I have two Splunk queries 1 and 2 below, and both have one common email. I want the searched emails generated from the result, which are the email variable, to be able to send an alert notification based on the search result generated email. I need the common value to have the field with matching values in both queries, which is the email, then be able to send an email alert notification. Query-1 index="aws-cloudtrail" eventName="AssumeRoleWithSAML" |fields * | spath "requestParameters.roleArn" |search "*super*admin*" | rex field=responseElements.subject "(?<Email>[a-zA-Z0-9]{1,8}@digitlogs.com$)" | search Email=* | table Email,"recipientAccountId" | dedup Email, "recipientAccountId" Query-2 index="okta" displayMessage="Authenticate user with AD agent" | rename target{}.alternateId as email | eval my_ponies=mvindex(email, -3, -2) | eval Email=mvindex(email, 0) | eval email=mvindex(email, 1) | table Email email Here are the two of them; any input will help.
The env was on 8.2.7.  the environment has 3 Node Search Head Cluster. Nodes upgraded from version 8.2.7 to  9.0.2. Post upgrade for one  SHC member the kvstore status was  DOWN.  
Hi  I am not having much luck. I want to find all schedule reports and alerts that use a specific index (e.g. index=foo) or the name contains a keyword (e.g. fooBar). I tried the _audit index     index=_audit search = *"index=foo"* OR savedsearch_name=*fooBAR* provenance=scheduler | stats values(savedsearch_name)      I get some of the alerts (hopefully "provenance = scheduler" means it is scheduled) but I was looking for a better way, maybe with >>  |rest      | rest /servicesNS/-/search/saved/searches | table title,triggered_alert_count,search, cron_schedule,alert_type,alert_condition | rex field=search "index=(?<indexName>.[^\s]+)" | search indexName=foo     However I am not having much luck getting alerts that contain "index=foo" in the search field. Any advice appreciated. Thank you
Hi, I am not sure if this is possible or not in a Splunk classic Dashboard, but if it is, it would make the user experience much better for the Dashboard that I am trying to design. I have 2 panels within my dashboard. Once the user enters the text in the search box and presses submit, the results are displayed in a table format in rows. The results have several columns: _time operation_id location account_number What I would like to have is, for each row of data, a specific field, the operation_id, be selectable like a check box beside the field value. Typically, I expect the user to select 3-5 rows at a time. Once the user selects the rows of interest, I would like the selected rows' operation_id to be used in the second panel within the Dashboard to provide a different search and display its results. Each operation_id in the first panel is unique, so there will be 3-5 operation_id selected. I am aware you can pass a token from the first to the second panel, but I am struggling with how to create a check-box beside each result row, so that it can be selected by the user to furnish the operation_id into the second panel (rather than copying and pasting each operation_id). Any input on how to achieve such an interactive Dashboard would be appreciated.
I have a current time query: | makeresults | eval clock = strftime(now(), "%H:%M:%S") | eval timestamp = strftime(now(), "%+") | table clock,timestamp for a single value item on my dashboard. I would like it to be refreshed every second. I would like this to be a "clock" on my dashboard to display the current time. How can I do this? Thanks, eholz1    
Upgraded Splunk Enterprise to v9.0.2 in a single instance deployment. The CIM app is currently running version 5.0.2 and I am receiving the following error below. I cannot seem to pinpoint what the issue is and where to start. Any help would be appreciated! Unable to initialize modular input "relaymodaction" defined in the app "Splunk_SA_CIM": Unable to locate suitable script for introspection.
Hey gents, I am very new to Splunk, but does anyone have an idea why my search from datamodel=authentication is not getting older events (say the last month or two)? Below is my search string: | tstats prestats=true summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.app=win* Authentication.action=* by _time, Authentication.action span=10m | timechart minspan=10m useother=true count by Authentication.action Any suggestion would be so much appreciated! Cheers
I have this dataset in Splunk. I am trying to see only the events where "firstSeen" is within the last 7 days. I tried | where firstSeen<7d but that didn't work either. state Age dnsName firstSeen ip lastSeen severity pluginID open 32.49 28-Nov-22  28-Nov-22  10.102.10.1 29-Nov-22 informational 10180 open 1 Cat  28-Nov-22 10.102.1.23 29-Nov-22 informational 11219 open 34.06   22-Nov-22   29-Nov-22 informational 19506 open 5.6 Dog  23-Nov-22   28-Nov-22 informational 168007 open 22.65 Lion 6-Nov-22   28-Nov-22 informational 166958 open 31.64 tiger 28-Oct-22   28-Nov-22 informational 166602 open 120.63 giraf 25-Nov-22   28-Nov-22 informational 163588 open 68.47 leap 21-Sep-22   28-Nov-22 informational 163489 open 68.47 big dog 21-Sep-22   28-Nov-22 informational 163488
I use the mvzip command: index=main sourcetype="ms.356" | eval nested_payload=mvzip(mvzip(flaw, solution),answer) | eval nested_payload=split(nested_payload,"--") | eval flaw=mvindex(nested_payload,0) | eval solution=mvindex(nested_payload,1) | eval answer=mvindex(nested_payload,2) | table flaw solution answer When I use the above command I get all 3 field values in the flaw field separated by commas instead of in their own fields. What am I doing wrong?
I have 2 sourcetypes, sourcetype="source1" and sourcetype="source2". This is how the sample data looks: source1: CID,Cname,CData Source 2: CID,key,FName,LName Here the values of CID of source 1 and key of source 2 will be the same. Even though CID will be present in source 2, it will have a different value. I need to write a query so that when CID (source 1) = key (source 2), it fetches all other fields from source 1 and source 2 and displays them in a table. Any suggestions would be appreciated.
Hi, how to extract the field "alert" with the field name action. help with the regex.. Thanks.
Hi! I'm starting with Splunk, so I really appreciate some help because I've been stuck for several weeks. I have a CSV file whose source is DB2. When I search in Splunk with the same query as in DB2, I can see I'm getting duplicated information in Splunk. Example: in DB2 my query is select * from table where field=value and in Splunk I'm doing ((index="index1")(sourcetype="csv")(source="file.csv")) | where field="value" | table field1 field2 field3 field4 Does anyone know what is happening or how I can solve this? I really don't want to use dedup because I may not be able to see how the data is changing day after day.
Hi Folks, I have the following issue on my Cluster Master when trying to create an index via Cluster Master and push the bundle: [Critical] In index 'oxxion': Failed to create directory '/opt/indexes_frozen/oxxion' (File exists) I have been unable to identify what the issue is. Does anyone have an idea on how to resolve this? Thanks in advance!
After updating to unprivileged mode (because privileged is being deprecated), we are getting access denied issues when running some commands. For example: "phenv ibackup --setup" So far, the issues seem to be with commands that relate to Postgres. How are we supposed to run unprivileged, but complete admin tasks? Note: If I run the commands as root, I get this error: "CommandError: This command must be executed by user phantom." Thanks!
Hello everybody! My standalone SH Storage Engine did not migrate to WiredTiger after upgrade to Splunk 9.0.2.  I then followed these steps: https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/MigrateKVstore Migrate the KV store after an upgrade to Splunk Enterprise 8.1.* or 8.2.* in a single-instance deployment Stop Splunk Enterprise. Do not use the -f option. Open server.conf in the $SPLUNK_HOME/etc/system/local/ directory. Edit the storageEngineMigration setting to match the following example: [kvstore] storageEngineMigration=true Save the server.conf file. To begin the migration, use the following command: splunk migrate kvstore-storage-engine --target-engine wiredTiger Starting KV Store storage engine upgrade: Phase 1 (dump) of 2: ..ERROR: Failed to migrate to storage engine wiredTiger, reason= How can I troubleshoot this further?  Thanks.  
Good morning,    I am trying to create a filter to avoid events where the user is 3 letters and 4 numbers (Not 0), f.e. FSA4568 and to avoid events at the time of entry to work for these users. I have created the filter for the user regex but I don't know how to integrate it with the time. The thing is that no events appear when the users have the structure of 3 letters plus four numbers and the time is between 7.30 and 9.30 a.m. How can I integrate it? This is the search:     (index="anb_andorra" OR index="anb_luxembourg" OR index="anb_monaco" OR index="anb_espana") source="XmlWinEventLog:Security" ((EventCode IN (4771,4768) Error_Code=0x6) OR (EventCode=4625 Error_Code="0xc000006d")) user!="*$" src!="::ffff:*" | regex user!="([A-Z]{3}[1-9]{4})" | eval timestamp = _time*1000, name = signature    
Hi everyone and thanks for any tips. The question is: can the font be changed in Dashboard Studio? More specifically, I'm trying to change the font family of a text box (markdown text). I've found this material on the topic: 1) font in beta dashboard https://community.splunk.com/t5/Dashboards-Visualizations/How-to-change-font-in-beta-dashboard/m-p/510029 which doesn't seem to work in Dashboard Studio and 2) text boxes in Dashboard Studio https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/DashStudio/chartsText So I know it is possible to change size and color, but I don't see a way of changing the font family. Thanks.
Hi All Splunk Experts. I'd like to create an alert in a certain index when the word "Finished" doesn't appear within five minutes of the word "Starting". For context, we upload a file and see the string "Started"; when we don't see the word "Finished" within 5 minutes, I'd like to have an alert. BTW, my regex knowledge is really crap. Can you help? Much appreciated, Sheldon.
I want to filter the Subject Account Name in the Event log below to those other than Admin. So I want to see the cases where this log appears outside of the Admin. How can I do it? 11/29/2022 12:23:16 PM LogName=Security EventCode=4738 EventType=0 ComputerName=dc.windomain.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=247213 Keywords=Audit Success TaskCategory=User Account Management OpCode=Info Message=A user account was changed. Subject: Security ID: S-1-5-21-4236582264-665789389-1555517817-1000 Account Name: Admin Account Domain: WINDOMAIN Logon ID: 0x59B44 Target Account: Security ID: S-1-5-21-4236582264-665789389-1555517817-1324 Account Name: aleda.billye Account Domain: WINDOMAIN
Hi All, We have the below data extracted in Splunk and the ask is: in the "Node" field we need to make the first two values one value, the next two values one value and so on, and map these values to the corresponding COUNT value. For example, in the first row in the "Node" field, we need to create three separate values of consecutive two values and map these values to the corresponding COUNT value. Expected result: COUNT              Node 682                     gol************,ser**** --------------------------------------------------------- 622                     gol************,ser**** ---------------------------------------------------------- 606                     gol************,ser**** Note: *********** is just for masking, not the requirement. Only the above format is the requirement. COUNT and Node are multi-value fields and we need single-value fields in the above format. Can someone please help me in achieving this? I have spent 2 days and am not getting the solution. Any help would be appreciated a lot. Thanks,