Hi, I have an use case where I have an if condition involving multiple comparisons. Based on its outcome, I  want to re-assign values in multiple fields. Consider below example: My fields are: A1, B1, C1, A2, B2, C2 and few other fields I have an if condition and when it is true to assign value as below and if false do nothing: A1=A2 B1=B2 C1=C2   Now my query is, right now if I want to do this, I would have to write 3 different eval commands like below doing exact same comparisons: | eval A1=if(<condition>, A2, A1)  | eval B1=if(<condition>, B2, B1)  | eval C1=if(<condition>, C2, C1)    Is there a way so that if I only use if once and when true, all three fields would get assigned value in one go. If there is a way, in terms of performance is above still better, I would be running this for more than hundred thousand records ?

Hi I install rss app on splunk   https://splunkbase.splunk.com/app/278/ https://splunkbase.splunk.com/app/2646/ FYI: seems not compatible with splunk version 8, i am using splunk version 8 After installation completed, when I open app i’ve got this error: 2021-07-22 16:37:00,416 INFO [60f95f64637f60d7ebff50] startup:139 - Splunk appserver version=8.0.4 build=767223ac207f isFree=False isTrial=False 2021-07-22 16:37:00,646 WARNING [60f95f64637f60d7ebff50] appnav:404 - An unknown view name "home" is referenced in the navigation definition for "rssjava". 2021-07-22 16:37:00,647 WARNING [60f95f64637f60d7ebff50] appnav:404 - An unknown view name "hosts" is referenced in the navigation definition for "rssjava". 2021-07-22 16:37:00,647 WARNING [60f95f64637f60d7ebff50] appnav:404 - An unknown view name "metrics" is referenced in the navigation definition for "rssjava". 2021-07-22 16:37:00,648 WARNING [60f95f64637f60d7ebff50] appnav:404 - An unknown view name "settings" is referenced in the navigation definition for "rssjava". 2021-07-22 16:37:00,653 INFO [60f95f64637f60d7ebff50] error:321 - Masking the original 404 message: 'Splunk cannot find the "None" view.' with 'Page not found!' for security reasons   any idea?  Thanks 

Hi I have the following JSON object. I would like to be able to ultimately create a bar chart with the following:   X-Axis: Animal type ie dog, cat, chicken..... Y-Axis: The length of animal's array, this example, dog=2 cat=3 chicken=1     { "data": { "animals": { "dog": [{"name": "rex", "id": 1}, {"name": "tom", "id": 2}], "cat": [{"name": "rex", "id": 3}, {"name": "tom", "id": 4}, {"name": "sam", "id": 5}], "chicken": [{"name": "rex", "id": 6}] } } }       I'm new to Splunk so apologies but I'm not sure where to even begin   Thanks in advance for any help

Hi Guys, I have a requirement where I need to monitor some URLs for healthCheckapi using splunk. Tried creating a input like the one below in a Website Monitoring app: [web_ping://PROD - SERVER_NAME APP_NAME] host = SERVER NAME index = prod_website_monitoring interval = 15m title = PROD - SERVER_NAME APP_NAME url = http://server:8092/api/healthCheckapi but it is not working. I am getting an error Cannot GET /healthCheckapi which suggests that this need to use POST instead of GET request. Can someone help me with the inputs? Thanks,

Hi All, I am trying to understand if the standard integration to ServiceNow method would also include the tags assigned to the AppD entity. I have read the docs and KB but cannot find if that is the case? Regards, Ray.

I'm searching for the updated Business Value webinar.  Unfortunately, the link for session by Doug May is no longer available, even if you register with an acceptable business email. The session addressed: How your peers are messaging the business value of Splunk software in their companies How free and easy-to-use tools can help you document your Splunk business value How to speed adoption, increase business impact, and highlight your efforts Any suggestions on related webinars?

If I run the below query for last 7 days, and if there is no data in logs matching condition index=abc "searchTerm" for day1, then the results are showing for day2 to day7. But I want a row in resultset for day1 as well, if no data then with TotalResults as 0 for day1. index=abc "searchTerm"  | bucket _time span=1d | stats count as TotalResults by _time | makecontinuous _time | fillnull TotalResults Please help  

Hi, I'm reviewing the documentation of signal fx api, and the get chart by id api will give a lot of chart properties also with programText. /api/charts/latest#endpoint-get-chart-using-chart-id And I'm wondering if signal fx provides some ways that we can use these properties and the data we fetched by execute the programText to generate a chart, or will signal fx provide some ways to export the chart in html/image format, or will it provide framework like splunk js stack so we can easily bring what we want to our web apps. Thanks!

hi phantom team, I have a simple use case to rename a filename in vault. As its immutable, I copied the contents to vault temp dir and renamed it there. And before adding the renamed file into vault, I did vault delete for existing vault id. Still I get aka : [ old name , new name] in vault info for new file added to vault. And strange thing is it gets the same vault id. Thanks, Sunil

Hey Everyone,  I am trying to search for a field to see how much a customer is spending but there is a letter in front of it. e.g. "cost" : "C1000" showing they spent $1000.  So for example I want to search when the user spends between C1000 and C20000.  is there a way to remove the C and search the numbers of the result? this is what I have so far index="silverprod" source=*finance* ("Lambda" "Payload") NOT (lambda-warmer) *topup*  

The env is a search head cluster with 3 search heads.  Whenever I need to add a new transforms-extract, or a new props-extract, I need to modify the file /opt/splunk/etc/apps/search/local/props.conf, copy it over to all search heads, and then do a rolling restart. The copy part isn't a problem (just run a script), but the rolling restart is disruptive to the production environment and every time it causes a long wait. Is there a smoother way to  modify props.conf and transforms.conf and replicate their contents in a search head cluster environment?

I have two data sources (Syslog and Netflow) which I am collecting on a dedicated host, where I have installed a Universal Forwarder. It is acting as an intermediate forwarder.  I have to route this data to Indexers of two different organisations on their respective indexes. E.g OrgA Syslog needs to go to index=syslog_A Netflow needs to go to index=netflow_A Indexer is IndexerA:9997 OrgB Same Syslog as above needs to go to index=syslog_B Same Netflow as above needs to go to index=netflow_B Indexer is IndexerB:9997 MyOrg Only Splunk internal logs to IndexerMyOrg Because this routing is based on metadata, I believe, I should be able to achieve this using universal forwarder. Can someone please advise how I can achieve this ?  

Good afternoon,  I can't make sense of why I can't extract a definition from a particular csv.  I doublechecked permissions and verified that all of my columns are appearing via | inputlookup file.csv | table loopback, device the output recognizes both the custom device data as well as loopback but if I attempt to table the info "device" is not recognized.  index=index "syslog message" | rex field=_raw "peer (?<neighbor>\d+.\d+.\d+.\d+.)" | dedup neighbor | lookup xo-access-loopback loopback as neighbor output device | table device, neighbor I get neighbor output but not device.  csv looks like -  Any ideas? device loopback routername x.x.x.x