Hello, In the video provided on the Splunk site, there is a portion that shows a 3D scatter plot visualization. https://www.splunk.com/en_us/resources/videos/explore-your-data.html Can you please provide the app where this can be found/ details on how to build this? Thanks  

Hello, I'm currently exploring Splunk Phantom or Splunk SOAR. When I try to create a new playbook or copy and save any existing playbook I'm getting the following error. Please advise. failed to communicate with platform component: phantom_decided   Thanks.

In my current setup, I want to forward only internal logs to Indexers in myOrg, whereas, some non-internal logs to Indexers of an external Org. Below is my current outputs.conf, however, its not working as intended. I am seeing forwarder attempting to forward non-internal logs to myOrg's indexers as well.     [tcpout] defaultGroup = Internal_indexers #disable default filters forwardedindex.0.whitelist = forwardedindex.1.blacklist = forwardedindex.2.whitelist = forwardedindex.3.whitelist = #Enable these forwardedindex.4.whitelist = (_audit|_introspection|_internal|_telemetry) [tcpout:Internal_indexers] server = index01:9997 [tcpout:OrgA_indexer] server = y.y.y.y:9997   Update: Below is inputs.conf for non-internal log [monitor://some_source.log] index = abc sourcetype = syslog _TCP_ROUTING = OrgA_indexer  

In my current setup, I am routing  some data (only non-internal indexes) from our current environment to two different Indexers outside of my Org and I dont have access to them. Is there a way to figure out what stream of data is going to which indexer ?  

Hello , I need to frame the search query for <drilldown_search> for the following type : "drilldown_search": "| from datamodel:\"Authentication\".\"Authentication\" | search src=$src|s$" Currently in my results have value for src, how Do I escape this '|s' in the query string.   Thanks, Mahalaxmi   

Hello. I have an input lookup csv file with a single column named “Domain” that has a list of domain names in that column. I would like to loop through all those domain names and check if there are any events (from multiple indexes where I don’t want to worry about finding what Splunk field matches to “domain”) that include any of the domain names from my inputlookup csv. How would I build this search? 

Hello, Here is the whole context and question: https://community.splunk.com/t5/Splunk-Search/Aggregate-query-help/m-p/560663/highlight/true#M159340 As a next step from the search query would like to showcase the result on dashboard, where from a drop down when we select a particular attribute it will show the count of total and RecordOutRange on y-axis in time span of every15min on x-axis. Thanks,

Hi @gcusello , We've been asked to upgrade our existing Splunk version(7.1.3) to 8.1. So for that we are now upgrading our apps that are not compatible with the version 8.1.x. I've started with the Symantec App. Its current version is 1.0.3 which is NOT supported by Splunk now and I seek your help to upgrade this app( I've downloaded its higher version ) but I am stuck as I don't know how to configure . Regards, Rahul Gupta   

Hi Splunkers! I currently use 3 indexers in order to ingest my data and respond to search jobs. We use ES in our deployment. My indexers' hardware is 3 DL38 G7 with 12 physical core and 128GB of RAM. The daily ingested data is 500GB/day although sometimes the ingested data was been over 1.5 TB/day! but this has happened very few times. I have problems with my ES as the correlation searches always get delayed because of the lack of CPU on my indexers. Now my company has decided to upgrade the indexers. They suggest me 2 DL560 G10 with 192 physical core and 1.5TB of RAM. That's great! Isn't it? My only concern is that in my current deployment if one of my indexers goes down I have 2 indexers to ingest data and responding to search jobs but if I replace the old servers with new servers then if one of my indexers goes down I just have one indexer. So what's your professional recommendation in my circumstances?  

Hi I am trying to search two strings in message like "Stopped successfully" and "connected" from 6 host names. Please help me am writing like below Source="WinEventlog:applicaiton" |rex "message\s(?<message>.*).*" |search host like "host1" OR host Like "host2" | search message="stopped succesfully" OR "Connected" |table _time, host, message

I have a single algorithm with 2 methods. Each method produces the same type of data but with different fields names to keep them separated. The dashboard charts depend on which method the user selects in a menu. Essentially I create interim results for both methods but desire to change the names to the field names used in the subsequent code. [Q] What is a more efficient method of performing the "Big Switch" in the run anywhere code below?   | makeresults 5 | rename comment AS "-----------------------------------------------------------------" | rename comment AS "User Menu Selection" | eval switch="A" | rename comment AS "-----------------------------------------------------------------" | rename comment AS "Algorithm element2" | eval calcMethod1_field1="1" | eval calcMethod1_field2=2 | eval calcMethod1_field3=3 | eval calcMethod1_field4=4 | eval calcMethod1_field5=5 | rename comment AS "-----------------------------------------------------------------" | rename comment AS "Algorithm element2" | eval calcMethod2_field1="1sub" | eval calcMethod2_field2="2sub" | eval calcMethod2_field3="3sub" | eval calcMethod2_field4="4sub" | eval calcMethod2_field5="5sub" | rename comment AS "-----------------------------------------------------------------" | rename comment AS " Big Switch " | rename comment AS "-----------------------------------------------------------------" | rename comment AS "This is the big switch before entering a stats command" | rename comment AS "Intent is to rename several fields depending on switch value" | eval fieldnameforstats_field1=case(switch=="A",calcMethod1_field1,switch=="B",calcMethod2_field1) | eval fieldnameforstats_field2=case(switch=="A",calcMethod1_field2,switch=="B",calcMethod2_field2) | eval fieldnameforstats_field3=case(switch=="A",calcMethod1_field3,switch=="B",calcMethod2_field3) | eval fieldnameforstats_field4=case(switch=="A",calcMethod1_field4,switch=="B",calcMethod2_field4) | eval fieldnameforstats_field5=case(switch=="A",calcMethod1_field5,switch=="B",calcMethod2_field5) | fields - _time | table fieldnameforstats_field*  

I have created a multiselect dashboard which has a City and Address. If I select ABCadd from City i can see multiple addresses in Address, but when i add another BBCadd from City which now have two selection in 1st multiselect, i can only see 1st selected City addresses but when I select ALL and search i can see both two address. I want to have both selection shown in second multiselect where i can select only wanted address. I am using csv file and inputlookup for multiselect. here is my xml.  <input type="multiselect" token="City " searchWhenChanged="true"> <label>City </label> <fieldForLabel>City </fieldForLabel> <fieldForValue>City </fieldForValue> <search> <query>|inputlookup aaa.csv | dedup City | table City </query> <earliest>-15m</earliest> <latest>now</latest> </search> <valuePrefix>"</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> OR </delimiter> <choice value="*">All</choice> </input> <input type="multiselect" token="ShopName" searchWhenChanged="true"> <label>Shop Name</label> <choice value="*">ALL</choice> <fieldForLabel>ShopName</fieldForLabel> <fieldForValue>ShopName</fieldForValue> <search> <query>|inputlookup aaa.csv | search City =$City$| dedup ShopName| table ShopName</query> <earliest>-15m</earliest> <latest>now</latest> </search> <valuePrefix>"</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> OR </delimiter> </input> <search> <query>index=*  City =$City $ ShopName=$ShopName$ |stats values(ShopName) as ShopName, count by Address</query> <earliest>$Timer.earliest$</earliest> <latest>$Timer.latest$</latest> </search>

in search, w/ rex command I can specify which field I want to apply the Regex as following example | rex field=event "My Custom regex...." But if I want to register the same regex in Field Extraction option (to have it reusable object w/ my team) I don't see any option to specify the field. I assume it register it to entire _raw as default.  Any idea if I can specify the field when I create a Field with "Field Extraction" ?

Hi All,  I have a use case to align two stacked graphs side by side. So, there are 4 columns with values for any particular date. X Axis will have the date values. There should be 2 bars for each date and each bar has 2 columns' data stacked. I hope I have made the question clear, Can someone please help.  Thanks in advance!

Hi How can I parse iso 8583 messages in Splunk? Here is the sample iso 8583 message that exist in my log: 10:10:00 Message [0200323A40010841801038000000000000000004200508050113921208050420042251320720000010000001156040800411 01251146333156336000299] I want to parse message and extract fields in it. Like this website that parse sample message https://licklider.cl/services/financial/iso8583parser/ more info: https://en.wikipedia.org/wiki/ISO_8583 http://www.lytsing.org/downloads/iso8583.pdf any idea? Thanks