I have daily user login/logout data like this: date,user,action 2020-04-14 01:00:00,user1,login 2020-04-14 01:05:00,user2,login 2020-04-14 01:10:00,user3,login 2020-04-14 02:40:00,user2,logout 2020-04-14 02:50:00,user3,logout 2020-04-14 03:10:00,user2,login 2020-04-14 03:10:00,user1,logout 2020-04-14 03:30:00,user3,login 2020-04-14 04:20:00,user2,logout Users can login/logout multiple times in a day. A session closes and then new session opens. (like user2) I need to get the duration for every session and there is no session id. How can i merge this two events in one row: Login and first logout after login. Like this: login_date,logout_date,user 2020-04-14 01:00:00,2020-04-14 03:10:00,user1 2020-04-14 01:05:00,2020-04-14 02:40:00,user2 2020-04-14 01:10:00,2020-04-14 02:50:00,user3 2020-04-14 03:10:00,2020-04-14 04:20:00,user2 2020-04-14 03:30:00,-,user3 

I am new to splunk. Creating a report to count the successful and error logins to my system. The report shows the two columns but when I put the report on my dashboard, it adds two columns, span and span_days. I can't figure out how to remove those two extra columns. Any advice?

I have a search with a subsearch. I run into the limitations of the maximum results (50.000) Now Ia m trying to figure out to rebuild my search but I am stuck. Can anyone guide to the right direction? My search now :  <> index=TEST | search logger="success - Metadata:*" [ search index=TEST | search logger="Response: OK]" | fields message.messageId] | stats dc(message.messageId)</>

Hi, I am doing Boss of the SOC v1 and I stuck on question, where I need to use lookup. I imported .csv file ad here are my commands: index=botsv1 dest=192.168.250.70 src="23.22.63.114" http_method=POST | rex field=form_data "passwd=(?<passwd>[a-zA-Z]{6})" | lookup coldplay.csv Song as passwd OUTPUTNEW song   Error I get: Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.   Here I can find writeup with similar command: https://www.aldeid.com/wiki/TryHackMe-BP-Splunk/Advanced-Persitent-Threat##7_-_One_of_the_passwords_in_the_brute_force_attack_is_James_Brodsky%E2%80%99s_favorite_Coldplay_song._Which_six_character_song_is_it? I tried to run it and I received the same error.   Do you know how can I solve it? 

My sample events look like this , API logs   { location: Southeast Asia, properties: { backendMethod: GET errors: [ {some huge nested object}, {some huge nested object} ] } }   I want to search only the events with the "errors" field. If the API is successful, it does not have this "errors" field, and I don't want to search them. I have tried {baseSearch}  | where mvcount('properties.errors') > 0 , this return nothing {baseSearch}  | where mvcount("properties.errors") > 0 , returning even the events without the "errors" field {baseSearch}  | where isnotnull('properties.errors'), this return nothing {baseSearch}  | where isnotnull("properties.errors"),returning even the events without the "errors" field {baseSearch}  |  "properties.errors"=*.  ,  this return nothing I just need something simple like {baseSearch}  |  where exist(properties.errors), what is the most simple way

Can anyone please answer my questions : Are the Apps bundled by default in Splunk Cloud  upgraded at the same time as the Splunk Cloud instance is upgraded? Is it possible to prevent only Apps from being upgraded when the Splunk Cloud instance is upgraded?

Hello Splunkers ,   I want to know if we can create a timechart that will show only values when they change ..If  there is a change in field value Below is the timechart of events every minute 2022-12-12 20:41:00 IDLE 2022-12-12 20:40:00 ACTIVE 2022-12-12 20:39:00 FALSE 2022-12-12 20:38:00 FALSE 2022-12-12 20:37:00 FALSE 2022-12-12 20:36:00 TRUE 2022-12-12 20:35:00 TRUE 2022-12-12 20:34:00 TRUE 2022-12-12 20:33:00 TRUE 2022-12-12 20:31:00 NEGATIVE 2022-12-12 20:30:00 NEGATIVE 2022-12-12 20:29:00 NEGATIVE 2022-12-12 20:28:00 TRUE     I am looking for 2022-12-12 20:41:00 IDLE 2022-12-12 20:40:00 ACTIVE 2022-12-12 20:39:00 FALSE 2022-12-12 20:36:00 TRUE 2022-12-12 20:31:00 NEGATIVE 2022-12-12 20:28:00 TRUE     Thanks in advance!!

I was trying to join a group of documents with a list of users that I had in a lookup, and the search return me results and always works fine, but the problem its when I try to table another of the fields of the lookup. The search that return me one result, doesn't return me nothing, and I cant understand why, cause the table doesn't should affect the results or the search.   Even I try to change the name or different things like list the lookup and search the documents, but simply doesnt work     this is when I try to table "Nombre", the search doesn't return results But this is exactly the same search and if I dont put the field "Nombre" , return me results       this is the lookup, and if I search the document that match in the join, I see that effectively have the field "Nombre"   In all the searches have a range of 7 days ago,  

Hi, I am new to splunk and have a requirement where i have to search the logs which are on 100 servers and i have to figure if each log may consist 2 statements as below ex: "started step1" "started step2" source of log contains actual name of source where i can check the step (location of log /test/test1/ABC.log ,/test/test1/CDE.log,/test/test1/DEF.log) which i figured out based on rex command (using regex)  I want a table which contain for each log how many step are completed. like: ABC      started step1  started step2 CDE    started step1 DEF    started step1 started step2

Hello Splunkers. I need help regarding a field with multiple values that must be separated. I have the following log in the following format: PostureReport Policy_Umbrella;Passed Policy_DLP;Passed Policy_Kaspersky;Passed Policy_Domain;Passed Policy_SCCM;Passed Police_Firewall_Windows;Failed Policy_Crownstrike;Passed I need to separate every Policy with your status. I tried to use mvindex, mvjoin and them separate the events, mvexpand, but none of these worked for me.   Thank you.