Hi All, I'm pretty new to Splunk so forgive me if this is an easy question. I'm trying to figure out how to a) search for an event and then b) search for different events that happened before/after the event. For example, I want to search failed logins for a certain account, and then try to find other login events for that host 5 mins before and after. I can figure out how to search for the events individually, but don't know how to combine them and then format them into something like a table. So my first search would be: index="wineventlog" EventCode=4768 Result_Code=0x6 And the second search would be based on the first search, but for a different event code: search index="wineventlog" EventCode=4624 | "filter by the results of the first search 5 mins before/after each event" Eventually I'd want to get to a table similar to this: Time                                  Event                                  Supporting Events Jan 18 @ 10:01am    Event 1                               Jan 18 @ 10:03am              Event 1a                                                                                          Jan 18 @ 10:02am              Event 1b Jan 17 @ 7:33am       Event 2                              Jan 17 @ 7:35am                 Event 2a                                                                                         Jan 17 @ 7:32am                 Event 2b ect...etc... Thanks!

I have a report index IN (proxy) src_ip=* |eventstats sum(sbimb) as Totalsbimb, sum(sbomb) as Totalsbomb by src_ip | search (sbimb > 300) OR (sbomb > 20) OR (Totalsbimb > 500) OR (Totalsbomb > 10) | sort -sbomb Tried top but can only get one or the other and I need to pass dest,totalsbomb and totalsbimb with the top event.  I keep finding ways to get one but not the other. I am tring to get a table with src_ip, dest, sbimb(for dest) sbomb (for dest) totalsbomb and totalsbimb for src_ip .  query takes too long to run twice with append. 

I'm creating a dashboard that lets users input a comma delimited list of CVE's to search for.  I'm trying to display a table that shows the number of times each CVE was found.  I know how to display the number if the CVE was in the data but I'm struggling to find out how to display 0 for CVE's that aren't in the data. I have a base query that uses tstats (since it runs against a data model) and I can run any additional SPL off the base query in the table panel.   The base query looks like this   <form> <label>Vulnerability Distribution</label> <init> <set token="tok_query">base</set> </init> <search> <query>| makeresults count=1 | eval Vulnerabilities.cve=if("$cves$"=="*",null(),split($cves|s$,",")) | format | eval search=if(search=="NOT ()","","AND ".search) </query> <done> <set token="tok_query">$result.search$</set> </done> </search> <search id="base"> <query> | tstats latest(Vulnerabilities.cve) as cves latest(Vulnerabilities.Vuln_Mgmt.vulnerability_name) as vulnerability_name max(Vulnerabilities.Vuln_Mgmt.age) as age `vm_datamodel_default_filter` $tok_query$ by Vulnerabilities.Vuln_Mgmt.dest_ip,Vulnerabilities.Vuln_Mgmt.vulnerability_id | rename Vulnerabilities.Vuln_Mgmt.* as * </query>       the vm_datamodel_default_filter macro just has our normal filters (i.e. WHERE severity > 3 AND status=open...) The panel query that shows the count for CVE's it found looks like this:       <panel> <title>Vulnerability Distribution</title> <table> <search base="base"> <query>| stats latest(cves) as cves dc(dest_ip) as vulnerable_assets by vulnerability_id</query> </search> </table> </panel>       I just can't figure out how to get the table to include 0 for CVE's not found. Any help would be greatly appreciated

Recently we needed to update the Client Secret for one of our tenants and I wanted to ask what is the most efficient way of tracking what the token expiry date is  and to create an alert in Splunk? I had a look at the logs and couldn`t find anything to indicate when the access token is about to expire.

Regarding Federated search: Is the only authentication option username and password? We use SSO on the remote search head (LDAP/Reverse Proxy) which would be preferable. Why do you need to explicitly define each remote index on the FSH? Why don’t Splunk allow you to enable all indexes and save the effort of having the maintain the list

My data looks like the following  student_id browser_id guid datetime x_id 12_a Chrome_2 1122 1/9/23 14:45 788a 13_a Chrome_4 1213 1/12/23 19:13 33b 14_a Chrome_3 1422 1/13/23 1:42 24c 15_b FireFox_1 1289 1/16/23 15:46  12d 12_a Chrome_2 1132 1/11/23 21:50 788a Ideally, we shouldn't have different guids given same student_id, browser_id and x_id. I am trying to find all those student_ids who violate this rule aka student_ids with same browser_id and x_id but different guid. So for the above, I'd like to see something like -        12_a Chrome_2 1122 1/9/23 14:45 788a 12_a Chrome_2 1132 1/11/23 21:50 788a       I am trying -        index="main_idx" app="student_svc" | stats count by student_id browser_id guid datetime x_id | where count > 1 | stats list(count) by student_id       But it doesn't seem to be yielding the result. What should be the fix? Thanks