Im trying to get the following into a table and have a count of the successful attempts. I have tried a few ways, but still am lost. below are my 2 attempts: Ex1: (index="sfdc" sourcetype="sfdc:loginhistory" eventtype="sfdc_login_history" LoginType="SAML Sfdc Initiated SSO" app="sfdc" action=success)  OR (index="microsoft" (sourcetype="azure:aad:signin" eventtype="azure_aad_signin" app="windows:sign:in" action=success) OR (sourcetype="azure:aad:user" jobTitle!=null)) | eval login=case((sourcetype=="azure:aad:signin" AND eventtype=="azure_aad_signin"), "windows", (sourcetype=="sfdc:loginhistory" AND app="sfdc"), "salesforce") | table displayName  mail jobTitle officeLocation eventtype Ex2: index=microsoft (sourcetype="azure:aad:user" givenName="***" surname="***" jobTitle!="null" officeLocation!="null") OR (sourcetype="azure:aad:signin" eventtype="azure_aad_signin" app="windows:sign:in" action=success)    | stats  count by displayName  mail jobTitle officeLocation     | rename  displayName AS "Display Name" mail AS Email department AS Department jobTitle AS "Job Title" officeLocation AS Branch    | fields  - count     | sort  + Display Name EX3: index=microsoft (sourcetype="azure:aad:signin" eventtype="azure_aad_signin" app="windows:sign:in" action=success) OR (sourcetype="azure:aad:user" givenName="***" surname="***" jobTitle!="null" officeLocation!="null") | eval joiner=if(sourcetype="azure:aad:signin", action, displayName) | stats values(action) as action by displayName mail jobTitle officeLocation | rename displayName AS "Display Name" mail AS Email department AS Department jobTitle AS "Job Title" officeLocation AS Branch | sort + Display Name What I'm trying to achieve here is to have a table listing the following Display Name | Email | Job Title | Branch | Windows Logon Attempt* | Sales Force Login Attempt* Windows Logon Attempt* | Sales Force Login Attempt* - is the part that I get stuck and can't seem to populate the list from the following index and srctype. Ex2 and 3 is without Salesforce (which I can live with ). If you can help he with Ext3 that will be great! Any ideas from the Splunkers in here? Thanks, S

I want to strip certain results by time from my search. I eventually plen to place a dedup command between the first and second searches, however I am running into issues with the earliest and latest modifiers on search in the second search. The following 3 searches work fine and return results throughout the week:     host=x host=x earliest=-7d host=x earliest=-7d | search *     But these searches return no results: even when there are events in the listed time frame.     host=x | search host=x earliest=-7d host=x | search host=x earliest=-4d     Does anyone have any idea why? I would like to strip off search results based on time in the second search but it doesn't seem to work.

Hello, I've spent probably 8+hrs now trying to debug how to get SSL certificates working with splunk web and finally got it working, so posting this here to hopefully help someone in the future. Using these links as a reference: https://docs.splunk.com/Documentation/Splunk/9.0.2/Security/Turnonbasicencryptionusingweb.conf https://docs.splunk.com/Documentation/Splunk/9.0.2/Security/HowtoprepareyoursignedcertificatesforSplunk The hardest part was figuring out how to use the certificates provided by certbot into a format that splunk recognizes. The following steps ended up working: 1) Create /opt/splunk/etc/system/local/web.conf by copying /opt/splunk/etc/system/default/web.conf and change the line "enableSplunkWebSSL = false" to "enableSplunkWebSSL = true" 2) Install and configure certbot to obtain certificates as needed. They'll be in /etc/letsencrypt/live/$my_domain/ instead of /opt/splunk/etc/auth/splunkweb/ and they're not in a format that splunk can use. 3) The second link above gives some guidance on how to prepare the certbot certificates to the format that splunk needs them, which should be: server certificate private key CA certificate To do this, I'm creating the following certbot post renewal hook script: /etc/letsencrypt/renewal-hooks/post/splunk.sh #!/bin/bash #change this my_domain variable to match the domain you are using my_domain=XXXX src_path=/etc/letsencrypt/live/$my_domain dst_path=/opt/splunk/etc/auth/splunkweb cat $src_path/cert.pem $src_path/privkey.pem $src_path/fullchain.pem > $dst_path/cert.pem cat $src_path/privkey.pem > $dst_path/privkey.pem chown splunk:splunk $dst_path/cert.pem $dst_path/privkey.pem chmod 600 $dst_path/cert.pem $dst_path/privkey.pem /opt/splunk/bin/splunk restart #EOF And make the script executable: chmod +x /etc/letsencrypt/renewal-hooks/post/splunk.sh 4) Since you've already renewed the certificate with certbot, you can run the script directly: /etc/letsencrypt/renewal-hooks/post/splunk.sh The script should run automatically whenever certbot renews your certificate