct the email domains again and I didn't found any correct way to check all reports with email address. Is there any search query and specific method to find out.

HI, I have configured an alert to get the email when my query gives greater than 0 search results. I am able to see the alert but if search results are 3 I am getting 3 different emails as below. In the above screenshot, we can see that all 3 different emails are triggered at the same time.  want all these results to be in one email alert. Can someone please help me with how can we get all the search results of a single alert? Also in my alert trigger conditions, I have something like  does that mean my Splunk alert expires after 24 hours? If it is so how can I change the settings to work the alert forever and if I need to stop the alert I will disable it.   Thanks in advance, Swetha. G

Hi, As mentioned in the subject, I wanted to perform a simple subtraction operation on individual values/elements within a multivalue field.  So for example, I have a MV 23 79 45 23 38 I will iterate over the items, and perform the subtraction to get the following: Iteration 1 diff = 0 (since it's the first element) Iteration 2 diff = abs(79 - 23) Iteration 3 diff = abs(45 - 79) Iteration 4 diff = abs(23 - 45) Iteration 5 diff = abs(38 - 23)   So far, here's what I did: | makeresults | eval a1="23,79,45,23,29" | makemv delim="," a1 | mvexpand a1 | eval start=0 | eval i=0 | foreach a1 [ eval tmp='<<FIELD>>' | eval diff=if(start==0, 0, "subtract_element[i+1]_with_subtract_element[i]") | eval i=i+1 | eval start=1 ] dummy query I haven't implemented the subtraction logic yet, since obviously, I am having a challenging time in doing it. I've spent almost 3 hours already experimenting, but no luck. Another weird thing (for me), which I can't explain, why the variable "i" is not incrementing even if I'm updating it within the foreach block. Hope my question makes sense, and as usual, thank you very much in advance. Any ideas are greatly appreciated

We have a number of saved searches (configured as alerts) that make use of custom search commands we wrote. It can happen that those custom commands fail to execute. This would cause the saved search to fail with an error message, which can be seen if you would run the search in the Splunk UI. We would like alerts to be triggered if this happens to the saved search. In the Alert configuration, this type of trigger is not an option.  Is there any way we can get an alert triggered when one of our saved searches fails with an error? PS: we are running our app on a multi-tenant platform, so we do not have access to the internal logs, thus we cannot run a search like: index=_internal sourcetype=scheduler status!=success | table _time search_type status user app savedsearch_name   

Hi all,  I am trying to highlight a particular column if the values in that column are no all the same. For instance, say I have a table such as the following: User  Place Version Mark London 1 Sally US 2 Will Africa 2   I would specifically like to highlight the version column red because the values are not all the same on that column (the values are not all 2) , so that it looks like this (underline = should be highlighted) User  Place Version Mark London 1 Sally US 2 Will Africa 2   I understand the first step is to turn the Version column into a multi-value field and add "RED" in each cell along that column but unsure as to how to do that. I'd imagine that logic is something like if (count(Version uniq) >1 )) then add RED. But again not sure how to implement something like that.   Any help would be hugely appreciated!

Hi Splunkers. I'm looking for a way to delete a correlation search that has been created with the wrong name (as ES doesn't let you rename them). The CS is currently disabled but I don't see a way to actually delete it. I see some previous answers here but they involve direct access to the .conf file which isn't an option in this particular environment, so looking for a way to do this from the SH. Thanks.