Hi, I'm trying to find whether a lookup file is available or not. If yes, I want to use the same file; if not, I want to use a different file. So far, with some help, I've written the query below. The eval fileName if condition is working fine, and in the stats I could see the correct results (the desired files I'm looking for). But I'm wondering whether I could use the filename in makeresults and search for the lookup file. Could someone please assist? Thanks in advance.

index=main sourcetype="dummySource" events
| stats by EventCode
| append [ | inputlookup states.csv | stats count as isAvailable ]
| stats sum(isAvailable) as available, values(EventCode) as EventCode
| eval fileName = if(available > 0, "1.csv", "2.csv")
| stats values(available) as available values(EventCode) as EventCode by fileName
| join type=left fileName [| inputlookup [ | makeresults | eval search=fileName | table search ]]
Hi, I'm trying to build a search query for the Unexpected Host Sending a Large Amount of Email, in which I need to exclude the vcp public wifi (anything coming from a 172 host).

| tstats `summariesonly` count from datamodel=Network_Traffic where All_Traffic.app=*smtp* `unexpected_host_sending_a_large_amount_of_email_filter` NOT All_Traffic.dest=167.228.0.0/16 by All_Traffic.src All_Traffic.dest All_Traffic.src_category _time span=1h
| rename All_Traffic.* as *
| bin _time span=1d as day
| eventstats dc(day) as day_count by src
|

How do I edit the search accordingly? Thanks.
Hi, I have adjusted one of the FWs to be CIM compliant. I have 2 types of action parameters: one called "Action" that contains 100% of the values, and one called "action" that contains 3% of the values. I created a query in the calculated fields that should translate all the values in the Action field to the strings allowed and blocked, as they are supposed to be in the Network Traffic Data Model. Link: https://docs.splunk.com/Documentation/CIM/5.1.1/User/NetworkTraffic

The query is:

case(like('Action',"%alert%"),"allowed",like('Action',"%allow%"),"allowed",like('Action',"%drop%"),"blocked",like('Action',"%reset-both%"),"blocked",like('Action',"%block-url%"),"blocked",like('Action',"%deny%"),"blocked")

It works when I query this on the SPL command line; however, it does not work when it runs as a calculated field. Is someone familiar with this issue? I would really appreciate your help.
Hello, I'm new to the Splunk community. How do I create a dropdown with strings retrieved from a CSV file, separated by commas? This CSV file contains a bunch of different values. For example, in this image, each one needs to be shown in a dropdown. How do I do this?
I am using a JS script in a dashboard. But after each refresh of the web page or after a restart of the Splunk server, the script is not launched. I need to refresh the search that is using the JS script or click the "edit" button of the dashboard to see the modification made by the script. I tried several methods such as "document.ready", but nothing works. Has anyone encountered the same problem or have an idea how to resolve it? Thanks in advance!
There are many accounts with different roles that often use the backend management system to query user information. Now, I need to use Splunk to search for accounts that frequently query user information. Example events are as follows:

_time=2022-12-01T10:00:01.000Z, account_id=1, query user infomation.
_time=2022-12-01T10:00:02.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:03.000Z, account_id=1, query user infomation.
_time=2022-12-01T10:00:07.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:09.000Z, account_id=1, query user infomation.
_time=2022-12-01T10:00:11.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:12.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:13.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:14.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:22.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:01:27.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:00:27.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:30.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:33.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:34.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:36.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:01:37.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:01:39.000Z, account_id=1, query user infomation.
_time=2022-12-01T10:01:45.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:01:47.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:01:55.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:01:59.000Z, account_id=3, query user infomation.

We can obtain the average time frequency of queries by calculating the sum of the time intervals between each query for each account, and then dividing it by the number of queries.
account_id=1: account 1 has queried 4 times and the total time interval is 2+6+30=38 seconds, so the average query time frequency is 38 seconds/3 times = 12.66 seconds/time.

account_id=2: account 2 has queried 12 times and the total time interval is 4+3+1+1+1+8+5+3+1+1+2=38 seconds, so the average query time frequency is 30 seconds/11 times = 2.72 seconds/time.

account_id=3: account 3 has queried 6 times and the total time interval is 10+8+2+8+4=32 seconds, so the average query time frequency is 32 seconds/5 times = 6.4 seconds/time.

Now, I want to find accounts with a query interval below 5 seconds. By manual calculation, we can see that the average query interval time for account_id=2 is 2.72s, so it may have exhibited abnormal behavior. It's possible that account 2 used an automation tool to crawl user information in the backend, given its short query intervals. So how do I use SPL statements to search for abnormal accounts with an average query interval of less than 5 seconds, and to calculate the total number of queries and the average interval for each account?
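The per-account interval calculation described in this post, as an added Python example that is not part of the original post: it parses the posted events (embedded below as constructed sample text), sorts each account's queries by time before taking the gaps (the posted list is not strictly time-ordered), and reports the query count, total gap, mean gap and which accounts fall under the 5-second threshold. Function names are my own.

```python
"""Flag accounts whose mean gap between 'query user information' events is short.

Added example, not part of the original post. The event text below is the
post's sample, embedded as constructed input; function names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_EVENTS = """\
_time=2022-12-01T10:00:01.000Z, account_id=1, query user infomation.
_time=2022-12-01T10:00:02.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:03.000Z, account_id=1, query user infomation.
_time=2022-12-01T10:00:07.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:09.000Z, account_id=1, query user infomation.
_time=2022-12-01T10:00:11.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:12.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:13.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:14.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:22.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:01:27.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:00:27.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:30.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:33.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:34.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:00:36.000Z, account_id=2, query user infomation.
_time=2022-12-01T10:01:37.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:01:39.000Z, account_id=1, query user infomation.
_time=2022-12-01T10:01:45.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:01:47.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:01:55.000Z, account_id=3, query user infomation.
_time=2022-12-01T10:01:59.000Z, account_id=3, query user infomation.
"""

EVENT_RE = re.compile(r"_time=(?P<ts>\S+?),\s*account_id=(?P<acct>\d+)")
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_events(text):
    """Return (account_id, timestamp) pairs; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        events.append((m.group("acct"), datetime.strptime(m.group("ts"), TS_FORMAT)))
    return events


def account_stats(events):
    """Per account: query_count, interval_count, total_interval_s, avg_interval_s.

    Timestamps are sorted per account first, because the gaps are between
    consecutive queries and the raw event list is not in time order.
    An account with a single query has no interval, so its average is None.
    """
    by_account = defaultdict(list)
    for acct, ts in events:
        by_account[acct].append(ts)

    stats = {}
    for acct, times in by_account.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        total = sum(gaps)
        stats[acct] = {
            "query_count": len(times),
            "interval_count": len(gaps),
            "total_interval_s": total,
            "avg_interval_s": total / len(gaps) if gaps else None,
        }
    return stats


def flag_accounts(stats, threshold_s=5.0):
    """Accounts whose mean inter-query gap is below the threshold, sorted."""
    return sorted(
        acct for acct, s in stats.items()
        if s["avg_interval_s"] is not None and s["avg_interval_s"] < threshold_s
    )


if __name__ == "__main__":
    stats = account_stats(parse_events(SAMPLE_EVENTS))
    for acct in sorted(stats):
        s = stats[acct]
        avg = "n/a" if s["avg_interval_s"] is None else f"{s['avg_interval_s']:.2f}s"
        print(f"account {acct}: {s['query_count']} queries, "
              f"total gap {s['total_interval_s']:.0f}s, mean gap {avg}")
    print("flagged (< 5s):", flag_accounts(stats))
```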
Hi Team, We have created a Splunk XML dashboard for our infrastructure monitoring. Below is a snippet regarding the dashboard. I am able to see the graphs related to CPU information, RAM information, File count and Storage Consumption information. But our colleagues are not able to see the information, and below is the snippet related to the same dashboard for them. Below is the sample XML code for this dashboard which we have used.

<row>
  <panel id="chart_width">
    <title></title>
    <!-- Display results as a table. Uses an -->
    <!-- inline search, equivalent to the <searchName> -->
    <!-- specified for the other panels -->
    <html>
      <H1 style="text-align:center;background-color:#0080ff;">Daily Monitoring Dashboard</H1>
    </html>
    <html>
      <style>
        .dashboard-row .dashboard-panel h2.panel-title{ font-size: 20px !important; }
        #chart_width{ width:30% !important; }
      </style>
    </html>
    <chart>
      <search>
        <query>index= app_events_dwh2_de_int *(*Error*) | eval status="Error"| fields + status | append [ search index= app_events_dwh2_de_int *(*Success*) | eval status="Success" | fields + status ] | append [ search index= app_events_dwh2_de_int *(*Wait*) | eval status="Wait" | fields + status ] | append [ search index= app_events_dwh2_de_int *(*Running*) | eval status="Running" | fields + status ] | stats count by status</query>
        <earliest>$Daily Monitoring Dashboard.earliest$</earliest>
        <latest>$Daily Monitoring Dashboard.latest$</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
      <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisTitleY2.visibility">visible</option>
      <option name="charting.axisX.abbreviation">none</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.abbreviation">none</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.axisY2.abbreviation">none</option>
      <option name="charting.axisY2.enabled">0</option>
      <option name="charting.axisY2.scale">inherit</option>
      <option name="charting.backgroundColor">#ffffff</option>
      <option name="charting.chart">pie</option>
      <option name="charting.chart.bubbleMaximumSize">100</option>
      <option name="charting.chart.bubbleMinimumSize">60</option>
      <option name="charting.chart.bubbleSizeBy">area</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.showDataLabels">all</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">none</option>
      <option name="charting.fieldColors">{"Success": 0x009900, "Error": 0xFF0000, "Wait": 0xFF9900, "Running": 0x0047AB}</option>
      <option name="charting.fontColor">black</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.mode">standard</option>
      <option name="charting.legend.placement">none</option>
      <option name="charting.lineWidth">2</option>
      <option name="height">125</option>
      <option name="refresh.display">progressbar</option>
      <option name="trellis.enabled">0</option>
      <option name="trellis.scales.shared">1</option>
      <option name="trellis.size">small</option>
      <option name="trellis.splitBy">_aggregation</option>
    </chart>
    <html>
      <H1 style="text-align:center;background-color:#0080ff;">Stats Table</H1>
    </html>
    <html>
      <style>
      </style>
    </html>
    <table>
      <search>
        <query>index= app_events_dwh2_de_int *(*Error*) | eval status="Error"| fields + status | append [ search index= app_events_dwh2_de_int *(*Success*) | eval status="Success" | fields + status ] | append [ search index= app_events_dwh2_de_int *(*Wait*) | eval status="Wait" | fields + status ] | append [ search index= app_events_dwh2_de_int *(*Running*) | eval status="Running" | fields + status ] | stats count by status</query>
        <earliest>$Stats Table.earliest$</earliest>
        <latest>$Stats Table.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="status">
        <colorPalette type="map">{"Success":#FFFFFF,"Running":#FFFFFF,"Wait":#FFFFFF,"Error":#FFFFFF}</colorPalette>
      </format>
      <format type="number" field="status"></format>
      <format type="color" field="count">
        <colorPalette type="minMidMax" maxColor="#FFFFFF" minColor="#FFFFFF"></colorPalette>
        <scale type="minMidMax"></scale>
      </format>
    </table>
  </panel>
  <panel id="CPU_Information">
    <html>
      <H1 style="text-align:center;background-color:#0080ff;">CPU Information (In Percentage)</H1>
    </html>
    <html>
      <style>
        #CPU_Information{ height: 25px; }
        #CPU_Information{ width:35% !important; }
      </style>
    </html>
    <chart>
      <search>
        <query>index="app_events_dwh2_de_int" _raw=*cpu* | rex ": %utilization\",.+:\"(?&lt;CPU_Utilization&gt;[\d\.]+)" | rex max_match=0 ":\\\\\"(?&lt;TIME&gt;\d\d:\d\d:\d\d)" | chart Values(CPU_Utilization) over TIME</query>
        <earliest>$Infra Time Select.earliest$</earliest>
        <latest>$Infra Time Select.latest$</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
      <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisTitleY2.visibility">visible</option>
      <option name="charting.axisX.abbreviation">none</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.abbreviation">none</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.axisY2.abbreviation">none</option>
      <option name="charting.axisY2.enabled">0</option>
      <option name="charting.axisY2.scale">inherit</option>
      <option name="charting.backgroundColor">#FFFFFF</option>
      <option name="charting.chart">line</option>
      <option name="charting.chart.bubbleMaximumSize">50</option>
      <option name="charting.chart.bubbleMinimumSize">10</option>
      <option name="charting.chart.bubbleSizeBy">area</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.showDataLabels">none</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">none</option>
      <option name="charting.fontColor">#000000</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.mode">standard</option>
      <option name="charting.legend.placement">right</option>
      <option name="charting.lineWidth">2</option>
      <option name="height">125</option>
      <option name="refresh.display">progressbar</option>
      <option name="trellis.enabled">0</option>
      <option name="trellis.scales.shared">1</option>
      <option name="trellis.size">medium</option>
    </chart>
    <html>
      <H1 style="text-align:center;background-color:#0080ff;">RAM Information (in KB)</H1>
    </html>
    <chart>
      <search>
        <query>index="app_events_dwh2_de_int" _raw=*kbswpused* | rex max_match=0 "\\\\\\\\\\\\\"kbswpused\\\\\\\\\\\\\":\d*\\\\\\\\\\\\\"(?&lt;Swap_used&gt;[^\\\]+)" | rex max_match=0 ":\\\\\"(?&lt;TIME&gt;\d\d:\d\d:\d\d)" | eval Swap_Used(GB)=round(Swap_Used/1024/1024,3) | chart Values(Swap_Used(GB)) over TIME</query>
        <earliest>$Infra Time Select.earliest$</earliest>
        <latest>$Infra Time Select.latest$</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
      <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisTitleY2.visibility">visible</option>
      <option name="charting.axisX.abbreviation">none</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.abbreviation">none</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.axisY2.abbreviation">none</option>
      <option name="charting.axisY2.enabled">0</option>
      <option name="charting.axisY2.scale">inherit</option>
      <option name="charting.backgroundColor">#FFFFFF</option>
      <option name="charting.chart">line</option>
      <option name="charting.chart.bubbleMaximumSize">50</option>
      <option name="charting.chart.bubbleMinimumSize">10</option>
      <option name="charting.chart.bubbleSizeBy">area</option>
      <option name="charting.chart.nullValueMode">connect</option>
      <option name="charting.chart.showDataLabels">none</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">stacked</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">none</option>
      <option name="charting.fieldColors">{"Success": 0x009900, "Error": 0xFF0000, "Wait": 0xFF9900, "Running": 0x0047AB}</option>
      <option name="charting.fontColor">#000000</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.mode">standard</option>
      <option name="charting.legend.placement">right</option>
      <option name="charting.lineWidth">2</option>
      <option name="height">231</option>
      <option name="refresh.display">progressbar</option>
      <option name="trellis.enabled">0</option>
      <option name="trellis.scales.shared">1</option>
      <option name="trellis.size">medium</option>
    </chart>
  </panel>
  <panel id="File_Information">
    <html>
      <H1 style="text-align:center;background-color:#0080ff;">FILE Count(in thousands)</H1>
      <style>
        #File_Information{ height:25px !important; }
        #File_Information{ width:35% !important; }
      </style>
    </html>
    <chart>
      <search>
        <query>index="app_events_dwh2_de_int" _raw=*File_count* | rex max_match=0 "\\\\\\\\\\\\\"File_count\\\\\\\\\\\\\":d*\\\\\\\\\\\\\"(?&lt;File_Count&gt;[^\\\]+)" | stats latest(File_Count) as File_Count | chart Values(File_Count)</query>
        <earliest>$FileCount and Storage.earliest$</earliest>
        <latest>$FileCount and Storage.latest$</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
      <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisTitleY2.visibility">visible</option>
      <option name="charting.axisX.abbreviation">none</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.abbreviation">none</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.axisY2.abbreviation">none</option>
      <option name="charting.axisY2.enabled">0</option>
      <option name="charting.axisY2.scale">inherit</option>
      <option name="charting.backgroundColor">#ffffff</option>
      <option name="charting.chart">fillerGauge</option>
      <option name="charting.chart.bubbleMaximumSize">50</option>
      <option name="charting.chart.bubbleMinimumSize">10</option>
      <option name="charting.chart.bubbleSizeBy">area</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.showDataLabels">all</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.fieldColors">{"Success": 0x009900, "Error": 0xFF0000, "Wait": 0xFF9900, "Running": 0x0047AB}</option>
      <option name="charting.fontColor">black</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.mode">standard</option>
      <option name="charting.legend.placement">right</option>
      <option name="charting.lineWidth">2</option>
      <option name="height">145</option>
      <option name="refresh.display">progressbar</option>
      <option name="trellis.enabled">0</option>
      <option name="trellis.scales.shared">1</option>
      <option name="trellis.size">small</option>
      <option name="trellis.splitBy">_aggregation</option>
    </chart>
    <html>
      <H1 style="text-align:center;background-color:#0080ff;">Storage Consumption (in GB)</H1>
    </html>
    <chart>
      <search>
        <query>index="app_events_dwh2_de_int" _raw=*File_Count* | rex max_match=0 "\\\\\\\\\\\\\"CONTENT_SIZE\\\\\\\\\\\\\":\d*\\\\\\\\\\\\\"(?&lt;Storage&gt;[^\\\]+)" | stats latest(Storage) as Storage | chart Values(Storage)</query>
        <earliest>$FileCount and Storage.earliest$</earliest>
        <latest>$FileCount and Storage.latest$</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
      <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisTitleY2.visibility">visible</option>
      <option name="charting.axisX.abbreviation">none</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.abbreviation">none</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.axisY2.abbreviation">none</option>
      <option name="charting.axisY2.enabled">0</option>
      <option name="charting.axisY2.scale">inherit</option>
      <option name="charting.backgroundColor">#FFFFFF</option>
      <option name="charting.chart">radialGauge</option>
      <option name="charting.chart.bubbleMaximumSize">50</option>
      <option name="charting.chart.bubbleMinimumSize">10</option>
      <option name="charting.chart.bubbleSizeBy">area</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.showDataLabels">none</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">stacked</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.fieldColors">{"Success": 0x009900, "Error": 0xFF0000, "Wait": 0xFF9900, "Running": 0x0047AB}</option>
      <option name="charting.fontColor">#000000</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.mode">standard</option>
      <option name="charting.legend.placement">right</option>
      <option name="charting.lineWidth">2</option>
      <option name="height">253</option>
      <option name="refresh.display">progressbar</option>
      <option name="trellis.enabled">0</option>
      <option name="trellis.scales.shared">1</option>
      <option name="trellis.size">medium</option>
    </chart>
  </panel>
</row>

I request you to kindly look into this and do the needful.
Is DDAS storage calculated based on compressed data or uncompressed data in Splunk Cloud?
For one Splunk performance issue, the following was mentioned to us: "We have a wait time of 57ms on the Search Head and a wait time of 25ms on the indexer. A wait time of maximum 10ms is good for proper processing in Splunk. This could be the reason for the storage performance issue."

Could someone please let us know whether there is a parameter which denotes wait time on search heads and indexers? If yes, please provide us some insight on what that parameter is and details about it.
Can we create a custom dashboard for monitoring the top 10 queries for multiple applications in AppDynamics? To have visibility of the top 10 queries, my monitoring team has to go to the queries section of the database every time. It would be of great help if we could have a single dashboard where we have that visibility for all of our monitored applications.
Hello Splunk experts, I am encountering strange behaviour when using mvzip on fields extracted using xpath commands. I have provided a toy dataset below that mimics my XML events. I expect mvzip to combine the values in nickname and title pairwise. However, the search below creates only one pair, and that too with the "wrong" set of values; the second value from nickname is combined with the first value from title. The other pair is not combined at all.

| makeresults
| eval _raw="<foo><bar nickname=\"spock\" title=\"commander\"></bar></foo><foo><bar nickname=\"scotty\" title=\"engineer\"></bar></foo>"
| xpath outfield=nickname "//foo/bar/@nickname" field=_raw
| xpath outfield=title "//foo/bar/@title" field=_raw
| eval zipped=mvzip(nickname, title, "|")

When I use the same syntax on fields extracted via regular expressions, the output is correct. So, I'm suspecting that mvzip doesn't play nice with multivalue fields extracted using xpath. Can anyone confirm if this is a bug or if I'm doing something wrong? I am running Splunk 8.1.3 in case anyone knows if this has been addressed in a later release.
Hi All, Could someone please provide steps to configure Active MQ logs into Splunk in the existing environment? Thanks in advance.
Hello Splunkers. I need your help in creating a search that would count the number of values for a field in a month and then compare it to a 3-month average of the same results. Thanks.
Dear Splunker, I need your help in creating custom results to include in a report and output them in a table for statistics. Here are the data:

Thanks in advance.
Hi all, I have an issue with the logs I am receiving from Proofpoint. The issue is that I am receiving logs with either (from) or (to) field, but they are never associated together. This is due to the fact that every time an email is sent or received, it goes to quarantine in Proofpoint to be scanned, and is then sent to the recipient. This is an issue for me because I can't see the sender and receiver for each email. I have reached out to Proofpoint but they said there's nothing we can do. I am receiving the logs through syslog, is there anything that I can change or edit to receive the logs with both fields?
Hello Splunkers, I need your help in creating a search to count the number of alerts by month that would fit in a column chart. Thanks.
Hello, I am looking to create a Boolean logic validation checker for a match. I am attempting to use makeresults in a subsearch to create a field with a string I am looking for. Then I am using search to attempt to look for the newly created event, but it doesn't seem to be working.

index= test [|makeresults count=1 | eval index=test | eval command="ping 8.8.8.8" | table command] | search ping AND 8
I have a lookup table bsm_string_new_overheat_records.csv:

_time | overheat_location | start_CCU_AMBI_TEMP | start_time_secs | end_CCU_AMBI_TEMP | end_time_secs | overheat_duration_minutes
2023-06-10 11:41:44 | A10 | 29 | 1686421604 | 23 | 1686422504 | 15
2023-06-10 11:42:44 | A10 | 29 | 1686413444 | 23 | 1686422564 | 152
2023-06-10 11:43:44 | A10 | 29 | 1686412844 | 23 | 1686422624 | 163
2023-06-10 11:44:44 | A10 | 29 | 1686413984 | 23 | 1686422684 | 145
2023-06-10 11:45:44 | A10 | 29 | 1686420584 | 23 | 1686422744 | 36

I also have an `index=="battery_data" sourcetype="battery_field_data"` that contains the battery data. From this, I can compute the average temperature for a location ("A10"), with start_time_secs (1686421604) and end_time_secs (1686422504). Here is an example:

index="battery_data" sourcetype="battery_field_data"
| rex field=Tag "^(?P<CCU_location>\w+)_BQMS\.\1\.((BMS_\1_(?P<tag_suffix>.*))|(MU(?P<MU_number>\d+)\.BMS_\1_MU\6_UNIT(?P<UNIT_number>\d+)_(?P<tag_type>.*)))"
| where CCU_location=="A10"
| eval start_time_secs=1686421604, end_time_secs=1686422504
| where (tag_suffix == "CCU_AMBI_TEMP") AND (start_time_secs <= _time) AND (_time <= end_time_secs)
| eval Value=round(Value*0.1, 2)
| stats avg(Value) AS average_temperature_in_overheat latest(_time) AS _time latest(*) AS * BY CCU_location start_time_secs end_time_secs
| table _time CCU_location start_time_secs end_time_secs average_temperature_in_overheat

yielding:

_time | CCU_location | start_time_secs | end_time_secs | average_temperature_in_overheat
2023-06-10 11:39:54.971 | A10 | 1686421604 | 1686422504 | 17.45

I would like to compute the average temperature for each record in bsm_string_new_overheat_records.csv with the following query:

| inputlookup bsm_string_new_overheat_records.csv
| rename CCU_location AS overheat_location
| appendpipe [ search index="battery_data" sourcetype="battery_field_data"
    | rex field=Tag "^(?P<CCU_location>\w+)_BQMS\.\1\.((BMS_\1_(?P<tag_suffix>.*))|(MU(?P<MU_number>\d+)\.BMS_\1_MU\6_UNIT(?P<UNIT_number>\d+)_(?P<tag_type>.*)))"
    | where CCU_location==overheat_location
    | where (tag_suffix == "CCU_AMBI_TEMP") AND (start_time_secs <= _time) AND (_time <= end_time_secs)
    | eval Value=round(Value*0.1, 2)
    | stats avg(Value) AS average_temperature_in_overheat latest(_time) AS _time latest(*) AS * BY CCU_location start_time_secs end_time_secs ]
| table _time overheat_location CCU_location start_time_secs end_time_secs average_temperature_in_overheat start_CCU_AMBI_TEMP end_CCU_AMBI_TEMP overheat_duration_minutes

I'd expect one additional record of average temperature for each overheat record (5+5=10 records in total). However, here is what I got:

_time | overheat_location | CCU_location | start_time_secs | end_time_secs | average_temperature_in_overheat | start_CCU_AMBI_TEMP | end_CCU_AMBI_TEMP | overheat_duration_minutes
2023-06-10 11:41:44 | A10 | | 1686421604 | 1686422504 | | 29 | 23 | 15
2023-06-10 11:42:44 | A10 | | 1686413444 | 1686422564 | | 29 | 23 | 152
2023-06-10 11:43:44 | A10 | | 1686412844 | 1686422624 | | 29 | 23 | 163
2023-06-10 11:44:44 | A10 | | 1686413984 | 1686422684 | | 29 | 23 | 145
2023-06-10 11:45:44 | A10 | | 1686420584 | 1686422744 | | 29 | 23 | 36

None of the average temperature results is there. What's wrong with my above query?
I want to correlate across two lists and display the results. Log data:

06/10/2023 05:04:12  ACMIUY-6500-2345-20230610050412.pdf
06/10/2023 05:05:12  ACMIUY-6500-2345-20230610050412-success.csv
06/10/2023 07:14:22  DCCOUB-86895-20230610071422.pdf

Note: The data is in the same index and I don't want to use join.

mysearch | stats list(file_sent) list(file_received) list(sent_time) list(received_time)

Sent Time | File_Sent | Received Time | File_Received | Elapsed_time
06/10/2023 05:04:12 | ACMIUY-6500-2345-20230610050412.pdf | 06/10/2023 05:05:12 | ACMIUY-6500-2345-20230610050412-success.csv | 00:01:00
06/10/2023 07:14:22 | DCCOUB-86895-20230610071422.pdf | Pending | Pending | -
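The sent/received correlation this post asks for, as an added Python example that is not part of the original post: each sent file and its acknowledgement are grouped under a shared key instead of being joined, and transfers with no acknowledgement yet are reported as Pending. The key derivation (strip the ".pdf" or "-success.csv" suffix), the "Unknown" marker for an acknowledgement with no matching sent file, and the function names are my assumptions; the log lines are the post's sample, embedded as constructed input.

```python
"""Pair each sent file with its '-success.csv' acknowledgement and compute the delay.

Added example, not part of the original post. The log lines are the post's
sample, embedded as constructed input; the suffix-based key and the function
names are assumptions. Rows are grouped by key, so no join is needed.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
06/10/2023 05:04:12  ACMIUY-6500-2345-20230610050412.pdf
06/10/2023 05:05:12  ACMIUY-6500-2345-20230610050412-success.csv
06/10/2023 07:14:22 DCCOUB-86895-20230610071422.pdf
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<name>\S+)$")
TS_FORMAT = "%m/%d/%Y %H:%M:%S"
SENT_SUFFIX = ".pdf"
RECEIVED_SUFFIX = "-success.csv"


def transfer_key(name):
    """Identifier shared by a sent file and its acknowledgement, or None if neither."""
    if name.endswith(RECEIVED_SUFFIX):
        return name[: -len(RECEIVED_SUFFIX)]
    if name.endswith(SENT_SUFFIX):
        return name[: -len(SENT_SUFFIX)]
    return None


def fmt_elapsed(delta):
    """Render a timedelta as HH:MM:SS."""
    secs = int(delta.total_seconds())
    hours, rem = divmod(secs, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}"


def correlate(text):
    """One row per transfer with sent/received names and times and the elapsed time.

    A sent file without an acknowledgement shows 'Pending' and elapsed '-';
    an acknowledgement without a sent file (assumed edge case) shows 'Unknown'.
    """
    transfers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        key = transfer_key(name)
        if key is None:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        rec = transfers.setdefault(key, {"sent_time": None, "file_sent": None,
                                         "received_time": None, "file_received": None})
        if name.endswith(RECEIVED_SUFFIX):
            rec["received_time"], rec["file_received"] = ts, name
        else:
            rec["sent_time"], rec["file_sent"] = ts, name

    rows = []
    for key in sorted(transfers, key=lambda k: transfers[k]["sent_time"]
                      or transfers[k]["received_time"]):
        rec = transfers[key]
        if rec["sent_time"] and rec["received_time"]:
            elapsed = fmt_elapsed(rec["received_time"] - rec["sent_time"])
        else:
            elapsed = "-"
        rows.append({
            "sent_time": rec["sent_time"].strftime(TS_FORMAT) if rec["sent_time"] else "Unknown",
            "file_sent": rec["file_sent"] or "Unknown",
            "received_time": (rec["received_time"].strftime(TS_FORMAT)
                              if rec["received_time"] else "Pending"),
            "file_received": rec["file_received"] or "Pending",
            "elapsed_time": elapsed,
        })
    return rows


if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(" | ".join(row[c] for c in ("sent_time", "file_sent", "received_time",
                                          "file_received", "elapsed_time")))
```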
Hi Team, I have created a props for line breaking. I have tested it using the Add Data process with Set sourcetype and the Advanced option. The props below is working fine. When placing the same on the HF, it's working inconsistently. Kindly assist in fixing the same. My props is:

[ __auto__learned__ ]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3Q
MAX_TIMESTAMP_LOOKAHEAD=23
LINE_BREAKER  =([\r\n]+)
TRUNCATE=20000
TIME_PREFIX=^\"