I have a field "Date" as below. However, there are some inconsistency in the date format.  How can I get the "30/1/2021" and change it to "1/30/2021" following the rest of the date format?   Date 4/16/2021 3/31/2021 2/28/2021 30/1/2021 2/13/2021

what is the quickest way to list files that exit on index. I am use this spl command usually but it take long time specially if index size is huge! index="my-index" | dedup source | table source any idea? Thanks

Hi, I would like to find out how to calculate the time difference between different events of the same asset ID (group by). My data is structured as such (see below) with no transaction IDs provided:             Asset_ID          _time                                                  Event_Status A001                  2021-01-01 00:00:00                 A A001                  2021-01-01 00:01:00                 B A001                  2021-01-01 00:07:00                 A A002                  2021-01-01 00:01:00                 B A002                  2021-01-01 00:02:00                 C A002                  2021-01-01 00:09:00                 A A002                  2021-01-01 00:11:00                 D A003                  2021-01-01 00:00:00                 B A003                  2021-01-01 00:09:00                 D ... Note: the event statuses can appear in any order time duration needs to be grouped by common asset ID for it to be meaningful It's intended that this be deployed in a live system, so event status values that aren't closed (last value for an asset) are to display the current elapsed time since that event occurred The desired output would be to compute the time duration between rows as such: 1 & 2 for Asset A001: 1min 2 & 3 for Asset A001: 6min 3 for Asset A001: running for X duration (based on current time) since 2021-01-01 00:07:00 4 & 5 for Asset A002: 1min 5 & 6 for Asset A002: 7min 6 & 7 for Asset A002: 2min 7 for Asset A002: running for X duration (based on current time) since 2021-01-01 00:11:00 8 & 9 for Asset A003: 9min 9 for Asset A003: running for X duration (based on current time) since 2021-01-01 00:09:00 ... I've previously tried experimenting using the "transaction" and "duration" functions but they don't seem to give the desired result. Any suggestions on how to resolve this would be greatly appreciated. Thanks.

Hello all, I am at a bit loss in what to do at this point. I had an indexer fail and now that my it is healthy I cannot rejoin the cluster reliably. After a reboot/restarting splunk he will join and begin syncing buckets for about 10 mins. After this he will throw errors and get stuck in a batch adding state on the indexer management page. I get this error on the master: Failed to register with cluster master reason: failed method=POST path=/services/cluster/master/peers/?output_mode=json master=:8089 rv=0 gotConnectionError=0 gotUnexpectedStatusCode=1 actual_response_code=502 expected_response_code=2xx status_line="Bad request" socket_error="No error" remote_error= [ event=ReaddPeer status=retrying AddPeerRequest: { _id= active_bundle_id=9884CA425F0224F22F37BE784337C463 add_type=ReAdd base_generation_id=0 batch_serialno=1 batch_size=4 forwarderdata_rcv_port=9997 forwarderdata_use_ssl=0 last_complete_generation_id=0 latest_bundle_id=9884CA425F0224F22F37BE784337C463 mgmt_port=8089 name=6A1C1358-0C02-4D60-B58B-EA903E3D0991 register_forwarder_address= register_replication_address= register_search_address= replication_port=8080 replication_use_ssl=0 replications= server_name= site=default splunk_version=8.0.7 splunkd_build_number=1c4f3bbe1aea status=Up } ]. The indexer in question displays the same error, along with this one. I’m not sure if it’s related.   ERROR HTTPClientRequest: caught exception while parsing HTTP Reply: string value too long value size = 531110, Maxvaluesize = 524288   i should mention I did reinstall splunk over the currently installed version as part of fixing that indexer.

Hello everyone I hope everyone is having a great day I have been bumping my head against the wall trying to select the smallest positive number from a multi-value field...   I have a SPL that looks like this: | Stats values(numbers) as NUMBERS values(KEY) as KEY by client  But the field NUMBERS may have multiple values per client and I want to select the smallest positive number and the respective KEY associated with it.... For instance I may have something like this Client           NUMBERS.    KEY NATALIE.             -7.               U                                   8.                Y                                    5.                M From the last result I will be interested in having only: Client           NUMBERS.    KEY NATALIE.             5                  M    Does anyone know how to achieve this? I will be so thankful if you guys can help me out thank you guys so much!                                                   

Hello, I have log entries that look like this: 2021-06-21 16:36:14 Error Fix Success for issue submitted by user:14 2021-06-21 16:35:22 Error Found for Users:12,13,14 2021-06-21 16:21:11 Error Fix Success for issue submitted by user:19 2021-06-21 16:20:43 Error Found for Users:15,19,22,23 2021-06-21 16:07:38 Error Fix Success for issue submitted by user:14 2021-06-21 16:05:51 Error Found for Users:12,13,14   I want to be able to get the details (users, submitted_by user, and times) and calculate the durations of errors from when they are found to when they are fixed. I am trying to do this without using transactions. Currently my search finds the duration from 16:05:51 to 16:36:14 because the two sets of events have the same information. How can I rewrite my query (below) to get two different results for the error affecting users 12, 13 and 14? My query: index=INDEX host=HOST sourcetype=SOURCETYPE | rex field=_raw "Error\sFound\sfor\sUsers:(?<users>.+)" | rex field=_raw "Error\sFix\sSuccess\sfor\sissue\ssubmitted\sby\suser:(?<submitted_by_user>\d+)" | where isnotnull(users) or isnotnull(submitted_by_user) | sort 0 +_time -users | filldown submitted_by_user users | sort 0 -_time +users | stats earliest(_raw) as earliest_raw latest(_raw) as latest_raw earliest(_time) as early_time latest(_time) as late_time by users submitted_by_user | eval submitted_by_user=if(like(latest_raw, "%Found%"), "---", submitted_by_user) | eval error_start=strftime(early_time, "%Y-%m-%d %H:%M:%S") | eval error_end=if(submitted_by_user != "---", strftime(late_time, "%Y-%m-%d %H:%M:%S"), "---") | eval duration=if(submitted_by_user != "---", tostring(late_time-early_time, "duration"), "---") | eval users_involved=split(users, ",") | eventstats count(users_involved) as user_count by earliest_raw | fields - early_time late_time | table users_involved, user_count, submitted_by_user, error_start, error_end, duration