I have 2 events having fields 1. id_cse_event: sqsmessageid,timestamp 2. Scim: sqs_message_id, timestamp. I want to search all the messages published by id_cse_events in scim using messageid, then find the difference between the time stamps This is the query i have wrote: sourcetype=id-cse-events | where isnotnull(sqsMessageId) | eval sqsmsgid=sqsMessageId | eval id_cse_time=timeStamp | table sqsmsgid, id_cse_time | map [search sourcetype=scim |fields line.message.sqs_message_id, line.timestamp|search line.message.sqs_message_id="$sqsmsgid$" | eval time_diff_in_seconds=strptime(id_cse_time,"%Y-%m-%dT%H:%M:%S")-strptime(line.timestamp,"%Y-%m-%dT%H:%M:%S") ]maxsearches=9999 | table line.message.sqs_message_id,time_diff_in_seconds id_cse_time= 2023-01-27T09:55:45.970831Z scim timestamp = 2023-01-27T08:24:28.601+0000 The events are getting matched, but i don't see any table with messageid and timediff. Can anyone help?

Hi Except if i am mistaken, Splunk ES contains a collection of add-ons. In combination, these add-ons provide the dashboards, searches, and tools that summarize the security posture of the enterprise, allowing users to monitor and act on security incidents and intelligence Does it means that Splunk ES works without any forwarder?  How the correlaation is done beteween these addns and the enterprise infrastructure? Is it automatic? The data are sent to the indexers lije with Splunk Enterprise or just to a search head? Sorry for these questions, but I am rookie in Splunk ES and I need to understand how the security events are ingested Thanks

Hi, I want to ask about SLA which I refer from following URL: https://www.splunk.com/ja_jp/legal/splunk-cloud-service-level-schedule.html My questions are: 1. Service credit billing is a customer's confidential information, but it is stated that the customer should contact Splunk. Is the customer in this statement and End-user who should contact Splunk directly? 2. Credits will be returned in time (up to 1 month) according to the availability % per quarter, but will the contract period be extended? 3. It states that a complete description is required when making a service credit claim. Is there any sample report content or regulatory form for it? Thanks, Emmy

Hybrid and multi-cloud deployments is the new reality for many organizations today who want to get the most out of their on-premises and cloud investments. With the pace of hybrid and multi-cloud deployments on the rise how can one ensure your cloud is fully optimized and not froth with security and reliability concerns? Are there any best practices and recommendations for migrating self-managed Splunk Enterprise deployments to Splunk Cloud Platform (Splunk platform capabilities delivered as a service) efficiently and smoothly?

I feel like I'm dancing circles around the solution to this problem. I created a field named "Duration" with rex that has system recovery time in the 1d 1h 1m format but it doesn't always have all values; can also be 1d 1m, 1h 1m, 1m, 1h, or 1d (with values other than 1). I want to show the average downtime over 60days by system. index= ....... earliest=-60d latest=0h | rex field=issue ".*\((?P<Duration>\d[^\)]+" | rex field=Duration "((?P<Days>\d{0,2})d\s*)?((?P<Hours>\d{0,2})h\s*)?((?P<Mins>\d{0,2})m)?" | where isnotnull(Duration) | eval D=tonumber(Days)*1440 | eval H=tonumber(Hours)*60 | eval M=tonumber(Mins) | stats sum(D) as DT sum(H) as HT sum(M) as MT count(event_id) as Events by System | addtotals fieldname=TTotal | eval HTime=TTotal/60 This gets me the numbers I need but am having trouble displaying the average time by System. It still needs to be divided by event_id per system and I need this to be an ongoing report so I can't do it manually. | stats avg(HTime) by System - only gives me the HTime value per system, not the average per event per system. Suggestions?  

Dear experts ,  I am searching on my bot index, which contain conve-id and rest of the fields are stored as payload. Using spath i am able to extract required fields from payload into a table , now for trend analysis i want to use time chart command to see number of users per month , however its not working , below is the query for your reference , need help with the query : index=idx_chatbot logpoint=response-in AND service="journeyService" OR service="watsonPostMessage" |spath input=payload output=displayname path=context.displayName | spath input=payload output=Country path=context.countryCode | spath input=payload output=Intent path=intents{}.intent |spath input=payload output=ticketResponse path=response.createTicketResponse.Message | table conversation-id timestamp service duration logpoint userFeedback displayname text Country Intent category ticketResponse payload | dedup conversation-id | timechart span=1mon count(displayName)

Hi folks, Our on-premise 5.3.1 SOAR's Ingest daemon is behaving funny in terms of memory management and was wondering if someone can give me any pointers to where to look for what is going wrong. In essence, the ingestd keeps on using more and more virtual memory until it maxes out at 256GB and then stops ingesting more data. Restarting the service does solve the issue. I am thinking the root cause might be hiding in 3 places: - poorly written playbooks - I am thinking something might be wrong with the playbooks that we have. We have playbooks running as often as every 5 minutes, so I suppose they can cause resource starvation. Not sure how to dive deeper for potential memory leaks here though.  - something going wrong with the ingestion of containers/better clean-up of closed containers - is it possible that just closing containers without deleting them after X amount of time can cause this? - some weird bug that we've hit - not sure how likely this is but I saw that in version 5.3.4 a bug regarding memory usage has been fixed (PSAAS-9663) so it is on my list, if nothing else turns up   One relevant point to make is that this started occurring after migration from 4.9.X to our current version so I have no idea if this is linked to the fact that we migrated to Python 3 playbooks or the particular product version. Any pointers to where/how to start looking for the root cause are appreciated. Cheers.