Fairly new to Splunk so may not have the correct terms for everything. Currently working in a distributed environment with Splunk Enterprise with windows and Linux host. These hosts are sending logs via UFs to the clustered indexers. There is also an HF that is receiving logs from apps and AWS. My issue is that the logs coming from my UF are not being parsed into field name-value pairs. The windows/Linux host, indexers, and Search Heads all have the splunk_TA_nix and splunk_TA_windows add-ons installed.  I almost feel like my indexers are not parsing the data that is coming in. Log data is getting into Splunk and I can see my events however it is all in a format similar to this, very crude I know.     <data><data><data>1039<data><data><data>time<data><data>program<data>splunk<data>     I would like it to be in field name values.  At some point I was receiving logs in this format however I am no longer. What could be causing this?      time: 10:39 program: splunk          

We have ingested into Splunk logs from our application - these logs include two keys - stageType  and correlation id, along with other keys.    I have to find a list of correlation ids that are returned for one stageType and not for other stageType.   I realise Splunk queries cannot be written similar to SQL I am not very conversant with Splunk -  I just normally get by - using simpler queries.   Hence hoping, someone can help me with a query that gives me the list - so I can do further analysis to find out the reason for differences, which should not normally exist. Is it possible to do it in Splunk? Can someone help me with the query? index=grp-applications sourcetype="kafka:status" stageType IN ("STAGEA", "STAGEB" )  env=qa | dedup env, correlationId, stageType | stats count by env, correlationId, stageType Thank you  

I have an application that have some instances/hosts. Because of change of throughput or instability new instances/hosts can be initiated and old can be terminated. There are many different events/logs being registered.  When a new instance/host is initiated it shows the following event/log: 1/20/23 6:00:01.256 PM   [app=gateway-example-app, traceId=, spanId=, INFO 1 [ main] gateway.GatewayApplicationKt : Started GatewayApplicationKt in 21.081 seconds (JVM running for 48.641) host = ip-example-of-ip-01 source = http:source-example sourcetype = example-sourcetype    When an instance is terminated, it shows the following log: 1/20/23 3:53:42.778 PM   CoreServiceImpl INFO: JVM is shutting down host = ip-example-of-ip-02 source = http:source-example sourcetype = example-sourcetype  Is there a way of getting a list of hosts that have the log of initialization, but don't have the log of termination?  In other words, a list of currently active hosts? Thank you for any help in advance. And sorry if I wrote anything wrong, english is not my main language.

I'm creating a ServiceNow Dashboard in Splunk, and there is a particular column called "dv_priority" that I'd like to assign a color code to.  For example, their are four values assigned to dv_priority field, it's either going to "1 - Critical" ,  "2 - High" , "3 - Moderate" , "4 - Low", "5 - Informational"   I'd like to color code these values, for example "1 - Critical" (Red), "2 - High" (Orange), "3 - Moderate" (Yellow) and "4 - Low" (Purple) and "5 - Informational" (Green). What would be the best approach SPL-wise in doing this with the below query?     index=servicenow sourcetype=* NOT dv_state IN("Closed", "Resolved", "Cancelled") | eval dv_number = if(isnull(dv_number), task_effective_number, dv_number) | eval dv_number = if((isnull(dv_number) OR len('dv_number') == 0), DV_NUMBER, dv_number) | eval number = if((isnull(number) OR len('number') == 0), dv_number, number) | eval number = if((isnull(number) OR len('number') == 0), NUMBER, number) | eval number = if((isnull(number) OR len('number') == 0), "Error", number) | eval number = if(number!=dv_number, dv_number, number) | eval dv_u_subcategory = if((isnull(dv_u_subcategory) OR len('dv_u_subcetegory') == 0), DV_U_SUBCATEGORY, dv_u_subcategory) | eval dv_u_category = if((isnull(dv_u_category) OR len('dv_u_category')==0), DV_U_CATEGORY, dv_u_category) | eval dv_business_service = if(((isnull(dv_business_service) OR len('dv_u_business_service')==0) AND dv_category="MDR Analytics"), "Detect", dv_business_service) | eval dv_business_service = if(((isnull(dv_business_service) OR len('dv_u_business_service')==0) AND dv_category="MDR Engineering"), "Engineering", dv_business_service) | eval dv_business_service = if((isnull(dv_business_service) OR len('dv_u_business_service')==0), DV_BUSINESS_SERVICE, dv_business_service) | eval dv_business_service = if(((isnull(dv_business_service) OR len('dv_business_service')==0) AND dv_u_category="Notable" AND dv_u_subcategory="Security"), "Detect", dv_business_service) | eval dv_business_service = if((isnull(dv_business_service) OR len('dv_u_business_service')==0), "Error", dv_business_service) | eval dv_business_service = if(dv_u_category="Infrastructure", "Engineering", dv_business_service) | eval state = if((isnull(state) OR len('state')==0), STATE, state) | eval dv_state = if((isnull(dv_state) AND state=1), "New", dv_state) | eval dv_state = if((isnull(dv_state) AND state=3), "Closed", dv_state) | eval dv_state = if((isnull(dv_state) AND state=6), "Resolved", dv_state) | eval dv_state = if((isnull(dv_state) AND state=11), "On-Hold", dv_state) | eval dv_state = if((isnull(dv_state) AND state=18), "In Progress - Customer", dv_state) | eval dv_state = if((isnull(dv_state) AND state=7), "Cancelled", dv_state) | eval dv_state = if((isnull(dv_state) AND state=10), "In Progress - dw", dv_state) | eval dv_state = if((isnull(dv_state) OR len('dv_state')==0), DV_STATE, dv_state) | eval dv_state = if((isnull(dv_state) OR len('dv_state')==0), "Error", dv_state) | eval dv_state = if(dv_state="Error" AND (isnotnull(closed_at) OR len('closed_at') == 0), "Resolved", dv_state) | eval dv_short_description = if((isnull(dv_short_description) OR len('dv_short_description') == 0), short_description, dv_short_description) | eval dv_short_description = if((isnull(dv_short_description) OR len('dv_short_description') == 0), case, dv_short_description) | eval dv_short_description = if((isnull(dv_short_description) OR len('dv_short_description') == 0), DV_SHORT_DESCRIPTION, dv_short_description) | eval dv_category = if(dv_business_service="Detect", "MDR Analytics", dv_category) | eval closed_at = if((isnull(closed_at) OR len('closed_at')==0), CLOSED_AT, closed_at) | eval u_mttn = if((isnull(u_mttn) OR len('u_mttn')==0), U_MTTN, u_mttn) | eval u_mttca_2 = if((isnull(u_mttca_2) OR len('u_mttca_2')==0), U_MTTCA_2, u_mttca_2) | eval u_mttcv = if((isnull(u_mttcv) OR len('u_mttcv')==0), U_MTTCV, u_mttcv) | eval u_mttdi = if((isnull(u_mttdi) OR len('u_mttdi')==0), U_MTTDI, u_mttdi) | eval u_mttrv = if((isnull(u_mttrv) OR len('u_mttrv')==0), U_MTTRV, u_mttrv) | eval u_mttc = if((isnull(u_mttc) OR len('u_mttc')==0), U_MTTC, u_mttc) | table _time, number, dv_state, dv_priority, dv_u_category, dv_short_description,dv_assigned_to,dv_assignment_group, opened_at | where dv_assignment_group="Security" | sort - _time | sort - dv_state | dedup number      

Hi, Splunkers, I have the following token handler,   if input "Gucid_token_with3handlers" is 2 digits number, it will return as token skillexpressionLength,  if it's not 2 digits number will return itself as token Gucid_token, which works fine. now I want to add handler 3,  if 1st 3 characters are VQ_,   I want it to return itself as token Gucid_token_VQ, otherwise, it return as Gucid_token_VQ  with value * but it looks handler 3 is conflicting with handler 1. so my question is how to define the 3rd token handler to have it work together 1st and 2nd token handlers without conflict?    the following is the input token definition with 3 token handlers. <input type="text" token="Gucid_token_with3handlers" searchWhenChanged="true"> <label>Gucid/UUID/SID</label> <change> <eval token="Gucid_token"> if(match(value, "^[0-9][0-9]?$"),"", value)</eval> <eval token="skillexpressionLength">if(match(value, "^[0-9][0-9]?$"),value, 0)</eval> <eval token="Gucid_token_VQ">if(substr(value,1,3)=="VQ_"),value, *)</eval> </change> <default></default> </input>   then I used the following search  clause with  $Gucid_token_VQ$ | search VQ = $Gucid_token_VQ$   then this search panel showing :   search is waiting for input.   thx in advance.   Kevin

Hey All, wondering if I can get some input on this. I have data coming in as JSON. The fields follow this naming convention: objects.Server::34385.fields.friendlyname = Server123 objects.Server::88634.fields.friendlyname = Server444 What I'm trying to do is to somehow rename the fields, so I omit the ::<number> after the Server part. End result is needed to be like this: objects.Server.fields.friendlyname = Server123 objects.Server.fields.friendlyname = Server444 It's worth mentioning that there are around 10k servers, so I can't list them out one by one.

Hi, I am trying to get two cols from the same table onto a line graph. Each col is an independent value, so the graph should show two lines; I do not want to consolidate the two col together. This is the Search SPL I am using to pull data: ------graph 1------- mstats avg(_value) prestats=true WHERE metric_name="cpu.system" AND "index"="em_metrics" AND "host"="ABC" AND `sai_metrics_indexes` span=10s timechart avg(_value) AS Avg span=10s fields - _span* ------graph 2------- mstats avg(_value) prestats=true WHERE metric_name="memory.used" AND "index"="em_metrics" AND "host"="ABC" AND `sai_metrics_indexes` span=10s timechart avg(_value) AS Avg span=10s fields - _span* As you can see, almost everything is the same besides the metric_name. I am trying to get both metric_name data's onto one graph. I tried to combine both metric_name into one by adding another AND statement, but it won't work. Thanks in Advance!