Hi  My system is Linux.  Am trying to monitor 3 users in an index.  The last time they login, IP address etc. There are over 180+ user. How do I get the search to show just the three users I want e.g James Peter and John? Thanks

Hi, I`m following this article in an attempt to ingest Teams data into Splunk and I need some help with testing the webhook - can someone confirm what the webhook URL is ?         curl WEBHOOK_ADDRESS -d '{"value": "test"}'           Also, looking at the documentation for the Teams Add-on for Splunk it states that "theTeams Webhook is not available for Splunk Cloud installations." - has anyone found an alternative solution for Cloud Deployments ? We use Splunk in a hybrid (cloud + on prem) environment. Many thanks.

Dears, I have installed Splunk app for linux  & add on in my Splunk enterprise paid license version. Installed splunk forwarder in all hosts & added cpu, vmstat & df in input.conf file in remote servers. Now i want to create dashboard for live monitoring for mentioned linux metrics  & alerts for that. Need to help to do that or have any good documents please share.

Hi Team, We have a field called Status=Start and Status=Success OrderId is one field When orderId has the Status=start and if there is no Status=Success for 10 mins it should be considered as failure May i know how to write a condition for this?

Very strange scenario. I'll use a rex statement to retrieve data and it works perfectly. If I copy and paste the rex command that Splunk used (Copied from Job Inspector) it does not work. I'll receive an error. An actual snippet of raw data that I've used as an example in my erex statement. The data in bold is what went into my example. "usbProtocol":1,"deviceName":"Canon Digital Camera","vendorName":"Canon Inc.", And the job inspector spat out the following: | rex "(?i)\"deviceName\\\":\\\"(?P<Device>[^\\]+)" And the data looked perfect, like so; Canon Digital Camera   But if I use that rex statement spat out by the Job Inspector in my search Splunk says nay nay; The error in Splunk received was "Error in 'rex' command: Encountered the following error while compiling the regex '(?i)"deviceName\":\"(?P<Device>[^\]+)': Regex: missing terminating ] for character class."   I reached out to a coworker that provided | rex ".*deviceName(?<Model>.*?)," And it works to a degree, but includes characters that I'd rather not see in my data. Actual example of what is spat out; \":\"Canon Digital Camera\" Just also mentioning this in case it matters - where there is no data available/null within the "deviceName" raw data, it will show like this; \":\"\" I'd really appreciate some guidance with my regex code. I've been delving into this lately, used many training materials, but can't seem to figure this one out?!

There a about 3 ways to set up outputs.conf and  when you trying to setup forwarders.  you can either do a cli entry to add a forwarder server(and indexer) or you cand edit outputs .conf files We made the outputs .conf according to a tutorial we saw but were have issues getting data in. So the question is what is broken about our outputs.conf file  (also side note originallt the.102 address wasnt in the files and neither was default-autolb group) thanks    

Hi, I have a search where I am attempting to extracting 2 different fields from one string response using "rex":     1st Field: rex \"traceId\"\s:\s\"?(?<traceId>.*?)\" 2nd Field: rex "\"statusCode\"\s:\s\"?(?&lt;tstatusCode&gt;2\d{2}|4\d{2}|5\d{2})\"?"     I am attempting to "dedup" the 1st field (traceId) before I pipe those results into the 2nd field (statusCode).  I have attempted multiple variation based on Splunk threads and other internet resources.  Below is the query I am making:     index=myCoolIndex cluster_name="myCoolCluster" sourcetype=myCoolSourceType label_app=myCoolApp ("\"statusCode\"") | rex \"traceId\"\s:\s\"?(?<traceId>.*?)\" | dedup traceId | rex "\"statusCode\"\s:\s\"?(?&lt;tstatusCode&gt;2\d{2}|4\d{2}|5\d{2})\"?" //I have tried a lot of other permutations this is just one     Below is the response from the log (looks like JSON but it is string type):     \\Sample Log (Looks like JSON object, but its a string): "{ "correlationId" : "", "message" : "", "tracePoint" : "", "priority" : "", "category" : "", "elapsed" : 0, "locationInfo" : { "lineInFile" : "", "component" : "", "fileName" : "", "rootContainer" : "" }, "timestamp" : "", "content" : { "message" : "", "originalError" : { "statusCode" : "200", "errorPayload" : { "error" : "" } }, "standardizedError" : { "statusCode" : "500", "errorPayload" : { "errors" : [ { "error" : { "traceId" : "9539510-d8771da0-a7ce-11ed-921c-d6a73926c0ac", "errorCode" : "", "errorDescription" : "" "errorDetails" : "" } } ] } } }, }"     The intent of the query is to: Extract field "traceId", then "dedup" "traceId" (to remove duplicates), then extract field "statusCode" and sort "statusCode" values. When running these regEx's independently of eachother they work as expected, but I need to combine them into one query as I will be creating charts on my next step.....  All help is appreciated.  

On Splunk 9.0.0 on windows on one of our dedicated Deployment servers when we go to Settings \ Forwarder Management in the Web UI we get a nice list of Clients aka systems running the Universal Forwarder so far so good My question is how can I see what Search is generating this result ie this list of machines? unlike some of the other screens there is no magnifying glass icon to click on to invoke the search pane