I have logs (Azure logs) that have two time fields, StartTime and ExpirationTime. Example: index=azure sourcetype=my_sourcetype | table StartTime ExpirationTime role user I want to take the user and see if the user had a failed login attempt in another index / sourcetype between the two time fields StartTime and ExpirationTime. Any help would be greatly appreciated.

I have a subsearch, and am trying to use the value of a field I extracted in an inner search, to check if that value exists anywhere in _raw for the results of my outer search. Current search: index=my_index  | append      [ searchindex=my_index  "RecievedFileID"     | rex field=_raw  "RecievedFileID\s(?<file_id>\w*)"      | fields file_id ]  | search file_id   I can confirm the regex is working, but cant figure out how to check _raw for any presence of the value of file_id. The logic I'm looking for on the last line is essentially | where _raw contains the value of file_id   Any assistance is appreciated.

Hi guys! I need a help with a time problem. So  my structure is the following: i have many agent installed  on Windows machine that collects some data , i have a heavy forwarder thant handles the universals and forward data to an enterprise instances.  My issue is that one of the server where the universal is installed has a time different from the other machine and from the heavy forwarder, in particular -1h .  So when i use search and alerts in real_time or in 5/10 minutes range i miss all the events related to that machine. I would like all events to take as _time the system time of the enterprise instances (index_time)  or at least the heavy forwader system time.  I tried to change the props.conf and inserting date_config = current at every level but nothing change. It's ok also to have a custom configuration that add + 1h to that specif host  as long as the _time field is alligned with other machine.   Some assumption: All the machine are in the same country, the particular machine has different clock setting and can't be changed. The event that generates the universal contain always a timestamp of the specif machine but we don't want it as _time. 

I'm looking at a very large set of data that separates transactions by product. I've performed some relatively straightforward stats commands on the aggregate data set, but now I'd like to extract a similar set of data as it relates to unique accounts.  For example, I want to look at stats related to products, but across unique accounts rather than accounts as a total to give insight into how specific accounts behave. For the purposes of this, let y be product and x be accountHash.  In a splunk query, I could extract the distinct account numbers from the data set by product doing the following:  index=index source=source sourcetype=sourcetype product=productValue  | fields product, accountHash | lookup productCode AS product OUTPUT productDescription | stats  DC(accountHash) as uniqueAccounts by productDescription What if I wanted to look at say, stats count as Volume, avg(transactionValue), etc. across unique accounts? Can I then aggregate the total by productDescription? I know that I could do something like this: index=index source=source sourcetype=sourcetype product=productValue  | fields product, accountHash | lookup productCode AS product OUTPUT productDescription | stats  count as Volume, avg(transactionValue) as avgTranValue by accountHash, product But this would give me a dataset with too many rows to be meaningful. Is it possible to create statistics by unique accountHash values, and then tie those to a product? I don't need to see the individual accountValues, but I'd like to compare statistics across the aggregate total, which would likely skew the statistics towards accounts that use their accounts the most.  Could I do something like  | stats by accountHash And then another stats command that gives me product results across distinct accounts? If the question isn't clear, let me know and I will try to rephrase.  

I'm using dashboard studio and have a geomap, I want to set the colors based on series, which I can do on a line or area using seriesColorsByField, but the documentation for map only has dataColors and seriesColors, both of which appear to be ordered, so if a value is not present the colors would shift. So how can I do similar to seriesColorsByField on a map graph?

Hello Members, Here at the company, we are going to carry out the total migration of Splunk Enterprise, which is currently in AWS Argentina, to AWS Norte Virginia. I would like to ask for some help here, which are the best practices to follow for this type of migration and/or which server do we start transferring data through, heavy forwarder, indexer, search head, deployment server? Would there be any difference depending on the order? We have a large environment. As a side note, let's take a SnapShot of the environment before starting the migration. We are studying to use CloudEndure for this job, would it be the best option?

Hello  I have a question because I'm in trouble.  `EasyVistaGeneric` "Statut" = "En service" AND ("Identifiant réseau"="IMP*" OR "Identifiant réseau"="ECR*" OR "Identifiant réseau"="PCW*") |dedup "Identifiant réseau" |eval entité=mvindex(split('Entité (complète)',"/"),0) | timechart span=1y count by entité useother=f usenull=f   I want to combine the results of  entité : "Commune de Toulon"  + "METROPOLE TPM" +" MTPM" + "Toulon" in a same field that we can named as RESULT : -> so I want to have : RESULT ="Commune de Toulon"  + "METROPOLE TPM" +" MTPM" + "Toulon"   Can you help me please ?    Thanks

Does anyone have ALERT MANAGER APP. I have the Alert Manager app 3.0.11. On the incident posture dashboard next to the alert that triggered there are options, run incident in search, edit incident, assign to me and a lightening bolt. When I select edit incident a window pops up and there is another option drop down to assign a Owner. As I pull down the drop down to select an owner all of the users names are on a white background and I can not see them unless I scroll over the white space. Does anyone know how to change the background color to black for the dropdown, so I can see usernames in the dropdown.

Our Dev Splunk instance was recently upgraded from Splunk Enterprise 8.2.2.1 to 9.0.2. I am getting the following error on our primary Search Head from python.log on splunkd restart: ERROR config:149 - [HTTP 401] Client is not authenticated Traceback (most recent call last): File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/config.py", line 147, in getServerZoneInfoNoMem return times.getServerZoneinfo() File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/times.py", line 163, in getServerZoneinfo serverStatus, serverResp = splunk.rest.simpleRequest('/search/timeparser/tz', sessionKey=sessionKey) File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 625, in simpleRequest raise splunk.AuthenticationFailed splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated I did a re-scan of everything using the newest version of the Upgrade Readiness App (off Splunkbase). Some apps did have a Python warning. I verified currently installed versions of each app (with the exception of Splunk Enterprise package-included apps like Splunk Secure Gateway and Splunk RapidDiag) and the documentation states our installed versions are compatible with Enterprise 9.0. It does not appear that any installed apps are using a deprecated version of python. I also ran the following command and verified our python version as Python 3.7.11: splunk cmd python -V After combing over known issues for the 9.0 release and other Answers threads I’ve had no luck. I don’t know if this errors is meaningful so direction would be advised. Thank you!

index=data severity IN ("critical","high","medium","low") | eval TopHost = [ search index=tenable severity IN ("critical","high","medium","low") | where len(dnsName)>0 | dedup dnsName,solution | dedup dnsName,pluginText | rex field=pluginName "^(?<VulnName>(?:\w+\s+){2})" | dedup dnsName,VulnName | top limit=1 dnsName | rename dnsName as query | fields query | head 1] | where dnsName=TopHost | table dnsName, ip   My query above works, but missing one thing. Right now it is getting the first result ( using head command ). I am trying to do first 5 results and store that to my eval variable. I tried to change head 5 but got errors. Any help is appreciated. Thanks Attached error

Hi folks,   Im looking for config of splunk in palo alto Xsoar. im running Splunk ES in Windows server 2012. and i have installed universal forwarder in Windows for log collection (Active Directory).  I would like to configure the splunk instance in palo  alto Xsoar. when i installed the API of Splunk Pycharm, im not able to connect it to splunk server( Entered correct ip address while configuring the instance, allowed inbound rule on windows splunk ES). but i cant connect. can anyone help me?   Thanks in advance.      

Can you please explain how to do partial fit on DensityFunction  I have created a lookup file for a day, say today.. it has fields src_ip, dest_ip, bytes, hod. First created a search as below: |inputlookup log_21.csv | fit DensityFunction bytes by "hod" into model1 partial_fit=true After that , i have to do partial fit for another lookup with same fields. How to do it? |inputlookup log_22.csv