I am looking for a technical understanding for detecting a "Univariate Categorical Outlier". I have used the ML Toolkit on Splunk and basically, I am trying to detect the "rare" categories which are really having low frequencies for the given variable of the dataset.  I have also followed the thread here but I couldn't find the information I am looking for. Tough I could see the links like this which discuss different methods like histogram, IQR, and ZScore for anomaly detection but couldn't find any technical overview. If anyone could help me with finding the "rare" category automatically, it will be a huge help. Because setting a static threshold like 0.05 doesn't work for all datasets. There has to be some way around like the histogram method. Please give me the sources on how splunk finds the rare categories. It is fine if you can provide me with the univariate variable only instead of the multivariate. Thanks

Hi There,    I would like to export the results of kv lookup file in a lookup editor, but the results after exporting is only 50k records, even the original results is 80k records, How to download the entire results in a single file? Thanks!

Hi all, I'm trying to  make a query  which is not working as expected could you pls help me out in raising an alert. I have a field name first_find value  "2021-06-07T09:04:09.130Z" and last_find values "2023-02-15T16:15:52.506Z"are in this format, I believe it is in UTC format, I need a search to make if first_find OR last_find matches with current date the alert should triggered. My SH is set to IST time zone would it make any impact on search ? Do i need to convert the field values  time zone from UTC to IST to get a alert out of it ?

Hey all, Our raw syslogs are showing IP addresses of sourced events, but the results in Splunk is changing the IP addresses to their respective hostnames/FQDNs. If I want to see the results without the name resolution how can I do this? I just need to see the IP addresses, as per the actual raw syslog. Thanks, Will  

I am looking to get the data in year, month, day, hour, minute and second basis search criteria is index="abc" rex field=raw"few fields" | stats count yearcount by year The above query is giving me below columns year      yearcount 2023      10 Similar to the above query we want to get count of month, day...seconds the final output should have below table year   yearcount   month   monthcount   day  daycount  ......seconds   secondscount Is it possible to get this output without using appendcols function multiple time as it is making the search query very long and not effective.  

Hi, This work when I use it at search time: | spath path=messageParts{} output=message | mvexpand message | rex field=message "{\"disposition\":\s+\"(?<disposition>[^\"]+)\",\s+\"sha256\":\s+\"(?<sha>[^\"]+)\",\s+\"md5\":\s+\"(?<md5>[^\"]+)\",\s+\"filename\":\s+\"(?<filename>[^\"]+)\",\s+\"sandboxStatus\":\s+\"(?<sandboxStatus>[^\"]+)\",\s+\"oContentType\":\s+\"(?<oContentType>[^\"]+)\",\s+\"contentType\":\s+\"(?<contentType>[^\"]+)\"}" BUT how to put this in props.conf? I have tried MV_ADD = true - but no luck  

I am trying to get billing data in s3. The data is in parquet format. I tried to get that data with "splunk add-on for aws" app. but i failed. I setting all the source types supported by the app, the data was not normal. please get me how i can get parquet format data. in a Splunk cloud environment.

Hi I am trying to create alerts and dashboards for my o365 and AD logs.  Is there somewhere that has an overview of the different options in for example Operations? Since I dont have a log from when a user is created, I dont know the value the log will say eg, UserCreated, UserWasCreated, CreateUser. Hope it makes sense  

Hi, I hope that asking this question will not cause controversy. I currently manage a hybrid between Splunk and ELK, some of the sources come directly to Splunk where we pay for the licensing but as there are sources that send very large volumes of information (As we know Splunk is very good but very expensive), we send them to ELK and what we do is that from Splunk we use this type of queries to display data from ELK | ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="src_ip:198.7.62.204" fields="*" now, making clear that these logs are not arriving directly to Splunk, and what Splunk is doing is an external query to ELK I would like to know if it is possible to correlate two sources, in this case I need to correlate the palalto logs type THREAT with the type TRAFFIC This is what I have tried but it does not work   | ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="Type:TRAFFIC AND Threat_ContentType:end AND Action:allow AND NOT SourceLocation:172.16.0.0-172.31.255.255 AND NOT SourceLocation:192.168.0.0-192.168.255.255 AND NOT SourceLocation:Colombia" fields="GeneratedTime,Threat_ContentType,Action,SourceIP,DestinationIP,DestinationPort,NATDestinationIP,SourceLocation,DestinationLocation,SourceZone,DestinationZone" |table GeneratedTime Threat_ContentType Action SourceIP DestinationIP DestinationPort NATDestinationIP SourceLocation DestinationLocation SourceZone DestinationZone * | append [ ess eaddr="http://localhost:9200" index=paloalto* tsfield="@timestamp" query="type:THREAT" fields="threat" |table threat ] |table threat Action *        

I am testing Splunk Cloud DDSS to AWS S3 buckets currently. I see logs in my S3 bucket once an index gets rolled over to S3 after its "Searchable Retention" period ends. The question I have is the logs that I see in S3 buckets are compressed using ".zst". Is this a configuration from Splunk or AWS - is there a way to change it to "gzip". Can we not have logs in its default extension and gzip it accordingly.   My next step is to test the restore process and it requires a standalone Splunk Enterprise instance. How should I go about that, one indexer and one search head, assuming it will be for one index only?   Thank you

Hi, We deployed the Splunk Add-On for Unix & Linux on a few AIX & Netezza servers as noticed a few issues with missing metrics. NETEZZA: All df metrics are not being returned (error message in _internal index shows the following Splunk_TA_nix/bin/df_metric.sh" df: unrecognized option '--output=source,fstype,size,used,avail,pcent,itotal,iused,iavail,ipcent,target' AIX Following IOstat metrics are not being returned. iostat_metric.rReq_PS iostat_metric.wReq_PS   Thanks, AKN

I decided to make a search with following situation.  However, I would like to enhance the performance that when user wanna search Name, it will only enable index A and B  but not index C Can I achieve it? Thanks a lot.   |multisearch [ index =A |search Name=* Results =*] [index =B | search Name=* Age=* Results=*] [index =C | search Name=* Age=*]

Hi, I have an unusual scenario for the data I am working with and would like to see if it's even possible to extract data this way. In brief, I parsed a value from my initial search query to a variable using rex and now I want to use only that value as new query instead of sub-query. Workflow: Find all successful test runs for a suite (this is a long query) Find reporting_url via event on each run  Parse uuid from reporting_url (I used rex on raw data and saved it on variable like res_uuid) Search only that uuid as that has multiple test_id records showing count of Pass/Fail counts. (Eventually create a graph for the same) Trying to make a simple example: First query -> Gives test suite level record. Parse to get UUID value Second query -> Independent query using that UUID and then use that for making graph. Please note that 2nd query results not linked with 1st query and sub-search will only give one record.      (Apologies if it's a very common workflow but I was not able to search it easily)  

Hi, I have a list of hosts  that i want to check their status , so  I have created an if statement to filter out the ones that does not meet the if statement , then i have an action to ping on the ones that met the IF statement ex:  host1, host2,host3,host4 if host==host1 OR host == host4  The next action would be  scan ONLY ( host1 , host4) I have the playbook working with all actions but i just could not figure out the way how to only process the hosts that meet the IF condition  Thanks