Hello, How can I improve on my Splunk query so that only one event is counted over a 30-day span where we have 500,000,000 events matched? This is the query I have so far:     | tstats count WHERE (index=<my_index> sourcetype=json_data earliest=-30d latest=-0h) BY _time span=1mon, host, address, server     This query returns approximately 600,000,000 events, but I only need to count just one of these unique events at the host-level. Since I'm using the tstats command first to retrieve data, I made sure that indeces exist on _time, host, address, and server. My problem here is that Splunk first retreives all of the matching events and then it removes the duplicates. Is there a way to just retreive unique events by host, address, and server? For example, a host could have the following events over the past 30 days: _time host address server 2021-07-13 12:55:08 testenv1 10.10.10.10 store1 2021-07-13 12:55:08 testenv1 10.10.10.10 store1 2021-07-13 12:55:08 testenv1 10.10.10.10 store1 2021-07-13 12:55:08 testenv2 10.10.10.11 store2 2021-07-13 12:55:08  testenv2 10.10.10.11 store2 2021-07-13 12:55:08  testenv2 10.10.10.11 store2   And I want my query to do this: _time host address server 2021-07 testenv1 10.10.10.10 store1 2021-07  testenv2 10.10.10.11 store2   This is just a sample of my data. In several cases, we have unique hosts that repeat 20,000 times over a hour time span. I need my Splunk query to display this record just once, without having to retreive all other 20,000 events. I also tried to use disctinct_counts like this, but this still retrieves all of the duplicated events under the Events tab:     | tstats distinct_count WHERE (index=<my_index> sourcetype=json_data earliest=-30d latest=-0h) BY _time span=1mon, host, address, server     I've browsed multiple Splunk threads and I'm just stumped. Thank you.

All of the .splunkrc-examples out there show, how to specify user and password (unencrypted!) in the file, but our Splunk-administrators here issue authorization-tokens instead. Can those be specified in the file and/or on command-line, or does the current code not support that?

I am just wondering if others are running into this same issues. I find that some of my sourcetypes mysteriously just stop for a while. They start up again eventually, but we don't really want huge delays in our data.   The azure:aad:signin sourcetype seems to give me the most trouble. Sometimes it may stop for a few hours - but then will immediately provide data if I bounce the input. During this time, I am not even getting debug logs for "source=*ta_ms_aad_MS_AAD_signins.log."   Most recently when I had an issue I noticed a "HTTPError: 504 Server Error: Gateway Timeout for url" for my aad_risk_detection ingest, so I do suspect network issues play a part in the problem. However, that really doesn't address what is happening to the retries...   Microsoft Azure Add-on for Splunk 3.1.1 Splunk Enterprise 8.0.5

Hi,   I was wondering if I could do two things. I am new to splunk so please have mercy on me. I am looking for a query that will search inside a mailbox and look for a certain subject. Once it find that subject I would like to extract the recipients to a csv file for the last 40 days. Is this possible?  

Hello,  This is the query that I am working on. Its showing multiple time entries. How do we get it to filter down to single entry? (index=xyz source=abc) SMF30JBN=MC2DC03D SMF30JNM=JOB* SMF30STP=5 | table DATETIME SMF30JBN SMF30STP SMF30JNM SMF30STM   Thank you, Chinmay.

Greetings Splunkers, I have a dashboard that "broke" over the weekend. When I run any of the dashboard searches I see errors of: Unexpected status for to fetch REST endpoint uri=https://127.0.0.1:8089/services/storage/investigation/investigation?count=0&all=true&earliest=-700d&latest=-2d&output_mode=xml from server=https://127.0.0.1:8089 - Bad Request Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/storage/investigation/investigation?count=0&all=true&earliest=-700d&latest=-2d&output_mode=xml from server https://127.0.0.1:8089. Check that the URI path provided exists in the REST API. Learn More The REST request on the endpoint URI /services/storage/investigation/investigation?count=0&all=true&earliest=-700d&latest=-2d&output_mode=xml returned HTTP 'status not OK': code=400, Bad Request.   Looking up similar questions here leads me to believe that it might be an issue with the REST api path for investigations. Does anyone know if there is a different path for investigations for ES 6.0.2? I am sure I am missing something simple so don't be afraid to "barney" style this.  Other questions: https://community.splunk.com/t5/Splunk-Enterprise-Security/Why-do-we-get-errors-on-the-REST-command-in-the-Investigation/m-p/470951

Hello all, has anybody a running solution to integrate splunk alerts with Zabbix? I already tried this app (https://splunkbase.splunk.com/app/5272/#/details) but there is no description how the search should look like respectively the way it is descriped does not work as expected. Kind Regards, Peter

Unexpected status for to fetch REST endpoint uri=https://127.0.0.1:8089/services/storage/investigation/investigation?count=0&all=true&earliest=-700d&latest=now&output_mode=xml from server=https://127.0.0.1:8089 - Bad Request I'm having an issue with understanding and fixing my REST API. It has worked previously and there's no upgrade that I'm aware of. If I modify the above search from "latest=now" to "latest=-3d" the data returns fine. No new data is being written to this URI. Yesterday "latest=-2d" returned data today it does not. I'm probably not explaining this well but to me it appears that somewhere in the last few days this API URI broke. Any assistance would be appreciated. 

I am trying to get our Add-on that was developed for standalone Splunk to work in a SHC environment. The Add-on takes input from the user in a setup view and saves the configuration values via the REST API using the Splunk JS SDK.  I am able to replicate  our sa_our_app.conf by adding this stanza in server.conf: [shclustering] conf_replication_include.sa_our_app = true We are able to replicate the setup view in the UI across the search  head members. The Add-on also uses a custom REST endpoint during setup to write the modular alert html (stored in /data/ui/alert).  Is there a way to replicate this html across all members of the SHC?

Hello there. I noticed lately (in a kinda painful way ) that if the time field is present in json sent to a HEC collector endpoint, the timestamp is not getting parsed from the message. But since the documentation differs between 8.0 and 7.x in this regard (https://docs.splunk.com/Documentation/Splunk/7.3.9/Data/HECRESTendpoints - doesn't say a word about timestamp parsing whereas 8.0.0 gives whole paragraph about optional parameter affecting the parsing) - does anyone know whether the 7.x versions behaved the same way? I mean - did the timestamp parsing in 7.x also wasn't performed at all if the time field was present? Did the behaviour changed or was it simply that the docs were supplemented?

Good morning, all! I am trying to fill in a table based on if an IP address is in a lookup. I have a lookup table called "IPAddresses.csv" with the addresses in a column called "value", and a field in the event called addr. I want to fill a cell in a table with "In IP List" or "Not in IP List" something like this: IPAddresses.csv value Hostname 192.168.1.1 Host A 192.168.1.3 Host B 192.168.1.5 Host C 192.168.1.7 Host D   Splunk Table In IP Addresses addr In List 192.168.1.1 Not In List 192.168.1.2 In List 192.168.1.3 Not In List 192.168.1.4   I have a very immature Splunk knowledge base, so I am not even sure where to start. I would assume that it would require an eval if match statement in conjunction with a lookup, but I am not sure how to join the two. Any help would be greatly appreciated! Thank you!

Hello My client company uses Splunk and Cybereason. At first, I used the Cybereason For Splunk app 1.1.0. modified the cybereason_rest_client.py file as below. self.session = requests.session() self.session.verify = False Cybereason For Splunk 1.3.0 was released recently, upgrading the app. ERROR occurs in $SPLUNK_HOME/var/log/splunk/cybereason path with modularinput.log and restclient.log. -- modularinput.log ERROR -- 2021-07-13 15:02:21, 354 log_level=ERROR pid=11744 tid=MainThread file="cybereason.py" function="run" line_number="182" version="CybereasonForSplunk.v.1.3.0" Traceback: Traceback (most recent call last): File "/splunk/splunk_test/splunk/etc/apps/CybereasonForSplunk/bin/cybereason.py", line 138, in run events = cyb.get_time_bound_malops(earliest=chk["last_time"], latest=now) File "/splunk/splunk_test/splunk/etc/apps/CybereasonForSplunk/bin/cybereason_rest_client.py", line 420, in get_time_bound_malops raise e File "/splunk/splunk_test/splunk/etc/apps/CybereasonForSplunk/bin/cybereason_rest_client.py", line 358, in get_time_bound_malops severity_dict = self._get_mapped_serverities(earliest, latest) File "/splunk/splunk_test/splunk/etc/apps/CybereasonForSplunk/bin/cybereason_rest_client.py", line 680, in _get_mapped_serverities raise Exception(ret.content) Exception: b'<!DOCTYPE html><html><head><title>Error report</title></head><body><h1>HTTP Status 404 - Not Found</h1></body></html>' 2021-07-13 15:02:21, 354 log_level=ERROR pid=11744 tid=MainThread file="cybereason.py" line_number="181" version="CybereasonForSplunk.v.1.3.0" message=b'<!DOCTYPE html><html><head><title>Error report</title></head><body><h1>HTTP Status 404 - Not Found</h1></body></html>'" filename="cybereason.py" exception_line="138" input="cybereason://cybereason" section="malops" -- restclient.log ERROR -- 2021-07-13 15:02:21, 354 log_level=ERROR pid=11744 tid=MainThread file="cybereason_rest_client.py" function="get_time_bound_malops" line_number="419" version="CybereasonForSplunk.v.1.3.0" message="b'<!DOCTYPE html><html><head><title>Error report</title></head><body><h1>HTTP Status 404 - Not Found</h1></body></html>'" exception_type="Exception" exception_arguments="b'<DOCTYPE html><html><head><title>Error report</title></head><body><h1>HTTP Status 404 - Not Found</h1></body></html>'" exception_type="Exception" exception_arguments="b'<!DOCTYPE html><html><head><title>Error report</title></head><body><h1>HTTP Status 404 - Not Found</h1></body></html>'" filename="cybereason_rest_client.py" line="358" section="get_time_bound_malops" Where is the problem? Thanks

Hello folks,   I encountered a problem when trying to filter events from WinEventLog and EventCode 4662.  When I use the next regex in a tester or in a SPL with a data set unfiltered, it works fine. But using it in a blacklist only allows a fraction of the messages when "Default Property Set" is in the first row after Properties.   blacklist9 = EventCode="4662" Message="(Tipo\sde\sobjeto:(?!\s*groupPolicyContainer))[\s\S]*(Propiedades:(?![\s\S]*Default Property Set))" I tried some changes to the regex but I do not find a solution for this. Thanks for your time.

I want to map multiple value field to one single value field. Ex: COL1     |     COL2 VAL1     |     Val11                       Val12 VAL2     |     Val21                       Val22                      Val23 And the output I want is: COL1     |     COL2 VAL1     |     Val11,VAL12 VAL1     |     Val21,VAL22,VAL23  

Hi All I have a bar chart generated using a timechart command I want to increase the width of the bar column they seem to be very thin I have tried using the below setting as well still not working changed the value to 5 as well <option name="charting.chart.columnStyle.width">1</option> This setting was also giving me a validation warning