Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi all, I need some help sorting an eval field by one of its components, per below.

  ... | eventstats count(ID) AS countID by severity, name
      | eval name_count=name." (".countID.")"
      | stats values(name_count) AS Signatures count by severity

This gives me something like...

  severity    Signatures
  Critical    asig0 (34)
              bsig1 (2)
              csig2 (76)
  High        asig3 (1)
              bsig4 (23)
              csig5 (22)

What I want...

  severity    Signatures
  Critical    csig2 (76)
              asig0 (34)
              bsig1 (2)
  High        bsig4 (23)
              csig5 (22)
              asig3 (1)

Is there any way I can sort the Signatures column by the values in the countID field? Thanks in advance!
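One way to get that ordering, as an added example and not part of the original post: `values()` deduplicates and sorts its output lexicographically, which is why the Signatures column comes out alphabetical. `list()` keeps rows in the order they arrive, so sort by countID first and then aggregate with `list()`. The leading `...` stands for the poster's base search, which is not shown.

```spl
... | stats count(ID) AS countID BY severity, name
| sort 0 severity, -countID
| eval name_count=name." (".countID.")"
| stats list(name_count) AS Signatures, sum(countID) AS count BY severity
```

`sort 0` lifts the default 10,000-row cap on `sort`. `sum(countID)` reproduces the per-severity event count that the original `count` gave (events with a non-null ID), since the first `stats` has already collapsed the events to one row per severity and name. If the same name can appear under several severities, keep `name` in the `BY` clause of the first `stats` exactly as shown so the counts stay per severity.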
Hi, I'm trying to extract the string "domain.com" from <mail@domain.com>. How can I extract the string between "@" and ">"? Thx
Hi, I am using a Palo Alto firewall. I am getting firewall logs on a syslog server, monitoring those logs and forwarding them to the indexer and to the search head. I want to exclude events from a particular src_ip from indexing, as the source is generating a high volume of logs and consuming my license. How do I exclude these events? Please let me know. Thanks
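Dropping events before they are indexed is done with a props.conf/transforms.conf pair that routes matching events to the nullQueue. The fragment below is an added example, not part of the original post. The sourcetype name `pan:log` and the IP address 192.0.2.10 are assumptions: use the sourcetype your syslog input actually assigns to the Palo Alto feed and the real source address.

```ini
# props.conf
# Place this on the indexers (or on a heavy forwarder in front of them).
# A universal forwarder on the syslog server cannot apply TRANSFORMS,
# so putting it there has no effect.
# Sourcetype name is an assumption; use the one your input assigns
# before any sourcetype rewriting the Palo Alto add-on performs.
[pan:log]
TRANSFORMS-drop_noisy_src = drop_noisy_src

# transforms.conf
# Palo Alto syslog lines are comma-separated. Anchoring on the commas on
# both sides stops the pattern from matching inside a longer value, but
# it still matches the address in any column (src, dst, NAT addresses).
# Tighten the regex to the exact column if that distinction matters.
# 192.0.2.10 is a placeholder address.
[drop_noisy_src]
REGEX = ,192\.0\.2\.10,
DEST_KEY = queue
FORMAT = nullQueue
```

Restart splunkd on the instance that received the change and confirm the stanza is picked up with `splunk btool props list pan:log --debug`. Events sent to the nullQueue are discarded and do not count against the license, but they are also gone for good, so check that nothing downstream (for example a notable event or a compliance retention rule) depends on traffic from that host before enabling it.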
I have 4 Single Values that show different values, and I want to be able to click on each of them and then bring up a table below showing my information. I currently have this set for one of the single values, which shows the number of failed MFA challenges. So when that value is clicked, a table opens up to display the account id, email address, another id number and a timestamp. Here is the code for the single value:

  index=keycloak "MFA" | regex _raw="MFA challenge failed" | stats count

and here is the code I have for the statistics table that opens when the single value is clicked:

  index=keycloak "MFA"
  | eval ONE="$failed$"
  | rex "account\s+(?<account>\w+)\s+with\s+email\s+(?<email>[^ ]+)\s+\w+\s+\w+\s+\w+\s+\w+\s+(?<keycloak_id>[a-z,0-9,-]+)"
  | where isnotnull(account)
  | table account, email, keycloak_id, _time

The eval ONE="$failed$" corresponds to the drilldown editor for the single value, which is as follows: On Click: Manage tokens on this dashboard; Set failed = $click.value2$
The requirement is that we have a dropdown with a list of options. One of the options is ALL. I have a search query which will try to fetch events based on the selected value. Now I want to group them by name and display an individual panel for every name in the dropdown. Example below:

  Dropdown: UAE, USA, India, Australia, UK, ALL
  Search query: index=population name=<$dropdownvalue> | timechart count sum(people) span=1d

Expectation: when I select name as UAE, the panel displays the timechart for the UAE population. However, when the option ALL is selected, I want to display 5 panels, each displaying the timechart of a specific country's population. Is that feasible? I tried searching all articles and Splunk documentation with no luck.
Hi. In my dashboard, I use a search in 2 different ways:

1) an inline search, which works fine
2) a scheduled search which is exactly the same as the inline search but which doesn't return any results, even though the search ended correctly!

NB: this search was returning results at the beginning, so it's very strange. I don't know if it's important, but when I have a look at the job inspector I have the message below:

  info : [subsearch]: Your timerange was substituted based on your search string

And what is even stranger is that when I run the search apart (that is, outside the dashboard) I also have no results! How is it possible, please? Thanks
Unable to set up the controller for a trial account.
I'm trying to get the App Agent running on a Windows ECS Fargate container. The agent installs and connects to the coordinator and registers the machine agent, but the App Agent and CLR are not discovered/registered. On a regular Windows Server instance, doing 'iisreset' usually resolves this issue. In the container startup script there is an iisreset, but it's obviously not working. I get the same result if I build/run the container locally on a Windows Server, so Fargate is not the issue.

config.xml

  <?xml version="1.0" encoding="utf-8"?>
  <appdynamics-agent xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <controller host="AppDynamicsAppHostName" port="443" ssl="true" enable_tls12="true">
      <application name="AppDynamicsAppName" />
      <account name="AppDynamicsAppAccountName" password="AppDynamicsAppAccountPassword" />
    </controller>
    <machine-agent />
    <app-agents>
      <IIS>
        <applications>
          <application path="/" site="api">
            <tier name="AppDynamicsTierName" />
          </application>
        </applications>
      </IIS>
    </app-agents>
  </appdynamics-agent>

When the container registers with the coordinator, it does NOT assign the agent to the Application Tier. As far as I can tell from logging, there are no errors or issues during install or when the container starts. What I don't understand, and what isn't discussed in the documents, is how AppDynamics determines whether the App agent is installed and where I need to check (logs/xml/config) to find any misconfiguration.
I am trying to create an alert for multiple failed logins, but my query doesn't seem to work. The alert is detailed in the image attached, and the query is:

  index="authenticate" eventType="user.session.start" outcome.result="FAILURE" | stats count by actor.alternateId

Please help correct the query.
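As an added example and not part of the original post: the query above returns one row per user with a count, so as written every user with even a single failure produces a result and the alert fires on anything at all. A "multiple failed logins" alert needs a time window and a threshold. The field names `eventType`, `outcome.result`, `actor.alternateId` and `client.ipAddress` are the Okta System Log names; the first three come from the post, `client.ipAddress` and the window and threshold values are assumptions.

```spl
index="authenticate" eventType="user.session.start" outcome.result="FAILURE"
| bin _time span=15m
| stats count AS failures,
        dc(client.ipAddress) AS source_ips,
        values(client.ipAddress) AS src_ip,
        earliest(_time) AS first_failure,
        latest(_time) AS last_failure
  BY _time, actor.alternateId
| where failures >= 5
| eval first_failure=strftime(first_failure, "%Y-%m-%d %H:%M:%S"),
       last_failure=strftime(last_failure, "%Y-%m-%d %H:%M:%S")
| sort - failures
```

Schedule the alert to run every 15 minutes over the last 15 minutes and set the trigger condition to "Number of Results is greater than 0", so that only users who crossed the threshold in that window produce a notification. `source_ips` is useful for triage: many failures from one address against one user looks like brute force, while one or two failures each from many addresses across many users is the password-spraying pattern this per-user grouping will not surface, and that case needs a second search grouped by `client.ipAddress` instead.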
I have an indexer cluster and a search head where ITSI is installed. I am planning to upgrade my Splunk environment. Do I have to take any precautions in my ITSI instance?
Hi everyone. Explaining the installation scenario and requirement first so that the question makes better sense.

Installation:
- Standalone Splunk Enterprise installed on the TEST01 server.
- Standalone Splunk Enterprise installed on the PT01 server.

Task: forward/route data from a specific folder on TEST01 to PT01. All the rest of the data should reside on TEST01 only and should be searchable there. This is a business requirement for me.

I tried adding [tcpout:PT01] to outputs.conf and _TCP_ROUTING to the [monitor] stanza for that folder on TEST01, but that ended up sending all the data from TEST01 to PT01 instead of sending just that specific data. To try a different approach I worked on adding transforms, props and outputs .conf files according to this doc - Route and filter data - but that didn't help and apparently induced some instability in the TEST01 Splunk Enterprise installation, as it was not able to stop and start correctly. Any guidance on how I can achieve this would be very helpful.
Hi team, kindly let us know which one is better for performance tuning. The dashboard is taking a long time to load.

  index=abc "DONE"

or

  index=abc myfield="DONE"
When I open the dashboard, the scripts present in the dashboard all run in the job manager. I expect the job to run only when I click the dropdown. How do I resolve this?
Dumb question I cannot find a simple answer to. If I run a simple timechart search for 7 days, 30 days or 90 days, how can I overlay the 7-day, 30-day or 90-day average line over the timechart? For example:

  index=blah sourcetype=blah filter_term=blah | timechart span=1d count as daily_count
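One way to do it, as an added example and not part of the original post: `eventstats` computes the mean of the daily buckets over whatever time range the search ran for (7, 30 or 90 days) and writes the same value onto every row, which charts as a flat reference line. `trendline` adds a trailing moving average if you want a line that follows the data instead. The search terms `index=blah sourcetype=blah filter_term=blah` are the poster's placeholders; the window of 7 for the moving average is an assumption.

```spl
index=blah sourcetype=blah filter_term=blah
| timechart span=1d count AS daily_count
| eventstats avg(daily_count) AS period_avg
| trendline sma7(daily_count) AS rolling_7d_avg
| eval period_avg=round(period_avg, 1)
```

`period_avg` is the average of the days in the selected range; `rolling_7d_avg` is the simple moving average over the previous 7 days and is empty for the first 6 points, which is expected. In a dashboard, to draw the averages as lines over column bars rather than as extra bars, set the chart option `charting.chart.overlayFields` to `period_avg,rolling_7d_avg`. Note that the first and last `span=1d` buckets are partial days when the time range does not start on a day boundary, which pulls the average down slightly; snap the range to `@d` if that matters.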
Hi, I want to use the HashiCorp Vault app to get usernames and passwords. But since my HashiCorp Vault service has a call limitation (i.e. the service will block an IP that calls the service too frequently), I want to cache the results. I could not find a way in SOAR to cache secrets. The cached secrets should be referenced by all playbooks and custom functions, without calling HashiCorp Vault again and again.
Hi, good morning. We have an SH cluster and an indexer cluster. We have received a complaint from a SOC analyst that some notable events that already existed (for example last month or a week ago) are missing now or are no longer visible on the Incident Review tab. But when we run the SPL again for that day, we get the result. When we try to search

  `notable` | search event_id="the event id of notable"

no result is found.

NOTE:
- The storage is big.
- Some notable events present last week or last month are no longer visible now or cannot be searched, but when we run the SPL for that day we get the result.

Can someone guide me on what I need to check to pinpoint the cause of this concern? I am new to Splunk.
We have two indexer servers, and one of the folders, which has frozen buckets, is taking up disk space. We need to clean them permanently and reclaim the disk space. I tried all the solutions posted but none worked. Is there any other best solution available, as we need to clean the data which is more than 2 years old?
I have a dataset with a multiline field called Logs. The field typically has values like the below:

  "mId": "Null",
  "deviceID": "a398Z389j",
  "cSession": "443",
  "cWeb": "443",
  "uWeb": "Mixed",
  "s": "Steak",
  "Ing": [
    "1-555-5555555",
    "1-888-8888888"
  ],
  "Sem": [
    "Warehouse@Forest.box"
  ]

I'd like to make it so I can identify the values within "Ing" and easily search where a specific value is in "Ing" for other events. I was able to break it out and split on the comma and then look at index number 6, but this only returns the 1st item, where in most events there are multiple (upwards of 10) items.

  | eval a = mvindex(split(Logs,","), 6)

which gives

  "Ing": [ "1-555-5555555"

Thoughts on how to get a complete list of the items in Ing?
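As an added example and not part of the original post: instead of splitting on commas and picking a position, pull out the whole bracketed `Ing` array with one `rex`, then extract every quoted item from it with a second `rex` using `max_match=0`, which makes `Ing` a multivalue field holding all the items however many there are. The leading `...` stands for the poster's base search, which is not shown; the value searched for is one of the poster's sample numbers.

```spl
... | rex field=Logs "\"Ing\":\s*\[(?<ing_raw>[^\]]*)\]"
| rex field=ing_raw max_match=0 "\"(?<Ing>[^\"]+)\""
| fields - ing_raw
| search Ing="1-555-5555555"
```

With `Ing` multivalued, `search Ing="1-555-5555555"` matches an event if any of its items equals that value, and `| mvexpand Ing | stats count BY Ing` gives a frequency table across events. If `Logs` is in fact a complete JSON object apart from the missing outer braces, `| eval logs_json="{".Logs."}" | spath input=logs_json path=Ing{} output=Ing` does the same job with a real JSON parser and is the more robust choice when values might themselves contain quotes or brackets; the `rex` version is the one that keeps working when the field is only a fragment.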
I have a search head cluster and I will have scheduled reports that send data to a summary index. I don't want other users' searches to cause this scheduled report to queue or not run. Is it possible to create a dedicated search head to run this scheduled report while the search head cluster still has access to the summary index?
Hi guys, I'm trying to create a table with the count of emails sent and emails received for a given set of email addresses:

  Column 1            Column 2          Column 3
  Email addresses     Emails received   Emails sent
  bob1@splunk.com     <Number>          <Number>
  bob2@splunk.com     <Number>          <Number>

I tried this with the append command but the results are shown one under the other. My search is:

  index=email_index Recipients IN(bob1@splunk.com, bob2@splunk.com, bob3@splunk.com)
  | stats count as "Emails received" by Recipients
  | append [search index=email_index Sender IN(bob1@splunk.com, bob2@splunk.com, bob3@splunk.com)
            | stats count as "Emails sent" by Sender]
  | table "Emails received" "Emails sent" Recipients Sender

Can anyone help me please?
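As an added example and not part of the original post: the two halves of the `append` end up on separate rows because they key on different fields (`Recipients` and `Sender`). Rename both to a common `address` field and then aggregate once more on it, and the sent and received counts land on the same row per address. The index and address list are the poster's.

```spl
index=email_index Recipients IN (bob1@splunk.com, bob2@splunk.com, bob3@splunk.com)
| stats count AS received BY Recipients
| rename Recipients AS address
| append
    [ search index=email_index Sender IN (bob1@splunk.com, bob2@splunk.com, bob3@splunk.com)
      | stats count AS sent BY Sender
      | rename Sender AS address ]
| search address IN (bob1@splunk.com, bob2@splunk.com, bob3@splunk.com)
| stats sum(received) AS "Emails received", sum(sent) AS "Emails sent" BY address
| fillnull value=0 "Emails received" "Emails sent"
| rename address AS "Email addresses"
```

The `search address IN (...)` after the `append` matters when `Recipients` is multivalued: `Recipients IN (...)` keeps any event where one recipient is on the list, and `stats ... BY Recipients` then also emits rows for the other recipients of those messages, so they are filtered back out before the final aggregation. `fillnull` turns a missing side into 0 for addresses that only sent or only received. Since `append` runs a subsearch, it is subject to the subsearch result-count and time limits; for very large mail volumes, a single pass that builds a combined `address`/`direction` pair per event with `mvappend` and `mvexpand` avoids the subsearch entirely.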