I don't have any application, but when I'm going to create one, "Unable to create application" is shown. Is there any way for Lite users to contact the support desk? Name turing202002042221105 Global Account Name turing202002042221105_1fc24c8b-c7b0-40ec-bea8-0f07ed51eea1 Edition AppDynamics Lite Access Key   Expiration Date Never

Hi, i have been looking but cant seem to make much sense of it all. im new to splunk. im trying to create a search and alert from a csv file, the csv fiel contains Domain Admin account and i wanted to creat a search for a numbers of eventid on those domain admin accounts. index=win sourcetype=wineventlog EventCode=*the events im looking for* | inputlookup file.csv   but cant seem to make it work.   any help would be great

Hi all, I'm a Splunk beginner and I'm having a hard time getting this particular search down. My objective is to get the "Account_Name" field from 2 different event codes (4624 type 10 & 4778).  This issue is I can't figure out how to get both the 2nd instance of Account_Name for only the 4624, but the first instance of it in the 4778.  This is because windows uses the Account_Name field twice in a lot of logs, but not in some.  So I need the first Account_Name in 4778, and the second Account_Name in 4624. Here is what I have so far.  Having trouble putting in that middle piece. index=main source="WinEventLog:Security" ("eventcode=4624" AND Logon_Type=10) | eval Acct=mvindex(Account_Name,1) ***Also find "eventcode=4778" Account_Name**** | rename Acct as "Account Used on Remote Machine" | rename Client_Name as "Source Machine" | rename ComputerName as "Destination Machine" | timechart count by "Account Used on Remote Machine"  

  Hello, I have many windows machines sending logs through the agent to index = main With what query can I monitor either from a dashboard or from an alert when one of these machines stops sending logs after an interval of 24 hours? note: I don't have a deployment server  

Hello all,  I currently have the following data set, and a table will look like this: Test Iteration Results Test1 1 400 Test1 2 500 Test1 3 600 Test2 0 1000 Test2 1 500 Test2 2 1000 Test2 3 2000   We run a test several times and save the results for each time.  What I need to do is to calculate iteration 0 for the tests that don't have it (test1), which will be a median of all other iterations available. What I want to do is add a new for, with the new value:  Test Iteration Results Test1 0 500 Test1 1 400 Test1 2 500 Test1 3 600 Test2 0 1000 Test2 1 500 Test2 2 1000 Test2 3 2000   It needs to add only the iteration 0 for those tests that doesnt have it, and ignore the other cases. I've tried using appendpipe + eventstats, but It only rewrites the Iteration and Value fields: |appendpipe [ |eventstats median(Results) as Results, first(Test) as Test,  | eval iteration=0 ] I would like to get some ideas on how to do this.  Any help will be appreciated, thank you in advance. 

Hi. I am trying to run the Build a Custom Visualization tutorial from https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomVizTutorial#Tutorial_overview . But when I use "npm run build", I receive this error [webpack-cli] SyntaxError: Invalid regular expression: /(\p{Uppercase_Letter}+|\p{Lowercase_Letter}|\d)(\p{Uppercase_Letter}+)/: Invalid escape. I have been following the steps closely. I believe this may be an issue due to package versions. Any help would be appreciated. Thanks.

Need your expert advice about Splunk Ent. & Enterprise Security (ES) Backups + Disaster Recover + HA advice please. Any steps to succeed in this project specially in AWS environment is appreciated. Thank u in advance

Trying to enable startup on SLES 15.1: /opt/splunkforwarder/bin # ./splunk enable boot-start Unknown option: levels usage: chkconfig -A|--allservices (together with -l: show all services) chkconfig -t|--terse [names] (shows the links) chkconfig -e|--edit [names] (configure services) chkconfig -s|--set [name state]... (configure services) chkconfig -l|--list [--deps] [names] (shows the links) chkconfig -L|--liston [--deps] [names] (as -l, enabled in at least 1 level) chkconfig -c|--check name [state] (check state) chkconfig -a|--add [names] (runs insserv) chkconfig -d|--del [names] (runs insserv -r) chkconfig -h|--help (print usage) chkconfig -f|--force ... (call insserv with -f)chkconfig [name] same as chkconfig -t chkconfig name state... same as chkconfig -s name state chkconfig --root=<root> ... use <root> as the root file system

I am working with a stats table with 7 fields. | tstats count as "f" where a=* b=*  c=* d=* e=*  by a b c d e | stats   sum(f) as f   list(f) as f_list   max(f) as f_max   list(c) as c_list   list(d) as d_list   list(e) as e_list   by b I would like to be able to take:       b's f_max and match it to the correlating value in b_list, c_list, d_list, e_list, f_list Anyone able to provide the SPL for this type of search?

Hi All, I'm working on a search, where I currently have the following: ..base search.. | table static_name, static_time, static_title, static_owner,  static_id, static_description   Apart from static_title, static_time, static_id, the other fields are dynamic (they change as the search runs with different inputs. static_owner gets replaced by file_name, other fields like fqdn, process, event_hash etc get added to the search)   What I'm trying to achieve is that the static values, which always are present in the search, should be shown as separate fields, while dynamic fields are merged into a new, multivalued field called Combined_Field, irrespective of the new fields showing up. They should be merged into them. | table static_time, static_owner, static_id, Combined_Field (a multivalued field, comprising the values of all the dynamic fields)   ..base search.. | table static_name, static_time, static_title, static_owner,  static_id, static_description | eval Combined_Field = null() | foreach * [ eval Combined_Field=if('<<field>>'==static_time OR '<<field>>'==static_owner OR '<<field>>'==static_id, '<<field>>', mvappend('<<field>>', Combined_Field)) ] | table static_time, static_owner, static_id, Combined_Field The Combined_Field always remains empty. Could anyone check and let me know as to what am I doing wrong. Or if this can be achieved via a different approach. I've always tried doing the foreach command with case instead of if, no luck.   Thank you in advance, S

Hi Team, I have a simple requirement but unable to get it. I am using a query index=tms sourcetype=kafka type=ssh| stats count by NETYPE For above query I am getting output as below NETYPE Count CISCO 100 JUNIPER 200   However, I want output as CISCO JUNIPER 100 200   Can you please help how can I get above o/p table

Hi Splunkers.. my requirement is to keep the selection in a column chart stay highlighted unless different choice made in the same chart. I have tried  link his approach given by @niketn, I unable to identify relevant component for the chart to td or tr for highlighting. If someone already has an idea please help or aware of a chart supports these behavior selection-highlight out of the box please recommend. Thanks

Hello, I have 5 Servers. Every server has an actual count of user sessions. I want them to sum up, without loosing the trend funcion in the single value chart.  This is my actual query:     index=ascrm sourcetype=jmx NumUiSessions=* host IN (z1il0095*,z1il0096*,z1il0097*,z1il0098*) | stats latest(NumUiSessions) as latest_NumUiSessions by host | stats sum(latest_NumUiSessions) AS UISessions      Could anyone give me a clou? Best regards Benjamin