I already have the following macro  `subnet(3)`  defined as the following:     | eval subnet = case(cidrmatch("$ip1$/24",src_ip), "$output_name$", cidrmatch("$ip2$",src_ip), "$output_name$")       If I call the macro multiple in the same search the value of the field it creates (also called subnet) will be overwritten by the latest values.   I would like to edit the macro so that calling it multiple times appends a new value to subnet.  How could I use mvappend, or another command, to accomplish this?

Hello, I am trying to create an Oracle database collector with the REST API. I don't seem to be able to get it working. The example online is of a SQL server, so I was hoping someone could please provide an example of an Oracle server JSON payload. Below is what I get if I do a GET. Also, our controller version is 4.5, so not sure if maybe that is part of the problem. The error I get is just a generic 500 Internal Server Error. { "id": 42, "version": 0, "name": "Oracle-OLTP", "nameUnique": true, "builtIn": false, "createdBy": null, "createdOn": 1531336844000, "modifiedBy": null, "modifiedOn": 1531336844000, "type": "ORACLE", "hostname": "Oracle-OLTP.domain", "useWindowsAuth": false, "username": "USER", "password": "appdynamics_redacted_password", "port": 1521, "loggingEnabled": true, "enabled": true, "excludedSchemas": [ "" ], "jdbcConnectionProperties": [], "databaseName": null, "failoverPartner": null, "connectAsSysdba": false, "useServiceName": true, "sid": "SRVC", "customConnectionString": null, "enterpriseDB": false, "useSSL": false, "enableOSMonitor": false, "hostOS": null, "useLocalWMI": false, "hostDomain": null, "hostUsername": null, "hostPassword": "", "dbInstanceIdentifier": null, "region": null, "certificateAuth": false, "removeLiterals": true, "sshPort": 0, "agentName": "Default Database Agent", "dbCyberArkEnabled": false, "dbCyberArkApplication": null, "dbCyberArkSafe": null, "dbCyberArkFolder": null, "dbCyberArkObject": null, "hwCyberArkEnabled": false, "hwCyberArkApplication": null, "hwCyberArkSafe": null, "hwCyberArkFolder": null, "hwCyberArkObject": null, "orapkiSslEnabled": false, "orasslClientAuthEnabled": false, "orasslTruststoreLoc": null, "orasslTruststoreType": null, "orasslTruststorePassword": "", "orasslKeystoreLoc": null, "orasslKeystoreType": null, "orasslKeystorePassword": "", "ldapEnabled": false, "customMetrics": null, "subConfigs": [], "jmxPort": 0 }

500 and 504 are shown here - but i'd like to condense them to one column="5xx" (same with 400, where all 4% responses would be shown under "4xx"     <panel> <table> <title>Functions Statistics by ResponseCode</title> <search base="base_search3"> <query> stats sum(count) as Count sum(S) as Success sum(F) as Failures avg(Avg_ResponseTime) as Average_ResponseTime by _time FNAME CODE | eval Availability=(Success/(Success+Failures))*100 | chart count by FNAME CODE </query> </search> <option name="count">15</option> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel>     the above is the relevant code

We are in the process of migrating a lot of hosts to report to a new deployment server. The deploymentclient.conf file was changed to reflect the IP address of the new deployment server and the hosts phones home to the new new deployment server and we verify logs coming in. Then after some time, something modifies the deploymentclient.conf file to have the hosts report back to the old deployment server. We cannot seem to figure out what is making this change. We have uninstalled and reinstalled the universal forwarder on a test client this past week and everything was fine. Then the same thing happened yesterday and the host is reporting back to the old deployment server. This is happening on some hosts, not all. The ones that do not have this problem are reporting to the same new deployment server with no problems. Any suggestions would be helpful

Hi all, I'm working on a dashboard query that preprocesses data for a | geostats command. The end goal is to pipe data between two different but similar applications. The value used to populate the field 'country' has different format between the two applications, and if it's possible to create a conditional statement that uses different values from a lookup table (or even separate lookups) in line. Caveat: I know it's possible to build a different search and used a token with the | savedsearch command to pass the correct search based on the token. I'm trying to understand if it can be done inline in my base search. The details: application A's field associated with country uses the ISO numeric country code. The search then uses a lookup table like so:  | lookup [lookup].csv NumericCountryCode as [field in search] output AlphaCountryCode This takes the numeric code and produces a 2 character ISO like 'US' or 'BR' and so on. The format of the lookup table is: AlphaCountryCode CountryCode NumericCountryCode In application B, country data comes in uppercase ISO alphabetical format, but it can be represented as either the Alpha-2 or alpha-3 (3 digit) country code. In the majority of cases, this could be solved with a substring call that reduces the length to 2. However, there are fringe cases where this approach does not work, and must be accounted for.  Example: Angola - Alpha-2 code: AO alpha-3 code: AGO.  My proposed approach is to modify the lookup table like so: AlphaCountryCode AlphaTwoCountryCode AlphaThreeCountryCode NumericCountryCode Such that I can access both of these values and return the correct format (AlphaTwoCountryCode). Is it possible to handle this inline with the same lookup table? The pseudo code would be something like this: if(len(countryCode)==2), lower(countryCode) and return the countryCode. Else if(len(countryCode)==3), | lookup [lookup].csv AlphaThreeCountryCode as countryCode output AlphaTwoCountryCode Is this an appropriate approach, and if so, how can I build the syntax of the eval statement to evaluate length and output the appropriate result? Thanks  

    <query>"$ps_fn$" |rex field=message "(?&lt;Http&gt;HttpStatus): (?&lt;status&gt;\\d+)" | eval status=(status, "4%"),"4xx" | stats count by status</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest>     I am trying to make a pie chart that shows all the 4xx errors, and then breaks them out by error - so x% was 401, y% was 402, etc. But i am getting Error in 'eval' command: The expression is malformed. Expected ). when i run this on the dashboard.

So far I think I have the syntax built out like this  index=tool OR index=tool2 OR index=tool3 | eval parta=(index=tool information, information | stats count) | eval partb=(index=tool2 information, information | stats count) | eval partc=(index=tool3 information, | stats count) | table parta partb partc Thinking this will get me totals for the separate tools, but I'm looking to get just 1 total, per week if possible. I was thinking addtotals would help, but not sure.  Any and all help would be very appreciated. 

Hi community, I have the need to store encrypted password used in a python script. I've created the app with its setup.xml page and the app is deployed on a search head cluster. The problem is that under Manage Apps I cannot see "Set Up" button and if I click on "Launch App" I get 404 - not found.   This is my setup.xml file   <setup> <block title="New Crdential" endpoint="storage/passwords" entity="_new"> <input field="name"> <label>Username</label> <type>text</type> </input> <input field="password"> <label>Password</label> <type>password</type> </input> </block> </setup>     This is my app.conf file:   [install] is_configured = 0 [ui] is_visible = 1 label = my app [launcher] author = Marta Benedetti description = my app version = 1.0.0     Any idea?   Thanks a lot Marta