I am using the search depicted in the attached photo below to develop a viz in Dashboard Studio separating events by the field "bundleId". It appears to display events in the statistics table the way that I want them to. However, when I save them to a dashboard via Dashboard Studio, I get an "Invalid Date" where I want the break in events (Note - this does not happen in the "Classic" version)   How can the "Invalid date" be removed? I already attempted to eval _time=" " in the appendpipe with no success. Thank you.

I'm fairly new to Splunk and I am having some trouble grouping somethings they way I want I have some data which all have a certain ID and a multitude of other values. I want to be able to group this data if they have the same ID, but only group them in a maximum time interval of 24 hours. This I figured out pretty easily, however, the problem is I would also like to see the actual duration of events.  For example, say I have 10 or so events that all have the same ID and they occur within a 5 minute period, I'd want to group them together. I'd also like to be able to group 10 or so events that have the same ID and occur within a 23 hour period.  I've tried using bins, which groups them properly, but then it gives them all the exact same time, so I don't know how to find the exact duration. I've also tried using time charts and transactions with poor results. Does anyone have any ideas?

Hi, I'm trying to come up with a query to generate the count of strings in a json field in a log, across all events.  For example, say I have a search that displays say, 100,000 logs, with each log containing some JSON structured string [{"First Name": "Bob", "DOB":"1/1/1900", ..."Vendor":"Walmart"}] I want to generate a table that lists all the unique Vendor values, and the count of the values. Something like, Vendor | Count Walmart   5 Target       3 ToysRUs.   100 etc... Is something like this possible?

Hello Splunkers, I have followed this documentation in order to configure my Splunk on my UF as a systemd managed service : https://docs.splunk.com/Documentation/Splunk/9.0.3/Admin/RunSplunkassystemdservice  I also followed the step to make Splunk running with a non-root user, and I have check with the following command that it is indeed the case :     ps -aux | grep -i Splunk     However, it seems that Splunk is now able to read any files and folders on the machine, even no permissions or ACL were specified for the splunk user I used.  This user does not have any sudo right, so I am wondering what could be the root cause here... If I disable the systemd service and run Splunk with (as the non root user) :     /opt/splunkforwarder/bin/splunk start   Everything is working correctly and the protected files / folder are not monitored by Splunk, as excepted. I'm out of idea here! Thanks, GaetanVP      

Hi Friends, My requirement: I want to trigger SNOW ticket from Splunk alert. Before trigger I want to check any open ticket already available for that host. If already open ticket available alert shouldn't trigger. If there is no open ticket then we need to trigger alert and create SNOW ticket.  My First query:  index="pg_idx_whse_prod_events" sourcetype IN ("cpu_mpstat") host="adlg*" | streamstats time_window=15m avg(cpu_idle) as Idle count by host | eval Idle = if(count < 30,null,round(Idle, 2)) | WHERE(Idle >= 90) | table host Idle   my 2nd query:  index=pg_idx_whse_snow sourcetype="snow:incident" source="https://pgglobalenterpriseuat.service-now.com/" | rex field=dv_short_description "^[^\-]+\-(?<Host>[^\-]+)" | rex field=dv_short_description "^[^\-]+\:(?<extracted_field>[^\-]+)" | rename Host as host |table host incident_state_name | where incident_state_name!="Closed"   Now I want to validate 1st result with 2nd result and display only which host don't have open ticket. Could you please help me how to achieve this? Thanks in advance.  

Hi, I have recently got a standalone instance of Splunk on AWS and it is not fully configured yet. I am trying to set up my server.conf on $SPLUNK_HOME/etc/system/local but I cannot locate the pass4SymmKey. When I try and find it on the Splunk GUI, I receive the following:   Can you please help? Thanks

Hi, I need to index  windows server logs and blacklist all the previous year logs. Inputs.conf. [monitor://E:\application\logs\server*] disabled=0 sourcetype=_error_text index=_error_file Logs in the servers looks like below I refered solunk doc and came up with this stanza but it says only the last filter will be applied. Does it mean only 2019 blacklist regex will be applied? [monitor://E:\application\logs\server*] disabled=0 sourcetype=_error_text index=_error_file blacklist.1=^server-2021-\d{2}-\d{2} blacklist.2=^server-2020-\d{2}-\d{2} blacklist.3=^server-2019-\d{2}-\d{2}   Please suggest.

Query: index="web_app" (application= "abc-dxn-message-api" AND tracepoint= "START") (facility="d55075aaedc86d6577676605c0b5f3c0" OR "XYZ") | stats count as Input |append [search (application= "hum-message-api" AND tracepoint= "END") (facility="d55075aaedc86d6577676605c0b5f3c0" OR "XYZ") | stats count as Processed] |append [search (facility="d55075aaedc86d6577676605c0b5f3c0" OR "XYZ") "ERROR" | stats count as Error] | transpose column_name="Bundle" Current Result: 4 columns * 3 rows   Expected Result: 2 columns * 3 rows Bundle    Count Input           x Error            x Processed x