I have a question because I am confused about the majority principle of search header clustering captain election. the question is Assume a dynamic Captain Election. [1] When conducting Captain Election, a majority of the cluster members must vote to be elected. In step 1, more than half means For example, if there are 5 search headers and one is in the Down state, I am confused whether the 3rd generation, which is the majority of the 4th generation, should vote, or whether the 3rd generation, which is the majority of the 5th generation, should vote. In other words, I wonder if it is included even if the target of the vote is down.   [2] Also, according to the majority rule, there must be at least three Search Header. I don't know why Search Header needs to be 3 generations. For example, if there are only two A and B, here B declares to be the captain first, then A votes and B votes for himself, so more than half of the votes are satisfied, so B can become the captain is not it?

Hi All, Need some guidance for calculating SLA  Achieved percentage column.  This is how my results look like after running base search Severity Count_of_Alerts Mean_Time_To_Close SLA Target SLA Achieved  in % S1 10 7 mins 8 secs  15 mins   S2 5 6 mins 25 secs 45 min   I have referenced solution provided by @ITWhisperer in https://community.splunk.com/t5/Splunk-Search/adding-percentage-of-SLA-breach/m-p/572942#M199687  but in my case we also have count column.   We are ok with considering only the minutes portion of the Time_to_Close and ignoring the secs if too complicated. How can i calculate my SLA achieved in % . Is it as simple as doing a  | eval SLA_Achieved = (Mean_Time_to_close*SLA_Target)/100 One further optimization would if the SLA % achieved is less than the Target, then perhaps color that cell green else Red in color (something on that lines).

Hello, we run an Indexer that functions as deployment server as well. I have already configured it to use our CA-Cert for the Web-UI port 8000 as well as for the input port 9997, both works properly. However, I wasn't able to set our certificate for communication on the mgm port 8089. For each request, it returns the pre-shipped self-signed certificate. Other solutions from this board didn't work, unfortunately. We are running splunk enterprise v9.0.3 Configs on the indexer: server.conf   [sslConfig] enableSplunkdSSL = true sslVersions = tls1.2 sslRootCAPath = /opt/splunk/etc/auth/<ourcert>.pem sslVerifyServerName = true sslVerifyServerCert = true sslPassword = <PW> cliVerifyServerName = true     inputs.conf   [splunktcp-ssl:8089] disabled = 0 [splunktcp-ssl:9997] disabled = 0 [SSL] serverCert = /opt/splunk/etc/auth/<ourcert>.pem sslPassword = <PW> requireClientCert = false sslVersions = tls1.2 sslCommonNameToCheck = splunk.domain1,splunk.domain2     I'd be really happy, if someone could help me out with this! Thank you!

Hi, I have got a table in a dashboard which shows some information. For every row of the table I want to include a column which shows a link to another dashboard. This link has to be different for every row (including the filters in the link like "?form.time_select.earliest=..."). I tried to do that using the $click.value2$ token in the drilldown "Link to custom URL" . The problem with that is, that the token gives back the value of the clicked field but some special characters from the clicked field value are converted to a different format (for example the character "?" is converted into "%3F"). Is there a solution to get the exact string value that is in the clicked field with the $click.value2$ token? Or would there maybe be a better solution to solve my problem?   Thanks for the help!

Hi All, I have a very simple use case and that is to display the time difference between 2 fields that already have their values as time in epoch format.   But when i use ctime to display the difference, it shows weird results.  As shown below my events contains 2 fields ( tt0 & tt1). Their values are  timestamp in EPOCH. If we manually  convert these to Human Readable Time , the difference between the tt0 and tt1 is just 03 mins and xx seconds.   tto tt1 1675061542  1675061732 But when i do a      | eval ttc=tt1-tt0 | convert ctime(ttc)     Splunk displays ttc as follows:   12/31/1969 18:56:49.2304990  What am i doing wrong here?  How to make it display ttc correctly ?

We are planning to upgrade our Splunk_TA_windows app (8.5.0 atm) to the latest version, and during the deep-dive into props and transforms I noticed all these transforms being called from Perfmon sourcetypes. Example:   [Perfmon:Processor] EVAL-cpu_user_percent = if(counter=="% User Time",Value,null()) EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null()) FIELDALIAS-cpu_instance = instance AS cpu_instance EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null()) ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null()) FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge"   These transforms seem to extract data and store them in meta fields, like this one:   [value_for_perfmon_metrics_store] REGEX = Value=\"?([^\"\r\n]*[^\"\s]) FORMAT = _value::$1 WRITE_META = true      We have untill now indexed Perfmon data to event indexes - Will these transforms lead to unneccessary data storage on the indexer cluster? Should we comment out the transforms untill we're ready to move Perfmon data over to metrics indexes?

Hi I'm implementing some searches provided by Splunk Threat Research Team to detect threats from AD logs. But I cannot set all required fields. For example, one of them is below.  "Windows Computer Account Requesting Kerberos Ticket" (https://research.splunk.com/endpoint/fb3b2bb3-75a4-4279-848a-165b42624770/) It requires some fields that I cannot find , such as subject, and action. Below is a sample log. I can't find which value I should extract as a "subject" and "action".  I use "WinEventLog:Security" as sourcetype.  I installed the TA-microsoft-windows.  Thank you. LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106676187 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: PC-DEMO$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\PC-DEMO$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 59022 Additional Information: Ticket Options: 0x40800010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint:    

Hi I am tracking service requests and responses and trying to create a table that contains both requests and response but requests and responses are in different lines ingested in splunk. I have a common field (trace) which is available in both the strings and unique for a set of request and response pairs,  example line1: trace: 12345 , Request Received: {1}, URL:http:// line2: trace: 12346 , Request Received: {2}, URL:http:// line3: trace:12345 , Reponse provided: {3} line4: trace:12346 , Reponse provided :{4}   In line1 and line 3 trace is common field and so is in line 1 and line 4 I want end result like in a table   trace      request     response 12345   {1}            {3} 12346  {2}            {4}