Hi, Currently I have few network devices sending logs via syslog to splunk and sourcetype is Cisco:ios  and present we are testing on only one device please guide me, what is the search string to get alert for availability and interface utilisation (for one device and more device).

Need help with a Splunk query  to display % failures for each day during the time range selected % failures = A1/A2 *100 A1= Total number of events returned by the below query: index="abc"  "searchTermForA1"   A2= Total number of events returned by the below query: index="xyz"  "searchTermForA2"   Expected Output: -------Date-------|--------A1-------------|------A2----------|-----% failures------- Separate rows in the result set for date 1-Jul, 2-Jul, 3-Jul, 4-Jul, 5-Jul, 6-Jul and 7-Jul, for time range selected as 1Jul to 7-Jul. Please help with the query. Thanks!

Dear Splunkers, can you please advise or direct my to right place on following question: we need to send notification to collaborators when any changes are done to some investigation. Is there possibility to create e.g. alert or there is a build-in functionality to notify users when someone updates investigation with their finding? Thanks in advance!

Hi. We have some IBM DB2 systems running primarily on AIX and now our Security team has tasked us with collecting the audit log in Splunk. I tried just creating an input, monitor-stanza pointing it to the right directory, but nothing, I then changed to look at subfolders, and I got some data. I have looked at the DB2 documentation, and there is a very cumbersome process described (https://www.ibm.com/docs/en/db2/11.1?topic=facility-storage-analysis-audit-logs). Does anybody have some experience collecting DB2 audit logs and how did you do it (file monitor or DB-Connect)?   Kind regards las

Hi all, I have a row of a pivot table as shown in the picture. However, is there a way to make it so that if the values are different when comparing the last four rows, it will highlight the row? If possible an even better solution would be to highlight the cell that is different AND has the least frequency number. For instance, say in the last 4 columns when looking at one row, the values are shown as '4', '4', '5', '4' - only highlight the cell that has the 5 in it because yes it is different but it also shows up the least number of times.  Any help would be hugely appreciated. Please let me know if there are any issues with seeing the image.

Hi, I am using python SDK to search with this configuration: query_kwargs = {'earliest_time': earliest, 'latest_time': latest, 'results_preview': False, 'search_mode': 'normal', 'status_buckets': 2 } job =splunk_client.jobs.create(query, **query_kwargs) As the Splunk documentation (https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtorunsearchespython/) I do the follow: while True: while not job.is_ready(): pass stats = { 'isDone': job['isDone'], 'doneProgress': job['doneProgress'], 'scanCount': job['scanCount'], 'eventCount': job['eventCount'], 'resultCount': job['resultCount'] } progress = float(stats['doneProgress'])*100 scanned = int(stats['scanCount']) matched = int(stats['eventCount']) result_count = int(stats['resultCount']) if verbose: status = ("\r%03.1f%% | %d scanned | %d matched | %d results" % (progress, scanned, matched, result_count)) sys.stdout.write(status) sys.stdout.flush() if job["isDone"] == "1": if verbose: sys.stdout.write("\n") break time.sleep(2)  Then once the job is finished I do this: offset = 0 max_event_count = 50000 total_results = [] first_50k_results = self.get_results(job, offset, max_event_count) total_results.extend(first_50k_results) while offset <= number_of_results: offset += max_event_count intermediate_result = self.get_results(job, offset, max_event_count) total_results.extend(intermediate_result) def get_results(self, job, offset, max_event_count): logger.info("collecting results,please wait . . ") results_list = [] kwargs_paginate = {"count": max_event_count, "offset": offset} for result in results.ResultsReader(job.results(**kwargs_paginate)): results_list.append(result) return results_list   The issue is that the number of events that the python search return is different from the number of events that the search in the Splunk console return. Can you please advise what I am doing wrong? Please note that I am using explicit index= in my search  

I have created remediation action to run one unix script when the health rule violation occurs as per the document but it is not working. I have given path of the script and required permission and restarted the machine agent but still not working. can someone guide me how do i achieve this.

I am running into some issues with the ServiceNow app in Phantom. When I run my playbook in our production environment, I continue to get an error stating that my parameters are blank. If I run the same playbook in our development environment and on the same event, it runs without issue. Could this be an issue with the ServiceNow app? The playbook is exactly the same as we are using a GitHub repository to commit all changes. I have tried deleting the assets, uninstalling then reinstalling the app and still have the same issue. I am attaching a screenshot of the error message presented in the debug log.

Hi, My Jenkins sends my testresults data for the same job (Automation regression tests job)  to Splunk in multiple events. For example,  Results of single search query - One event has my job details like job duration, job_start_date etc, another event has my test results details like testcasename, test status etc. Now I would like to fetch job_start_date and job_duration from one event and introduce this as new fields along with my second events. So that I can have one table with all details. These are the data I have, both these results are linked to each other through job_name. Now I would like to have job_Start_Date and job_duration for each of my test case. I tried to use Joins (this would not give me job_duration, job_Start_Date for every record in my table), eval also did not work. Is there any other command that would help in this case ? Can someone guide please.  Thanks.  

I have a dbxquery which pulls some  applicationdata which includes servername. Also I have a inputlookup which fetches the server details from my server inventory. My goal is to match the dbquery server name data with inputlookup data servername to show server status.Using the join type=left. I can see few are matching and returning the server status but others not. I tried to search servername in inputlookup which is not matching and can see the data there .Checked if any space issue but not. Kindly help on this.