Hello Splunk Commnity! I have a customer that have two different Splunk Licenses: Perpetual and Term License in separated Splunk environments.  It could be possible to merge two license in one single environment?, the customer year after year is renewing the Splunk Support for both licenses. In this environment there is no special Splunk products as ITSI or ES.  The main idea is install both licenses in one license master to merge the environments in just one. Thanks in advance for your response, regards. 

I am running a query like this     index=main source=transferstatus sourcetype=logs transaction.transferSet.FileName="*myfile*" | stats dc(transaction.Id) by transaction.Id     this gives me the unique transaction Ids that i am looking for  Now i want to pass this unique transaction Ids to a query like below     index=main source=transferstatus sourcetype=logs transaction.action="success" transaction.Id=[ pass each unique value i got from first query to here]     transaction.action="success" will not present on the first query results.. it will be part of success events that wont have "transaction.transferSet.FileName" field in it. how do I join these two queries?            

Hello everyone,  I have been trying to move data from my old 6.3.2 splunk to the new 8.1.3 splunk which is empty.   I tried to first do a search "*" and downloaded everything which is 16gb. I then used the new splunk web gui monitor import which did take all the data, but it only had one host, source, and source type. The original splunk had 3 index names, 2 hosts sending data, and many sources and source types. How can i move the data so that search results show the same as it did in the original splunk? Is there a way to export everything to match exactly? I am having a hard time determining how to move these items. Both the new and old splunk have 1 search head, 2 indexers, and one master. I am not familair in how I can copy the index folder method either. Hopefully someone can guide me in how I can move the data in place keeping all the hosts, source, sourcetypes, etc. Thanks

Hi Everyone, I am trying to write a query that will allow me to use my notable_events table, display the time the notable opened and the time it was closed. Looking through the forums I found: |eval _time=strftime(_time,"%Y/%m/%d %T") |eval review_time=strftime(review_time,"%Y/%m/%d %T") |eval assign_time = case(isnotnull(owner), _time) | eval close_time = case(status=5, review_time) |stats min(_time) as notable_time min(assign_time) as assign_time min(close_time) as close_time by AlertTitle,owner  But that isn't quite working as it returns 0 results.

Hi Splunkers, Long time listener, first time caller. I am trying to figure out how to make a dashboard based on a monthly vulnerability scan.  Our previous implementation was using relative dates to generate a dashboard, but that was highly dependent on everything going right.  I copy/pasted my way to a mostly-working dashboard from this community. Hoping I can get some help to get the rest of the way there.  The new implementation uses a ScanID from the report.csv.  My dashboard has a drop-down which doesn't let me select anything, but automatically selects the latest scanID (and dynamically assigns the previous month's ScanIDs for comparison/trendlines). I'd like to be able to use the drop down to review last month's report as well though.  Examples:  ScanID's: This month: 999999 Last month: 888888 Previous Month: 777777 etc. So as it stands the dashboard automatically performs a search and assigns the following tokens:  <set token="Scan1">$result.row 1$</set> <set token="Scan2">$result.row 2$</set> <set token="Scan3">$result.row 3$</set> <set token="Scan4">$result.row 4$</set> I'd like to be able to click the drop-down and select ScanID 888888 and have it automatically assign the token to "Scan1", and dynamically set "Scan2" to ScanID 777777 and so on.  Hope I've explained it well enough. Below is my sample (anonymized dashboard xml/source). Thanks in advance!     <form theme="dark"> <label>dropdown dashboard</label> <fieldset submitButton="false" autoRun="true"> <input type="dropdown" token="Scan1" searchWhenChanged="true"> <label>Select a Report</label> <search> <query>index="fakeindex" | dedup ScanID | table ScanID | head 6 | sort - ScanID | transpose </query> <earliest>-6mon@mon</earliest> <latest>now</latest> <done> <set token="Scan1">$result.row 1$</set> <set token="Scan2">$result.row 2$</set> <set token="Scan3">$result.row 3$</set> <set token="Scan4">$result.row 4$</set> </done> </search> </input> </fieldset> <row> <panel> <title>Panel for Debugging Token:</title> <html> Upercase $ScanX$ <div>This Month: $Scan1$</div> <div>Last Month: $Scan2$</div> <div>Prev Month: $Scan3$</div> </html> </panel> </row>     [example search that required multiple scanID's]       <single> <search> <query>index="fakeindex" sourcetype=fakesourcetype ScanID=$Scan2$ NOT [ search index="fakeindex" sourcetype=fakesourcetype ScanID=$Scan3$ | stats count by somevalue | table somevalue] | dedup somevalue ScanID | stats count(somevalue) as EVENTS | eval period="Last Month" | append [ search index="fakeindex" sourcetype=fakesourcetype ScanID=$Scan1$ NOT [ search index="fakeindex" sourcetype=fakesourcetype ScanID=$Scan2$ | stats count by somevalue | table somevalue] | dedup somevalue ScanID | stats count(somevalue) as EVENTS | eval period="This Month" ] | fields EVENTS period _time</query> <earliest>-6mos@mos</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="colorBy">trend</option> <option name="colorMode">none</option> <option name="drilldown">none</option> <option name="numberPrecision">0</option> <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option> <option name="rangeValues">[0,30,70,100]</option> <option name="refresh.display">progressbar</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> <option name="trendColorInterpretation">inverse</option> <option name="trendDisplayMode">absolute</option> <option name="underLabel">New</option> <option name="unitPosition">before</option> <option name="useColors">1</option> <option name="useThousandSeparators">1</option> </single>      

Hello, I am doing a fundamentals course lab and cannot figure out what to search in order to get a list of "all web application events where a file was successfully served to the user". Can anyone help steer me in the right direction? Any help would be greatly appreciated. 

I am using snmp to poll interface stats from a device, which is only returning total packets received on interface, I am polling every 60 seconds.  Is there any way in dashboard to take the difference between those values and then divide by 60t to get packets per second and display this value in dashboard?  (<event1 value> -  event2 value>)/60. Dashboard would need to do this for each event coming in.

I want to use splunk webhook future to send the fired alerts/events to another third party system. the third party rest api needs authentication.  So I have given the weebhook url as https:.//username:password@url, but its not sending the trigged alerts to this url. Cannot we give username/password in the url? how to debug or check why splunk is not able to send trigged alerts?

I want to fetch the results from triggered alerts  from time T1 to T2. Tried passing the earliest_time or earliest query params but it didn't work. Can someone please let me how to pass the time filter params to the following rest apis https://splunk1:8089/servicesNS/nobody/-/alerts/fired_alerts/-?output_mode=json   https://splunk1:8089//servicesNS/nobody/-/search/jobs/scheduler__admin__SplunkEnterpriseSecuritySuite__RMD5123456_at_1623704400_52981/results?count=0&output_mode=json