Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Topics

Can someone help with a query? I have 2 indexes, abc and bcz. From index abc I want to show stats for field1 where field2 from index abc matches field3 of index bcz, and in index bcz field5="value".

What I tried, which is not working:

    index=abc | stats count by field1 | join type=inner field2 [search index=bcz | rename field3 as field2 | where field5="employee_name"]

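An added example, not part of the original post, of one way to express this without join. In the posted search, stats count by field1 runs before the join and drops field2, so there is nothing left to join on; join and its subsearch also have result and time limits. This version pulls both indexes in one search, builds a common key, and keeps only abc events whose key also occurs in a bcz event with field5="value" (substitute the real value). Index and field names are the post's; nothing else is assumed.

```spl
(index=abc) OR (index=bcz field5="value")
| eval join_key=if(index="abc", field2, field3)
| eventstats dc(index) AS idx_count BY join_key
| where idx_count=2 AND index="abc"
| stats count BY field1
```

eventstats annotates every event with how many distinct indexes share its join_key; a key seen in both indexes gets idx_count=2. abc events with no field2 get no join_key, so eventstats gives them no idx_count and the where clause discards them.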
We need to configure which dashboards a user is allowed to navigate through Splunk Mobile, but this user is shown all the dashboards he has access to instead of the admin-selected ones. According to the documentation (https://docs.splunk.com/Documentation/SecureGateway/3.3.0/Admin/AppSelection), admins can choose which apps to show dashboards from in the Connected Experiences mobile apps. This configuration is global: dashboards from the apps you choose show for all devices registered to the Splunk platform instance with this configuration. This is not what we are experiencing: the admin selects a few dashboards from a single app to show (just these ones, the rest are hidden), but the user still sees all the dashboards he is allowed through RBAC.

    < query > ... | stats count by return_code

fetches me the below output. I have to create an alert where the sum of any return_code value other than 100 and 200 should not cross 20% of the overall value. Example: from the above image, I add the counts of the return_codes other than 100 and 200, which gives 226. The count of 100 and 200 is 2924. The percentage then comes to around 7.17%. How do I achieve this via query?

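An added example, not from the original post, of the ratio computed on the posted search's output. <query> stands for the poster's own base search. It folds the per-code counts into a total and a "non-OK" total, computes the share, and keeps a row only when the threshold is crossed, so the saved alert can simply trigger on "number of results > 0".

```spl
<query>
| stats count BY return_code
| eval non_ok=if(return_code=100 OR return_code=200, 0, count)
| stats sum(count) AS total, sum(non_ok) AS non_ok
| eval pct=round(100*non_ok/total, 2)
| where pct > 20
```

With the figures in the post (226 non-OK out of 226+2924), pct evaluates to 7.17 and no row survives the where, so the alert stays quiet. Drop the final where while testing to see the computed percentage.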
Hi, I have an ITSI issue. It was working correctly and suddenly I have N/A, no events and no data in my ITSI module. I have checked all splunkd.log and ITSI log and conf files without success. Could you give me a hint? Regards

In the below search I am looking for rules hit by count, but how or where would I add a NOT or !, if I wanted to know what rules have not been hit?

    index=pan_logs | fields _time, rule | stats count by rule | sort -count

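An added example, not from the original post. A NOT cannot find rules that produced no events, because there is no event to match; the search needs an independent list of all rules. This assumes a hypothetical lookup pan_rules.csv with one column, rule, holding every configured rule name (exported from the firewall or maintained by hand). Rules seen in the logs get their hit counts; rules only in the lookup end up with zero.

```spl
index=pan_logs
| stats count BY rule
| inputlookup append=true pan_rules.csv
| fillnull value=0 count
| stats sum(count) AS hits BY rule
| where hits=0
```

Remove the final where to get the full table of hit and unhit rules, and sort -hits for the original ranking.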
Hi community, I've just performed an upgrade on my infrastructure (distributed environment) from Splunk 8.2.3 to Splunk 9.0.3. All the instances seem to work fine; I have problems, though, in applying the search head cluster bundle. I use this command to upgrade Splunk Enterprise Security:

    $SPLUNK_HOME/bin/splunk apply shcluster-bundle -preserve-lookups true -target https://instance1:8089

But it doesn't work and I receive this message:

    Error while deploying apps to first member, aborting apps deployment to all members: Error while updating app=SplunkEnterpriseSecuritySuite on target=https://instance1:8089: Error in JSON response: Unexpected EOF

Do you have any idea what the problem could be? Thank you, Marta

Hi All, can anyone help me with a Splunk command to know how much disk space is utilized by the UF and what is using that much space? Regards, PNV

I display licensing in a dashboard using the licensing search for Previous 60 Days split by index. This shows a line with my license, all days, and stacked indexes. It works on classic dashboards, but in the new Dashboard Studio it doesn't work correctly and I don't see column settings for interval, etc. in Studio. Is there another way to display this using Studio? Or am I missing some settings?
    |eval TotalApps=if(match('Total',"NTB"),"1","0")
    |eval In-Progress=if('Total'="NTB" AND isnull('APPL_SUB-DATE'),"1","0")
    |eval Submitted=if('Total'="NTB" AND isnotnull('APPL_SUB-DATE'),"1","0")
    |eval My-InfoUsed=if('Total'="NTB" AND isnotnull('APPL_SUB-DATE') AND isnotnull('MY-INF0-CONCUR-FLAG'),"1","0")
    |stats sum(TotalApps) as "Total Apps" sum(In-Progress) as "In Progress" sum(Submitted) as "Apps Submitted" sum(My-InfoUsed) as "My InfoUsed" by Mon-Year
    |transpose Column_name="Category"

I am getting results as:

    Category        row1
    Mon-Year        Jan-2023
    Total Apps      06
    In Progress     06
    Apps Submitted  0
    My InfoUsed     0

But the requirement is:

    Mon-Year    Category        Total
    Jan-2023    TotalApps       06
                In Progress     06
                Apps Submitted  0
                My InfoUsed     0

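An added example, not from the original post. transpose swaps rows and columns, which is not the shape wanted; untable converts the wide stats output (one row per Mon-Year, one column per category) into the long form requested (one row per Mon-Year and category). Field names are the post's; the base search is the poster's.

```spl
| eval TotalApps=if(match('Total',"NTB"),"1","0")
| eval In-Progress=if('Total'="NTB" AND isnull('APPL_SUB-DATE'),"1","0")
| eval Submitted=if('Total'="NTB" AND isnotnull('APPL_SUB-DATE'),"1","0")
| eval My-InfoUsed=if('Total'="NTB" AND isnotnull('APPL_SUB-DATE') AND isnotnull('MY-INF0-CONCUR-FLAG'),"1","0")
| stats sum(TotalApps) AS "Total Apps", sum(In-Progress) AS "In Progress", sum(Submitted) AS "Apps Submitted", sum(My-InfoUsed) AS "My InfoUsed" BY Mon-Year
| untable Mon-Year Category Total
```

untable takes the by-field first, then the name for the former column headers, then the name for the values, so each Mon-Year yields four rows in the order of the stats columns. Mon-Year repeats on every row; blanking repeats is a table formatting choice, not something the search needs to do.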
Hello, which method is best: using TIME_PREFIX = timestamp":" or TIMESTAMP_FIELDS = @timestamp? https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Configuretimestamprecognition#Examples does not talk about TIMESTAMP_FIELDS. We are using this parameter for another JSON source and it works fine too.

Examples:

UF side:

    etc/deployment-apps/_server_app_LBA_ZZZ_LX/local/props.conf
    [ZZZ_metrics_json]
    TIMESTAMP_FIELDS = start   (useless in my opinion, as it should only run on the indexer side?)
    TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z   (useless in my opinion, as it should only run on the indexer side?)
    INDEXED_EXTRACTIONS = json

    etc/deployment-apps/_server_app_LBA_MIC_SUP/local/props.conf
    [VVV:sup:json]
    INDEXED_EXTRACTIONS = json

IDXC side:

    [siem@s301lbasplmgt2 ~]$ cat /OPT/siem/splunk/etc/master-apps/APP_PROPS/local/props.conf
    [ZZZ_metrics_json]
    TIMESTAMP_FIELDS = start
    TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z

    etc/master-apps/XXX_VVV_PROPS/default/props.conf
    [VVV:sup:json]
    TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
    TIME_PREFIX = timestamp":"
    MAX_TIMESTAMP_LOOKAHEAD = 50

SHC side:

    etc/shcluster/apps/XXX_VVV_PROPS/default/props.conf
    [VVV:sup:json]
    KV_MODE = none

    etc/shcluster/apps/APP_YYY_parser_json/default/props.conf
    [ZZZ_metrics_json]
    KV_MODE = none

Thanks for your help.

Hello Community, I would like to inquire about some issues I am facing while setting up a heavy forwarder in Splunk. Please take a look at the issues below:

1) Hosts are visible in Splunk, but all of them are not forwarding their logs to the indexer.
2) Linux servers are not able to forward logs to the indexer.
3) Some hosts are able to forward their logs to the indexer after a manual modification of their universal forwarder file, but it takes an hour or so before they forward their logs.
4) The most recently added devices do not show their logs in real time, i.e. recently added devices should show logs with a time frame of the last 4 hours or 60 minutes, but they show only with a 24 hours time filter.

Thanks in advance.

Hello everyone, I have logs like

    2022-11-23 12:47:42.000 id="123" event="some text text2 text3 text4"

I want to trim everything that comes after three consecutive spaces, so I want to get raw logs like

    2022-11-23 12:47:42.000 id="123" event="some text text2 text3"

I did this in props.conf:

    [my_sourcetype]
    ...
    EXTRACT-event = event="(?<event>.+?)\s{3,}.*"
    ...

It's working fine, I get the event field I want, but I still get old logs with 3+ spaces. What should I add to props.conf to get correct logs?

How can I create a notable event alert if any of the correlation searches is getting skipped?

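An added example, not from the original post. The scheduler logs every skipped run to _internal with the search name and the reason, so a search over that log is the starting point; saved with the Notable alert action in Enterprise Security it produces the notable asked for. The filter on names ending in " - Rule" assumes the Enterprise Security naming convention for correlation searches; widen or drop it if yours are named differently.

```spl
index=_internal sourcetype=scheduler status=skipped
| search savedsearch_name="* - Rule"
| stats count AS skips, values(reason) AS reasons, latest(_time) AS last_skip BY app, savedsearch_name
| convert ctime(last_skip)
| sort -skips
```

Run it over the alert's own interval (for example the last hour) so each skip is reported once. The reasons field is worth keeping in the notable: "maximum number of concurrent running jobs" and "priority" skips point at scheduler capacity, not at the correlation search itself.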
Dear All, can you please suggest whether any index creation (through the CLI) is required to configure/onboard a new API into the heavy forwarder.

App Name: Cisco Umbrella Add-On for Splunk

I want to monitor all my hosts, ESXi's, etc. in my vCenter environment. I am working in a distributed environment and I want to send all alarms (for errors) and all data that can help me ensure that the health of my vCenter environment is good. Can someone please help and send me the steps to do that? It would be helpful to also add tutorials or documentation for each part. (I don't know, for example, in which component to enable the HEC token, or how to use the API to send the alarms from vCenter to my Splunk.)

I have six eventtypes that each check Juniper router logs for an interface bounce (an up/down event). These are working well. Here is an example; the other five are just variations of this (different routers and interfaces):

    sourcetype="syslog" host_rdns="lo0.router1.domain.com" AND SNMP AND "xe-0/0/1" NOT "0/3/1.*"

I am doing the following search during business hours (08:00 to 20:30, 7 days a week) as a timechart that spans one day, and it displays each eventtype as the "office#" site name with how many flaps per hour occurred during the business hours:

    sourcetype="syslog" (eventtype="office1" OR eventtype="office2" OR eventtype="office3" OR eventtype="office4" OR eventtype="office5" OR eventtype="office6") NOT UI_CMDLINE
    | eval date_hourmin=strftime(_time, "%H%M")
    | eval date_numday = strftime(_time, "%w")
    | eval date_dow=strftime(_time, "%A")
    | eval full_datew = _time." ".date_dow
    | eval mytime=strftime(_time, "%Y-%m-%d, %A")
    | search (date_hourmin>=0800 date_hourmin<=2030 AND date_numday>=0 date_numday<=6)
    | timechart span=1d count as "Interface Flap" by eventtype
    | eval time=strftime(_time, "%m/%d/%Y, %A")
    | fields - _time
    | rename office1 as "Home Office", office2 as "Seattle", office3 as "Portland", office4 as "Dallas", office5 as "Chicago", office6 as "New York", time as "Day, Date"

This is working as I want and expect it to, like so:

But I cannot figure out how to display all six eventtypes (sites) at all times, including the eventtypes with ZERO counts. I've tried everything I can think of (fillnull, adding fake results (maybe I am doing that wrong?)), but I cannot figure out what I am missing/doing wrong. Can someone provide pointers for the best way to address this issue?

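An added example, not from the original post. timechart ... by eventtype only creates a column for each eventtype value that occurs somewhere in the time range; a site with zero flaps all day never gets a column, which is why fillnull alone does nothing (it fills existing fields, it does not create them). Creating the six columns explicitly after timechart, with coalesce, guarantees every site is present before the rename. The base search and the names are the post's.

```spl
sourcetype="syslog" (eventtype="office1" OR eventtype="office2" OR eventtype="office3" OR eventtype="office4" OR eventtype="office5" OR eventtype="office6") NOT UI_CMDLINE
| eval date_hourmin=strftime(_time, "%H%M")
| search date_hourmin>=0800 date_hourmin<=2030
| timechart span=1d count BY eventtype
| eval office1=coalesce(office1,0), office2=coalesce(office2,0), office3=coalesce(office3,0),
       office4=coalesce(office4,0), office5=coalesce(office5,0), office6=coalesce(office6,0)
| eval time=strftime(_time, "%m/%d/%Y, %A")
| fields - _time
| rename office1 AS "Home Office", office2 AS "Seattle", office3 AS "Portland", office4 AS "Dallas", office5 AS "Chicago", office6 AS "New York", time AS "Day, Date"
| table "Day, Date", "Home Office", "Seattle", "Portland", "Dallas", "Chicago", "New York"
```

The day-of-week filter from the original is left out because 0 to 6 covers every day; the final table fixes the column order so the sites appear in the same position whether or not they had events.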
Hi Team, I want to store the query results in a lookup file, but the outputlookup command is not updating the CSV as per the result set.

    index = ........ queryresults ............| outputlookup test.csv

Are there any changes required in the query? Regards, Supraja

Hi, could you provide me with a search query for one of my indexes, es_splunk, so that we can find all the null fields? The regex is case sensitive so it's only catching "null", all lower case, but they may ALL be that way anyway. Just mentioning for completeness. As well, there could be fields that are not "null" but simply an empty string. Those two cases should be checked if we want 100% coverage. Thanks.

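An added example, not from the original post. foreach * runs the eval template once per field of each event, substituting the field name for <<FIELD>>, so no field list has to be known in advance. match() is case-sensitive by default, which gives the lower-case-only "null" check asked for; the second comparison catches the empty string. Only the index name es_splunk comes from the post.

```spl
index=es_splunk
| foreach * [eval null_fields=if(match('<<FIELD>>', "^null$") OR '<<FIELD>>'="", mvappend(null_fields, "<<FIELD>>"), null_fields)]
| where isnotnull(null_fields)
| mvexpand null_fields
| stats count AS events BY null_fields
| rename null_fields AS field
| sort -events
```

The result is one row per field name with how many events carried a literal "null" or an empty value in it. To review the offending events instead of counting them, stop after the where and add table _time, null_fields, _raw.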
Hello everyone, I need your help please. I am using the Location Tracker to follow some alerts. My SPL request is:

    index="imcfault" sourcetype="st_imcfault" | lookup switchs.csv ip AS sourceIp | rex field=location "^(?<latitude>.+?), (?<longitude>.+?)$" | table _time latitude longitude faultDesc

The lookup switchs.csv returns the following elements: adresse ip label location

The final result of the request is:

I want to have the static icon in two colors:
Orange: severity between 0 and 2
Red: severity between 3 and 4

Thank you so much.

Hello everyone, I have fields like this in a log: event="some text text2 text3   something     something2". How should I write a regex to match everything until 3 or more spaces? For example, for this event it should match "some text text2 text3".

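An added example, not from this thread or the earlier props.conf one, that covers both: the search-time regex asked for here and a way to test the index-time rewrite asked for there. The sample event is constructed from the posted log line. The first rex captures up to three-or-more spaces or, if there are none, up to the closing quote, so it also works on events that have nothing to trim; the second rex uses mode=sed with the same expression that a SEDCMD in props.conf would take, which lets the rewrite be checked against real events before it is deployed.

```spl
| makeresults
| eval _raw="2022-11-23 12:47:42.000 id=\"123\" event=\"some text text2 text3   something     something2\""
| rex field=_raw "event=\"(?<event_short>.*?)(?:\s{3,}|\")"
| rex mode=sed field=_raw "s/ {3,}[^\"]*\"/\"/"
| table _raw, event_short
```

Running this gives event_short = some text text2 text3 and _raw rewritten to end in event="some text text2 text3". For the index-time version, the same expression goes into props.conf on the parsing tier (indexers, or the heavy forwarder if one parses the data) under the sourcetype stanza as SEDCMD-trim_event = s/ {3,}[^"]*"/"/ . SEDCMD rewrites only events indexed after it is deployed; already-indexed events keep their original _raw, which is why a search-time EXTRACT alone leaves the old logs unchanged.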