Hello, I follow the Splunk Fundamentals 1 and have installed Splunk 8.2.1 as a local instance (Windows 10). The lab 4 material is composed of 3 files that have to be uploaded on splunk in an admin session. I follow the instructions and that seems to be working ok, but I don't see the indexed datas neither on the admin or power session after. I tried to change the time span of the search results, to search in my datasets (empty in both sessions), nothing appears. I reuploaded the material and while saving a cvs file it seems the file was already there (from the first upload). But again, no results and no datas appear to have been indexed/ingested into splunk after. Has anyone any idea to fix that or ever encountered this problem? Thanks a lot folks!

created a query with data  in table as Name , app_status, Job_status. Both app_status and job_status has Success and Failed statuses as per conditional. What to change text color to red for failed and green for Success, I tried couple the format text changes the background color instead text color. Thank you  

Hi there, First of all, thank you for any comment. I am looking for a way to identify if I have any index missing across databases in my environment. So, I am logging in Splunk all indexes I have across the environment and the results looks like as following:     [ { "indexrelname":" index_1", "table":" tb_1", "database":"db_a" }, { "indexrelname":" index_2", "table":" tb_2", "database":"db_a" }, { "indexrelname":" index_1", "table":" tb_1", "database":"db_b" }, { "indexrelname":" index_2", "table":" tb_2", "database":"db_b" }, { "indexrelname":" index_1", "table":" tb_1", "database":"db_c" }, Missing index_2 tb_2 here... ]     So, as an example I would like to find the missing index "index_2" on  the table "tb_2" on database "db_c".  The result would be a table of missing index: database | table | indexrelname  db_c         |  tb_2  | index_2 Does anyone able to  help ?

Hello , I would really appreciate  your help in creating a splunk search query to find out the anomaly over size from individual indexes .There are 50+ indexes logging to splunk and I want some kind of alerting to notify if any of those index get sudden surge in logging from the normal trend.      

I have two different searches running against 2 different indexes to pull in realtime syslog data and enrich it with snmp polling data, like circuit information etc.  My first search is looking for a specific syslog text and returning with all necessary results, while my second search is doing the exact same thing but does not show any stats.  Each one of these searches and sub searches function individually so I don't understand why one works and not the other. The only ostensible change in either search are the explicit syslog text queries and manual evals to push into the table so I can't make sense of why it's failing. Any ideas or recommendations? first example - (working) syslog text - <28>Jun 29 18:22:25 DEVICE mib2d[2775]: SNMP_TRAP_LINK_DOWN: , ifAdminStatus up(1), ifOperStatus down(2), ifName ge-5/0/3 index=syslog "ifOperStatus down" | rex field=_raw "ifName (?<ifDescr>.+)" | eval deviceName = host | eval TriggerDescription = message | eval Environment="prod" | eval SourceEventID = "" | eval AlarmType = "Router" | eval Domain = "XO" | eval SourceSystem = "NI Splunk" | eval SendtoNOC = "Y" | eval EventStatus = "NEW" | eval ProductName = "XO" | eval ElementType = "Device" | eval TriggerUnitsofMeasure = "" | eval KPIMeasure = "" | eval CaseDescription = "Backbone Interface Down" | eval StateCode = "XO" | eval Severity = "Major" | lookup xo-cili-lookup device as deviceName output cili as NEID | eval Port = ifDescr | eval TriggerType = "Interface Down" | eval Cause = TriggerType | eval DeviceClli = NEID | eval Vendor = "Juniper" | eval model=case(match(deviceName, "MCR*|CIR*|mcr*|cir*"), "MX960", match(deviceName, "CTR*|ctr*"), "MX2020", match(deviceName, "RCA*|RCB*|rca*|rcb*"), "PTX5000", match(deviceName, "LCA*|LCB*|lca*|lcb*"), "PTX3000") | eval DeviceModel = model | join deviceName, ifDescr [search index=SNMP ifDescr=ae* OR ifDescr=et-* OR ifDescr=xe-* OR ifDescr=ge-* AND ifAlias=*bone* | eval no_circuitid="" | rex field=ifAlias ":(?<circuitID>\d+\s?\/[^\/]+[^\/]+\/[^\/]+\/[^\/|\:|\s]+)" | eval circuitID=coalesce(circuitID, no_circuitid) | eval AID = circuitID | eval AlarmKey = deviceName." ".ifAlias." Down" | stats latest(ifAlias) as ifAlias values latest(_time) as LatestAlertedTS, earliest(_time) as FirstAlertedTS by AlarmKey,deviceName, ifDescr, AID,circuitID] | table Environment,AlarmKey,FirstAlertedTS, LatestAlertedTS,EventStatus,deviceName,ifDescr,NEID,AID,circuitID,Port, Severity, TriggerType,TriggerDescription,Cause, DeviceClli, Vendor, DeviceModel, SourceEventID, SourceSystem, Domain,ProductName, ElementType, TriggerUnitsofMeasure, KPIMeasure, CaseDescription, SendtoNOC, StateCode, AlarmType Collapse | dedup AlarmKey Second example (not working) Syslog text - <28>Jun 29 18:56:38 DEVICE lfmd[17284]: LFMD_3AH_THRESHOLD_EVENT: Threshold event happened for ifd et-8/0/8(snmpid 525): index=SYSLOG LFMD_3AH_THRESHOLD_EVENT | rex field=_raw "event happened for ifd (?<ifDescr>\S+)\(snmpid" | rare host | eval deviceName = upper(host) | eval TriggerDescription = message | eval Environment="prod" | eval SourceEventID = "" | eval AlarmType = "Router" | eval Domain = "XO" | eval SourceSystem = "NI Splunk" | eval SendtoNOC = "Y" | eval EventStatus = "NEW" | eval ProductName = "XO" | eval ElementType = "Device" | eval TriggerUnitsofMeasure = "" | eval KPIMeasure = "" | eval CaseDescription = "Backbone Interface Errors" | eval StateCode = "XO" | eval Severity = "Major" | lookup xo-cili-lookup device as deviceName output cili as NEID | eval Port = ifDescr | eval TriggerType = "PCS Errors" | eval Cause = TriggerType | eval DeviceClli = NEID | eval Vendor = "Juniper" | eval model=case(match(deviceName, "MCR*|CIR*|mcr*|cir*"), "MX960", match(deviceName, "CTR*|ctr*"), "MX2020", match(deviceName, "RCA*|RCB*|rca*|rcb*"), "PTX5000", match(deviceName, "LCA*|LCB*|lca*|lcb*"), "PTX3000") | eval DeviceModel = model | join deviceName, ifDescr [search index=SNMP deviceName=RCA* OR deviceName=RCB* OR deviceName=LCA* OR deviceName=RCB* ifAlias=*bone* | eval no_circuitid="" | rex field=ifAlias ":(?<circuitID>\d+\s?\/[^\/]+[^\/]+\/[^\/]+\/[^\/|\:|\s]+)" | eval circuitID=coalesce(circuitID, no_circuitid) | eval AID = circuitID | eval AlarmKey = deviceName." ".ifAlias." PCS Errors" | stats latest(ifAlias) as ifAlias values latest(_time) as LatestAlertedTS, earliest(_time) as FirstAlertedTS by AlarmKey,deviceName, ifDescr, AID, circuitID] | table Environment,AlarmKey,FirstAlertedTS, LatestAlertedTS,EventStatus,deviceName,ifDescr,NEID,AID,circuitID,Port, Severity, TriggerType,TriggerDescription,Cause, DeviceClli, Vendor, DeviceModel, SourceEventID, SourceSystem, Domain,ProductName, ElementType, TriggerUnitsofMeasure, KPIMeasure, CaseDescription, SendtoNOC, StateCode, AlarmType Collapse  

Hi here is my dashboard, i want to populate server name in dashboard. i create token to get server name from source file, here is the source file  /data/product/customer/20210622/log.SRV21.20210622.bz2" /data/product2/customer2/20210622/log.SRVdata21.20210622.bz2" …   <form theme="dark">   <label>dashboard</label>   <fieldset submitButton="false">     <input type="time" token="tokTime" searchWhenChanged="true">       <label>Time</label>       <default>         <earliest>-1d@d</earliest>         <latest>@d</latest>       </default>     </input>     <input type="multiselect" token="tokserver">       <label>Server Name</label>       <choice value="*">all</choice>       <valuePrefix>"</valuePrefix>       <valueSuffix>"</valueSuffix>       <delimiter> OR </delimiter>       <fieldForLabel>rexOutput</fieldForLabel>       <fieldForValue>rexOutput</fieldForValue>       <search>         <query>| metadata type=sources index=main  | rex field=source "(\/\w+){4}\/(?&lt;rexOutput&gt;\w+.\w*)\S+" |search   rexOutput=$tokserver$ | dedup rexOutput | table rexOutput</query>         <earliest>-24h@h</earliest>         <latest>now</latest>       </search>       <default>*</default>     </input>     <input type="multiselect" token="toksig">       <label>Signal</label>       <choice value="*">all</choice>       <fieldForLabel>signal</fieldForLabel>       <fieldForValue>signal</fieldForValue>       <search>         <query>index="main"  signal    | search signal=$toksig$ | table _time Modules signal</query>       </search>       <default>*</default>       <delimiter> OR </delimiter>       <valuePrefix>"</valuePrefix>       <valueSuffix>"</valueSuffix>     </input>   </fieldset>   <row>     <panel>       <viz type="timeline_app.timeline">         <search>           <query>index="main"  signal  | search  source=$tokserver$  | search signal=$toksig$ | table _time Modules signal</query>           <earliest>$tokTime.earliest$</earliest>           <latest>$tokTime.latest$</latest>           <sampleRatio>1</sampleRatio>         </search>         <option name="drilldown">all</option>         <option name="height">430</option>         <option name="timeline_app.timeline.axisTimeFormat">MINUTES</option>         <option name="timeline_app.timeline.colorMode">categorical</option>         <option name="timeline_app.timeline.maxColor">#DA5C5C</option>         <option name="timeline_app.timeline.minColor">#FFE8E8</option>         <option name="timeline_app.timeline.numOfBins">6</option>         <option name="timeline_app.timeline.tooltipTimeFormat">SUBSECONDS</option>         <option name="timeline_app.timeline.useColors">1</option>         <option name="trellis.enabled">0</option>         <option name="trellis.scales.shared">1</option>         <option name="trellis.size">medium</option>       </viz>     </panel>   </row> </form>

2019-06-201 09:05:22.945,  User: XX, EType: SIGN, Filter: 000000000, EventId: SIGNATURE, Id: 028119296, UserIdType: xxx, Address: 000.000.100.100, SystemName: Neno, SId: adb155b9-b3aa-4a64-8312-33f8f41de96d, TransType: SDLN, Tid: 9200001193, UserNm: xxx aaa, UType: yyyy, UId: 67B7-xxxx-bbbb-6abr-E0B1D9B6083B, Level: BoM3, Form: MOB, IntentId: 531, Timestamp: 2019-06-29T14:05:22.954Z, ExtCode: 00, Message: null. 2019-06-21 06:30:30.107, User: YYY, EType: noSIGN, Filter: 000000000, EventId: No_SIGNATURES,Id: 00234545345-, Address: 000.111.222.005, SystemName: Neno, SId: =/=S()A.b(X(-yJrV/+do)f(Q_)uW-/6+o_v.k|3dOYc+Fh_=YOX-iDA++===, TType: CAF_dLn, TId: ThisIsAutomation, ExtCode: 00, Message: null.   I included 2 sample events. My objective is to extract "Sid" field values. The field values should contain all text between SId and ExtCode (Highlighted as Bold RED). Any help will be highly appreciated! Thank you.  

We have asked our customers to forward syslog from Netscaler Service VMS (SVMs) to our Splunk syslog servers. We have tried tracroute, sending dummy data to syslog servers, but there weren't any traffics sent out at all.  This is not related to Splunk, but I don't know if anyone encountered the same issues and there are any suggestions/workarounds. Thanks.

Hi, I'm new to ML in Splunk. As a POC I'm trying to forecast expected call volumes for a service, and then alert if we are under or over the expected volume. I'm training the model on 30 minute chunks of historic data, which goes back about 7 months. Call volumes are periodic based on both the time of day and day of week, so I'd thought I would use a period of 336 (the number of half hours in a week):   | mstats sum(_value) as call_count WHERE metric_name="myServiceCalls" span=30m@w index=my_metrics | makecontinuous _time span=30m@h | fillnull value=0 call_count | fit StateSpaceForecast "call_count" output_metadata=true holdback=1week forecast_k=2week conf_interval=50 period=336 into "service_call_count"     I am trying to experiment with using "apply" on the previous 1/2h hours of live data. Maybe "apply" is the wrong tool here.   index=myliveIndex earliest="-30m@h" latest="@h" host="p*" sourcetype="p*" "my service string" | bin _time span="30m" aligntime="@h" | stats count(_raw) AS call_count BY _time | apply "service_call_count"     The error I'm getting is (I believe) that I am not supplying 336 data points for the apply function:   Error in 'apply' command: holdback value equates to too many events being withheld (336 >= 2).     I now understand that apply expects to see an entire "period" of data, so I'm guessing this is the wrong approach for my usecase. Can anyone point me in the right direction? Really, I want to lookup the predicted range of counts for a given 1/2 hour and then alert when we're out of range.   

We have to calculate the Utilization of the system (PC\Laptop) based on the Windows events logs (4800 & 4801). 4801 --> This log denomination indicates the system has been Unlocked 4800 --> This log denomination indicates the system has been Locked The time difference between the 4801 to 4800 events is considered as Utilization period. As we are working on the Night shifts we have encountered a scenario where  we are receiving the 4801 event entry for that particular day  & 4800 entry never returns on the same day since the system will not be locked.   Hence we would need help in calculating the Utilization period for the users between 6pm to 4am. As there will be change in the date for the mentioned time frame, we are unable to calculate the Utilization for the day due to the aggregate functions. Kindly provide us your suggestions which could be possible solution.

Following produces values for a and b in Splunk 8.2.0, but in 8.0.1, values of a is empty Is there any changes in behaviour of stats latest in 8.2.0? | makeresults | eval a=1,b=2 | fields - _time | stats latest(a) as a by b