We are newer customers to the platform and are beginning our journey on implementing APM on SOC/SignalFx in the cloud. As part of that journey we are creating the base for our alerting capabilities and learning how to integrate with our AIOps solution, Moogsoft. Under Data Management when adding a new Integration I see there are options for many popular solutions for notification services, but not Moogsoft. Are there any short term plans to add this? I know Splunk Cloud already has this direct integration as we are using it, so it feels like it should be a short path to adding this to Observability Cloud as well. I know there are webhooks available to us but customizing these for things like assignee groups and priority levels for the incidents it may create appear to be lacking. Thanks in advance for any details you can share.

Hello. To help with Text Classification, we are looking to utilize the BERT machine learning model.  Has anyone had experience incorporating new ML models (like BERT) into the MLTK toolkit app? Regards, Max  

Hello. Using the eval function, trying to add a new field to the Change data model.  When I try to add the new field (ie. time_millis=_time), no results come back from my tstats query.  When I perform the same tstats query using SPL, I am able to get proper values (ie. timestamp with milliseconds).  Does anyone have suggestions on how to add new fields to an existing CIM data model?  Thanks in advance for any advice. Regards, Max    

Hi, I'm curious if anyone has a query that can help provide some insight into something I am trying to figure out.  The issue is regarding a user that was not a member of the Admin's security group on 5/6/22 but did on 6/2/22.  For the life of me, I cannot find out who added this user to that group.  I'm using the following query, but it's not providing anything meaningful.  Any help is solving this mystery is greatly appreciated. eventtype=wineventlog_security (EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764) | stats count by _time,Security_ID,EventCodeDescription,member_dn | rename member_dn as Change_Made_By        

Hello Splunk community, I need some help with the following:    I have a .csv file that is being created at a Pacific Time Zone, and the hour and date of the events I need to track are 2 separate fields in this .csv name : Date ( 09/12/2022) and "Begin Time" (06:30).  I want to table my events based on those two fields, as my time reference and not the _time  (2022-12-09T10:41:02.000-05:00 )when the file was exported to Splunk which is actually a different time zone ( eastern) What would it be the best way using those two fiels ( Date & "Begin Time") to accuratelly display the events in my .csv   thanks for your help

I have a subsearch that is used to pull user, and start and expiration time fields.  I want to use the two time fields from the sub search to be the time frame the outter search uses to pull events. I'm not familiar with how to do this. earliest=<ealiest_from_subsearch> latest=<latest_from_subsearch index=myindex sourcetype=my_st_2 <my spl> | join user [ search index=myindex sourcetype=my_st <my spl> | eval earliest = strptime(StartTime, "%Y-%m-%dT%H:%M:%S.%N") -18000, latest = strptime(ExpirationTime, "%Y-%m-%dT%H:%M:%S.%N") -18000 | fields user earliest latest user_role ] table user role failure_code failure_reason Thanks for the help and guidance.

Regex working fine in standalone splunk but not in clustered environment. 1) Indexer conponent of app-->test_log_idx having the indexes.conf and  props.conf kept at default directory with local directory empty is below.  [test:sanetiq:log] CHARSET = AUTO DATETIME_CONFIG = EXTRACT-log_level = \[\d+\]\s(?P<log_level>[^\s]+) EXTRACT-message = \]\s-\s(?P<message>.+) EXTRACT-process_name = \[\d+\]\s.+\s\s(?P<process_name>.+)\s\[ EXTRACT-sanetiq_label_type = Label\sType\s=\s(?P<sanetiq_label_type>[^\s]+) EXTRACT-sanetiq_mask_template = Mask\sTemplate\s=\s(?P<sanetiq_mask_template>[^\s]+) EXTRACT-sanetiq_print_request_id = Print\sRequest\s=\s(?P<sanetiq_print_request_id>[^\s]+) EXTRACT-sanetiq_printer_name = Printer\s=\s(?P<sanetiq_printer_name>[^\s]+) NO_BINARY_CHECK = true category = Custom disabled = false pulldown_type = true 2) UF component of app-->deployed to UF is test_log_uf having inputs.conf placed in default and local directory is empty [monitor://D:\Tab\Server\data\SanetiqLogger\*log*] index=test_log_data source=test:sanetiq:log 3) Search head component of app-->test_log_sh having same props.conf as mentioned above Sample data 2022-12-09 16:02:04,304 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method ends 2022-12-09 16:02:04,040 [2452022120993750] INFO SanetiqLogger [(null)] - Closing all documents in Codesoft Instance 2022-12-09 16:02:04,038 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins 2022-12-09 16:02:04,037 [2452022120993750] INFO SanetiqLogger [(null)] - Get Active Codesoft Instance to quit : PID - 30812 2022-12-09 16:02:04,035 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method begins 2022-12-09 16:02:04,030 [2452022120993750] INFO SanetiqLogger [(null)] - Finish Codesoft Instance PID : 30812 1 Labels printed Printer = Zebra ZM400 (203 dpi)- ABCDB362 Mask Template = DI AMBRS-IDENT REGLEMENTEE Label Type = DI IDENT REGLEMENTEE 2022-12-09 16:02:03,480 [2452022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855021 2022-12-09 16:01:56,936 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method ends 2022-12-09 16:01:56,928 [2452022120993750] INFO SanetiqLogger [(null)] - Codesoft Instance Created : PID - 30812 2022-12-09 16:01:52,127 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins 2022-12-09 16:01:50,708 [2452022120993750] INFO SanetiqLogger [(null)] - End of CheckIntegrity(string strUserMatricule) 2022-12-09 16:01:50,675 [2452022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule) 2022-12-09 16:01:50,670 [2452022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1604231 printrequest 3855021 Imported Print Requests : 1 2022-12-09 15:56:27,266 [2412022120993750] INFO SanetiqLogger [(null)] - Imported Data Lines : 1 2022-12-09 15:56:23,731 [2412022120993750] INFO SanetiqLogger [(null)] - Data Import File E:\sanetiq\sanofi\etudes\ficentree\AMBXSQP\GPAO\TPSREEL\SANIDENT.1 correctly deleted at Sanetiq.BusinessFramework.BusinessObjects.PrintModule.Loop() at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.CheckIntegrity(String strUserMatricule) 2022-12-09 15:51:26,540 [2452022120993750] ERROR SanetiqLogger [(null)] - ERROR : at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.checkPrinterAndMaskTemplateCompatibility(Printer printer, MaskTemplate maskTemplate, String strUserMatricule) 2022-12-09 15:51:26,532 [2452022120993750] ERROR SanetiqLogger [(null)] - Service Print Error2 : PrintRequest ID=3855018, Error=LABEL_FORMAT_INCOMPATIBLE 2022-12-09 15:51:26,367 [2452022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule) 2022-12-09 15:51:26,363 [2452022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1604228 printrequest 3855018 2022-12-09 15:48:58,989 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method ends 2022-12-09 15:48:58,736 [2262022120993750] INFO SanetiqLogger [(null)] - Closing all documents in Codesoft Instance 2022-12-09 15:48:58,732 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins 2022-12-09 15:48:58,728 [2262022120993750] INFO SanetiqLogger [(null)] - Get Active Codesoft Instance to quit : PID - 4340 2022-12-09 15:48:58,724 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method begins 2022-12-09 15:48:58,717 [2262022120993750] INFO SanetiqLogger [(null)] - Finish Codesoft Instance PID : 1234 1 Labels printed Printer = Zebra ZM400 (203 dpi) - BOX5 Mask Template = TICKET-PESEE-300 Label Type = Tickets BOX5 2022-12-09 15:48:58,152 [2262022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855017 2022-12-09 15:48:47,883 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method ends 2022-12-09 15:48:47,879 [2262022120993750] INFO SanetiqLogger [(null)] - Codesoft Instance Created : PID - 4340 2022-12-09 15:48:42,148 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins 2022-12-09 15:48:41,272 [2262022120993750] INFO SanetiqLogger [(null)] - End of CheckIntegrity(string strUserMatricule) 2022-12-09 15:48:41,211 [2262022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule) 2022-12-09 15:48:41,204 [2262022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1234567 printrequest 1234567 Imported Print Requests : 1 2022-12-09 15:48:40,389 [2222022120993750] INFO SanetiqLogger [(null)] - Imported Data Lines : 1 2022-12-09 15:48:40,276 [2222022120993750] INFO SanetiqLogger [(null)] - Data Import File E:\sanetiq\sanofi\etudes\ficentree\AMBXSQP\XFP\BOX5\ticpes correctly deleted at Sanetiq.BusinessFramework.BusinessObjects.PrintModule.Loop() at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.CheckIntegrity(String strUserMatricule) 2022-12-09 15:53:48,067 [2452022120993750] ERROR SanetiqLogger [(null)] - ERROR : at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.checkPrinterAndMaskTemplateCompatibility(Printer printer, MaskTemplate maskTemplate, String strUserMatricule) 2022-12-09 15:53:48,060 [2452022120993750] ERROR SanetiqLogger [(null)] - Service Print Error2 : PrintRequest ID=3855020, Error=LABEL_FORMAT_INCOMPATIBLE 2022-12-09 15:53:47,909 [2452022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule) 2022-12-09 15:53:47,905 [2452022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1604230 printrequest 3855020 2022-12-09 15:52:20,553 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method ends 2022-12-09 15:52:20,548 [2262022120993750] INFO SanetiqLogger [(null)] - Codesoft Instance Created : PID - 1556 2022-12-09 15:52:16,395 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins 2022-12-09 15:52:15,859 [2262022120993750] INFO SanetiqLogger [(null)] - End of CheckIntegrity(string strUserMatricule) 2022-12-09 15:52:15,825 [2262022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule) 2022-12-09 15:52:15,822 [2262022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1604229 printrequest 3855019 Imported Print Requests : 1 2022-12-09 15:52:14,912 [2222022120993750] INFO SanetiqLogger [(null)] - Imported Data Lines : 1 2022-12-09 15:52:14,847 [2222022120993750] INFO SanetiqLogger [(null)] - Data Import File E:\sanetiq\sanofi\etudes\ficentree\AMBXSQP\XFP\BOX5\ticpes correctly deleted 2022-12-09 15:52:30,245 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method ends 2022-12-09 15:52:29,871 [2262022120993750] INFO SanetiqLogger [(null)] - Closing all documents in Codesoft Instance 2022-12-09 15:52:29,866 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins 2022-12-09 15:52:29,861 [2262022120993750] INFO SanetiqLogger [(null)] - Get Active Codesoft Instance to quit : PID - 1556 2022-12-09 15:52:29,855 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method begins 2022-12-09 15:52:29,848 [2262022120993750] INFO SanetiqLogger [(null)] - Finish Codesoft Instance PID : 1556 1 Labels printed Printer = Zebra ZM400 (203 dpi) - BOX5 Mask Template = TICKET-PESEE-300 Label Type = Tickets BOX5 2022-12-09 15:52:29,213 [2262022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855019 2022-12-09 15:43:03,149 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method ends 2022-12-09 15:43:02,688 [2452022120993750] INFO SanetiqLogger [(null)] - Closing all documents in Codesoft Instance 2022-12-09 15:43:02,682 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins 2022-12-09 15:43:02,676 [2452022120993750] INFO SanetiqLogger [(null)] - Get Active Codesoft Instance to quit : PID - 18592 2022-12-09 15:43:02,670 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method begins 2022-12-09 15:43:02,662 [2452022120993750] INFO SanetiqLogger [(null)] - Finish Codesoft Instance PID : 18592 1 Labels printed Printer = ZEBRA 105S/Se - Fab Multi-produits - Vracs avec picto Mask Template = SHP-END Label Type = 01-Identification Vracs Int avec picto Multi-Pro 2022-12-09 15:43:00,828 [2452022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855015 1 Labels printed Printer = L_LPAMB406 Mask Template = LUNA_AMB_PREL_AC_SEP Label Type = Prélèvements AC Séparateur 2022-12-09 15:43:00,336 [2252022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855014 2022-12-09 15:42:58,512 [2452022120993750] INFO SanetiqLogger [(null)] - Print with Codesoft Instance PID : 18592 at Sanetiq.BusinessFramework.BusinessObjects.PrintModule.Loop() at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.CheckIntegrity(String strUserMatricule)

Example of issue encountering: Search one returns a row with all the fields populated | makeresults count=1 | eval tmp_field1="abc" | lookup kvstore_name field1 AS tmp_field1   Search two returns a row with most of the fields empty (even though it is a search of the same row in the kvstore - just using a different field) | makeresults count=1 | eval tmp_field2="xyz" | lookup kvstore_name field2 AS tmp_field2 What could cause the results described above? (any recommendations would be greatly appreciated)    

Hi all, I'm currently working on creating an alert for any time a user mounts an ISO. My core search works exactly as intended, but I'm having trouble creating a desired subsearch. Both searches run from the same index, but the core search will not produce the name of the workstation as it is not present in the data returned by the sourcetype in use. There is another sourcetype (same index) that does include this as a field titled "ComputerName", and there is an "ID" field that correlates between both sourcetypes. So here is my core search: index=[indexname] sourcetype=[sourcetype] [search parameters] | table EventType FileName ID IndexTime How can I build a subsearch that queries the second sourcetype by the corresponding ID value and produces the ComputerName value to add to the table? Thanks!

The documentation (9.0.2 Search Reference)  describes a function ipmask(<mask>,<ip>) that is supposed to apply the given netmask to the given IP.  Seems pretty simple, and the examples are mostly straightforward... unless you consider what a netmask of 0.255.0.244 would actually mean on the network. The more interesting problem is what you're allowed to pass to this function.  From what I can tell, the first parameter MUST be a quoted string of digits, and particularly NOT the name of a field in your data:     |makeresults 1 | eval ip = "1.2.3.4", mask = "255.255.255.0"       With these values defined, | eval k = ipmask("255.255.255.0", "5.6.7.8") works fine, k=5.6.7.0 | eval k = ipmask("255.255.255.0", ip) works fine, k=1.2.3.0 | eval k = ipmask("255.255.255.0", mask) works fine, k=255.255.255.0 (but isn't a meaningful calculation). | eval k = ipmask(mask, "5.6.7.8") does not work: Error in 'EvalCommand': The arguments to the 'ipmask' function are invalid. | eval k = ipmask(mask, ip) does not work: Error in 'EvalCommand': The arguments to the 'ipmask' function are invalid. I'm sure there's some highly technical reason why the SPL parser does not handle this fairly common case, and if there's anyone who can share that reason, I'd love to hear it. --Joe

HI, We are analyzing the Splunk product to get the Assets ( Hosts, servers, network devices etc) , Asset information like name, network interface and associated vulnerability details. We need to fetch these details with REST API. We explored all the REST API, we didn’t succeed, kindly let us know the possible ways to get Asset and associated vulnerability details using API.

Hi, looking for guidance please on how to alert on recurring auth events over multiple time spans, but I can't get my head around how to construct the search terms for example: - user account is locked out =>X per hour for =>X consecutive hours - user has =>X login failures in an hour for  =>X consecutive  hours  Hope that makes sense! TIA

I looking for someone help on this I am struggling with parsing the logs when pool was down and and send alert 5 minutes time period. Dec 8 05:18:39 servername notice mcpd[7794]: 01070727:5: Pool /FGID/server_443_pool member /FGID/load-balancer:443 monitor status up. [ /Common/tcp: up ] [ was down for 0hr:0min:16sec ] host = servernamesource = /srv/syslog/f5-logs/f5/servername/2022120805 12/8/22 5:18:39.000 AM Dec 8 05:18:39 servername notice mcpd[7794]: 01070727:5: Pool /FGID/server-pool member /FGID/load-balancer:443 monitor status up. [ /Common/tcp: up ] [ was down for 0hr:0min:16sec ] host = servernamesource = /srv/syslog/f5-logs/f5/servername/2022120805 12/8/22 5:18:38.000 AM Dec 8 05:18:38 servername notice mcpd[6928]: 01070727:5: Pool /FGID/server_443_pool member /FGID/load-balancer:443 monitor status up. [ /Common/tcp: up ] [ was down for 0hr:0min:15sec ] host = servernamesource = /srv/syslog/f5-logs/f5/servername/2022120805

Hi Team  I want to get the percentile 90 of the response time in splunk. Suppose I have the below response times. What is the query with which I can get the percentile 90 in Splunk   1.379 1.276 1.351 2.062 1.465 3.107 1.621 1.901 1.562 27.203     Please help on the same

Hello Team  I have been trying to search for this information for a while now and haven't been successful yet. Our plan is to deploy Appdynamics as a SAAS based deployment for testing purposes and test ServiceNow integration with Appdynamics and last would be Monitoring applications and VM's that are deployed on the AWS cloud.  Initially, we thought of going with the IBL APM Enterprise licenses but will that be sufficient enough. Will we be needing extra licenses to monitor applications and VM's deployed at the cloud.  We are planning to deploy 3 ESXI hosts and deploy some applications and start the monitoring from there and next step would be integrate Service now with Appdynamics, and then Monitoring applications and VM's that are deployed on the AWS cloud. If anyone can please clarify what and how many licenses should be considered here, that would be superhelpful.