This is a single server Splunk deployment. I am indexing Duo MFA logs using the official splunk app. In the "Searching and reporting" app, when I use the table command to view that data, each field is a multivalue field with the value duplicated. When I try the same search using the Duo app instead of "Searching and reporting", the fields are extracted only once as expected, not duplicated. For example... When I use the table command on this data in "Searching and reporting":     email user@example.com user@example.com       When I use the table command on this data in the "Duo" app:     email user@example.com       So this problem appears to be limited to the "Searching and reporting" app. But I'm not finding any configuration specific to "Searching and reporting" related to this app/source. For example, there is nothing in SPLUNK/etc/apps/search/local/ props.conf or transforms.conf that would affect this source. The current configuration according to the btool is coming from SPLUNK/etc/apps/duo_splunkapp/default/props.conf and is:     [source::duo] INDEXED_EXTRACTIONS = json KV_MODE = none       I also tried changing the config to this:     INDEXED_EXTRACTIONS = none AUTO_KV_JSON = true KV_MODE = json       but that just resulted in neither the "Searching and reporting" app nor the "Duo" app having extractions for this data. How do I fix this so the "Searching and reporting" app has a single set of extractions and not duplicates?

i have few orphaned searches, which i need to reassign or disable or delete it. i am not able to do any of these. 1. The orphaned searches which can see in  splunk/app/search/orphaned_scheduled_searches.............. here the sharing is in user level. but i am not able to see the same  in  settings>All configurations>Reassign Knowledge objects. when i search the alert name by selecting the orphaned i am not getting any results. 2. When i checked the owner name in internal index it is showing that user has been disabled. Now how can i reassign or disable or delete this searches. is there any chance to do via CLI. please help on this.

event is json: {message:AZK} x 10 {message:BCK} x 5 {message:C} x 3   What Im trying to get is a table to count message by values with a modified text Message AZK -  10 Message BCK -  5 C - 3   I use this: | eval extended_message= case( match(_raw,"AZK"),"Message AZK", match(_raw,"BCK"),"Message BCK", 1=1, message) | stats count as nombre by extended_message | sort nombre desc | table extended_message, nombre   I can't not get the "C" in the list to be counted the message from the JSON event is not interpreted (i don't know) Thanks for your help  

Dear All. When searching some database log as index=my_db .... I have a field named "statement"  with content as example below: The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 192.20.21.22] I need to create a new field, named IP2, with the IP address as above. In general, the rex command must look for the text between  "[CLIENT: " and "]" Your help is appreciated best regards Altin

Hi, Splunkers,    I have a timechart in dashboard.. l timechart span=1h count by VQ,    then timechart returns a graph with VQ_A, VQ_B, VQ_C with their values. I want to click these VQ_XXX  as input to reopen the dashboard.  how to pass these "count by" result as input to my dashboard?   actually, in my timechart:    l timechart span=1h count by VQ,    this VQ comes from a token.   there is a chart option below :  <option name="charting. Drilldown">$t_countby$</option>,  if  I put token  t_countby here,  then when I click VQ_A, or, VQ_B, VQ_C in my timechart,   the value passed as input is VQ， which I  selected from droplist with token t_countby,   not VQ_A, or, VQ_B, VQ_C, which I expected to pass as input.     thx in advance.   Kevin  

i currently have a query that returns what I need for a single day.   ( index=microsoftcloud sourcetype="ms:azure:accounts" source="rest*group*") OR (index=microsoftcloud sourcetype="ms:azure:accounts" source="rest*User*") | where match(userPrincipalName,"domain name") or match(userPrincipalName,"domain name") | eventstats count by id | eventstats count(eval((source="rest://MSGraph Group1 Members" OR (source="rest://MSGraph Group 2 Members") or (source="rest://MSGraph Group 3 Members") ))) as total | eventstats count(eval(source="rest://MSGraph CL Users" AND count>1)) as current | dedup total, current | eval perc=round(current*100/total,1)."%" | eval missing=total-current | rename total as "In Scope Users" | rename current as "Current Users" | rename perc as "Percent Compliant" | rename missing as "Missing" | table "In Scope Users", "Current Users", "Missing", "Percent Compliant"   I am trying to make this show me a chart over the previous month that show me the daily result of the posted query.   I have tried many "solutions" from the web, but nothing has worked.  Any help is appreciated

Hello, When analyzing web traffic logs, at times the url field does not have a http_referrer field.  We are interested in finding out which URL did the original request came from ?  There is looping involved.  THis is similar to the post:  https://community.splunk.com/t5/Getting-Data-In/Loop-through-URL-and-http-referrer-to-find-original-request/m-p/138817#M28507 In the above post, user makes use of a script which I cannot use in my environment.  How to then use the MAP command or any other command to recursively/loop thru the URL field and find out which was the original domain ? For example: index=firewall url =malicious-domain.com Actual flow of traffic: abc.com  >>> bcd.com  >>  No Http_Referrer field  >> malicious-domain.com  ( http_referrer is <empty>)  Expected result: abc.com

Hi,   I have an application(test.app) which invokes multiple downstream application apis(profile, payments etc) and we log elapsed time of every downstream call as an element of Json Array. Is it possible to plot timechart on the p99(elapsed) time of each downstream application call separately.   Sample log :      { ...... appName : test.app downstreamStats : [ { ... pathname : profile, elapsed: 250, ... }, { ... pathname : payments, elapsed: 850, ... } ] ...... }       I want to plot timechart of the above logs with p99 of elapsed time BY pathname

Any suggestions on how to rename fields and keep those fields in their stated table order. I have a bunch of fields that are attributes that are named is_XXX. I want all those fields to be on the right hand side of the table, so if I do     <search> | foreach is_* [ eval "zz_<<MATCHSTR>>"=if(<<FIELD>>=1,"","")] | fields - is_* | table entity entity_type *     it works nicely and puts the first two named fields as the first two columns, then other fields then all the zz_* fields.    However, as soon as I add     | rename zz_* as *     it changes the order and sorts all the columns (apart from the first named two) into alphabetical order. Any specifically named fields I add after entity_type persist the column order but all fields output as a result of the wildcard lose their order after the rename.