I want to see the 500 error count for each Customers over time (Today/Yesterday/LastWeekOfDay) So total 3 days. Below screenshot is Kibana Chart. How can we create same kind of chart in Splunk? I have tried below timechart query but x axis have time first instead of customerId. index="services" statusCode="500" | timechart span=1d count by customerId I have also tried with below Query But I feel Count in response in not correct. index="services" statusCode="500" | bucket _time span=day | chart count by customerId,_time | head 10 Is there a better way to do it?    

I am working on a KPI script and I need to deduplicate lines in the field  Looks like this : is there an | eval field= substr for first line of field  or some regex that can deduplicate my values. Thanks

Hello Team, i have the following problem. Inside my data i have a String like: Error in Data | 5432323 from endpoint 543336 Error in Data | 1344214 from endpoint 543446 Error in Data | 1323214 from endpoint 545536 The field in Splunk is called: error_message. The Goal is to filter these events out from the search results with a lookup. So that when i dont want to see these messages in futher searches i can adapt the lookup. The idea was something like test.csv check, error_message true, Error in Data | * from endpoint * | lookup test.csv error_message output check | search check!=true I tried the things from https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/td-p/94513?_ga=2.154739834.350113351.1675844344-1427000930.1666340646&_gac=1.213658144.1672302784.EAIaIQobChMIrf-SprWe_AIVp49oCR13GwTHEAAYASAAEgKCgvD_BwE&_gl=1*1ufx1dh*_ga*MTQyNzAwMDkzMC4xNjY2MzQwNjQ2*_ga_5EPM2P39FV*MTY3NTg1MDAzMy4xMTAuMS4xNjc1ODUyMzk3LjU0LjAuMA.. but this doesnt worked for me. Thank you all.  

Hello Splunkers, Please if someone can help me with a Splunk query, I have a list of IPs I imported in lookup table, I want to grab the FW traffic where dest_ip in the FW logs matches my lookup list of IPs, I'm confused what command i should use in search "inputlook" or "lookup. Moreover, I would be grateful is someone can explain me the difference beteween inputlook and lookup with an example. Thank you,   Moh

I want to create a alert that will notify if error_count is continuously increasing over time for any of the group mentioned in column In table I have used timechart which gives sum of error_count value for different groups over the time. I need to compare. I want query that will trigger alert when every row value is greater then its previous row for their respective column, If any column verify this condition Alert should be raised In Simple words : Alert when error_count increases with time for any group My sample query: <<BASE QUERY>> earliest=-4h@h latest=@h | timechart span=30m sum(error_count) as c by group  Result of this query is in image attached ,consider this table as sample data for Alert query

Hi Splunk community, I have a chart display the number of users in each month. There was no data coming in in October and November, and I want to show the number of September for October and November for the chart to have a continuous trend. Here's my query:   <my search> | timechart span=1mon dc(UserID) as "Number of Users"   The current chart looks like this:  

I'm having trouble getting a new deployment client to connect to the DS. I can see connectivity is established, but the client keeps logging an error:     DC:DeploymentClient ... channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected       Looking at the splunkd_access log on the DS I can see the handshake message being recieved with a 401 by the DS     10.X.X.2 - - ... "POST /services/broker/connect/GUID/CLIENTNAME/guff/linux-x86_64/8089/9.0.2/GUID/universale_forwarder/CLIENTNAME HTTP/1.1" 401     I have plenty of Windows machines in the environment connecting successfully to this DS (also running on Windows). But this server and a few other Linux machines are not connecting. Any advice?  

Hi all.  Through my work I'm building a little distributed test environment.  To make it extra hard on me they have setup the search head, indexer and forwarder on different v-Nets. Also, only the search head has a public IP. My question then is how do I connect the indexer to the search head when the indexer does not have a public facing IP?    Hope the question makes sense. Jacob