All Topics

Good afternoon! The infrastructure command gave me permissions so that I can add a dashboard tab to my application. I can't find where it's done. Please advise.
Hi, I have used eval with multiple if conditions and it's failing. Kindly help.

    source = "2access_30DAY.log"
    | eval new_field = if(status==200, "I love you Suman", "I love you Cloeh", if(status==403, "Suman Cloeh", "Cloeh Suman"))
    | table status, new_field

Regards,
Suman P.
Hello,

    index=_audit user=admin action=search info=granted search=*
    | table search_id search
    | replace "'search *" WITH "*" IN search
    | replace "*'" WITH "*" IN search

I extracted the following result with this command:

    search_id   search
    [ID1]       [SPL1]
    [ID2]       [SPL2]
    [ID3]       [SPL3]

I want to extract the count of the search field by re-searching:

    search_id   search   count
    [ID1]       [SPL1]   [SPL1-count]
    [ID2]       [SPL2]   [SPL2-count]
    [ID3]       [SPL3]   [SPL3-count]

I'd appreciate it if you could help me.
Hi, I wrote an eval command and it's not working. Kindly help.

    source = "2access_30DAY.log"
    | eval "new_field" = case('status'=200, 'Suman and Cloeh are best couple')
    | table "status" "new_field"

Regards,
Suman P.
What is the best way to validate that all data from an indexer has been uploaded to SmartStore?
Hi experts, by any chance has anyone integrated NiFi with Splunk using the httpinvoke processor? For this testing I'm generating a self-signed cert using OpenSSL to test HTTPS from Splunk. Where do I generate my self-signed certs and CA? Should I follow this link? https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/Howtoself-signcertificates I'd appreciate any help or resource which I can reference.
Hi, we have a custom TA to collect some logs from a Windows Server. This morning I just noticed that Splunk is actually swapping day and month. Note: the time difference is from a different time zone; that shouldn't be a problem.

For example:

    1/11/22 9:59:30.447 AM    Src1 [01/11/2022 08:59:30.447]
    1/11/22 9:59:30.447 AM    Src1 [01/11/2022 08:59:30.447]

It was working before the event time turned to 01/11/2022 00:00:00. Last logging:

    11/1/22 12:59:30.548 AM    Src1 [31/10/2022 23:59:30.548]

Our props.conf looks like below:

    DATETIME_CONFIG =
    LINE_BREAKER = ([\r\n]+)
    TIME_FORMAT = %d/%m/%Y %H:%M:%S
    MAX_TIMESTAMP_LOOKAHEAD = 125
    SHOULD_LINEMERGE = false
    TIME_PREFIX = Src1\s+\[

Any suggestion will be appreciated. Thanks.
I'm trying to get data in from a server via a PowerShell script. I have another app already doing something similar on the same server, but for some reason (that is driving me up the wall) I constantly get the error:

    ERROR Executing script=. "$SplunkHome\etc\apps\vmwareinventory\appserver\static\vmguests.ps1" for stanza=VMWare-Guests failed with exception=The system cannot find the path specified.

I have checked and double-checked the spellings and the system variables (for Splunk_Home), renamed the files and the directories, and still it comes up with this error. I have followed the instructions from the Splunk documentation to the letter and still the error persists.

This is my input stanza:

    [powershell://VMWare-Guests]
    script = . "$SplunkHome\etc\apps\vmwareinventory\appserver\static\vmguests.ps1"
    schedule = 30 0 * * *
    sourcetype = vm:inventory
    index = vmware
    disabled = false

Can someone please tell me why this would be happening with this script but not others on the same server?

TIA
Hello everyone, I am trying to configure Splunk Security Essentials, but it is completely blank. When I click on Data Inventory the whole page is completely blank, with only the title "Data Inventory" showing. Has anyone come across this before, or might know how to troubleshoot it? I have tried updating the app, but that didn't do anything.
I need to be able to split multiple fields that have a delimiter of "|#|". The field name will differ depending on the log. Is there a way to do a mass split using props.conf or transforms.conf? Is there a way to do this without having to write an eval statement for every single field that may come?

Example log:

    time=XXXX,src_ip="123.123.123.123|#|234.234.234.234|#|",user="foo1|#|foo2|#|foo3"......

I want to split src_ip and user.
Please help... The 1st search query is where I get a value from the result (the value can be in any 1 of 3 fields):

    index=index1 | table SQ1-user SQ1-field1 SQ1-field2 SQ1-field3

    SQ1-user   SQ1-field1   SQ1-field2   SQ1-field3
    john       null         null         apple
    jane       null         orange       null
    doe        banana       null         null

From that value, I want to check whether it exists in another search query (the value can be in any field):

    index=index2 | where ANY_FIELD=SQ1-field1 OR ANY_FIELD=SQ1-field2 OR ANY_FIELD=SQ1-field3

    SQ2-ID   SQ2-field1   SQ2-field2   SQ2-field3
    001      null         apple        null
    002      banana       null         null

If it exists in the second query, I want to have a new field in my first query that gives the ID of where it was found, or "NOT FOUND":

    SQ1-user   SQ1-field1   SQ1-field2   SQ1-field3   (NEW FIELD) SQ2-ID
    john       null         null         apple        001
    jane       null         orange       null         NOT FOUND
    doe        banana       null         null         002
In my dashboard I need to add multiple custom URLs, but Drilldown only allows me to add one custom URL. Is there any way I can use XML to add more custom URLs? Below is my XML code.

    <row>
      <panel>
        <table>
          <search>
            <query>index="main" sourcetype="cisco.json" findings{}.issue_type=* findings{}.cwe_id=* findings{}.severity=*
    | table findings{}.severity findings{}.cwe_id findings{}.issue_type findings{}.flaw_details_link
    | rename findings{}.severity as Severity1, findings{}.cwe_id as CWE_ID1, findings{}.issue_type AS Name1, findings{}.flaw_details_link AS "More_Info"
    | eval Severity = mvdedup(Severity1)
    | eval CWE_ID = mvdedup(CWE_ID1)
    | eval Name = mvdedup(Name1)
    | eval "More Info" = mvdedup(More_Info)
    | table Severity CWE_ID Name "More Info"</query>
            <earliest>$field1.earliest$</earliest>
            <latest>$field1.latest$</latest>
            <sampleRatio>1</sampleRatio>
          </search>
          <option name="count">50</option>
          <option name="dataOverlayMode">none</option>
          <option name="drilldown">cell</option>
          <option name="percentagesRow">false</option>
          <option name="refresh.display">progressbar</option>
          <option name="rowNumbers">false</option>
          <option name="totalsRow">false</option>
          <option name="wrap">true</option>
          <drilldown>
            <link target="_blank">https://downloads.cisco.com/securityscan/cwe/v4/xmla/78.html</link>
          </drilldown>
        </table>
      </panel>
    </row>
After a fresh install of Splunk 9.0.1, splunk CLI commands (for example 'add oneshot') report the following warning message:

    WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.

This warning was not seen on prior releases of Splunk (8.2.x). Also, this warning message did show up on 'splunk start' after the fresh install. Looks like this warning message is a bug in 9.0.x for a fresh install/start of Splunk.
I am currently attempting to build a new command. This command includes code from the msgspec Python package. Within the package is a C library which is referenced as a module by the other functions of the package. Testing on my Splunk Ubuntu server with base python3 versions 3.6, 3.7, 3.8, 3.9, and 3.10, this package works without issue. When I attempt to run the same package reference from a Python script called via the Splunk command line, I receive an error. Given that I can successfully run a test script from the same <app>/bin directory as my Splunk commands using the same modules, is there anything in Splunk's use of the Python interpreter that would prevent Splunk from using Python's built-in C-extension library?

Error code example: _core --> reference: https://github.com/jcrist/msgspec/blob/main/msgspec/_core.c

    Successfully created new dispatch directory for search job. sid=b762c107adc97090_tmp dispatch_dir=/opt/splunk/var/run/splunk/dispatch/b762c107adc97090_tmp
    10-31-2022 13:33:02.556 INFO ChunkedExternProcessor [782335 searchOrchestrator] - Running process: /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/<app>/bin/<base_script>.py
    10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: Traceback (most recent call last):
    10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: File "/opt/splunk/etc/apps/<app>/bin/<base_script>.py", line 14, in <module>
    10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: from <parse_script> import <parse_function> as <function>
    10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: File "/opt/splunk/etc/apps/<app>/bin/lib/<parse_script>.py", line 3, in <module>
    10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: from msgspec.json import encode, decode
    10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: File "/opt/splunk/etc/apps/<app>/bin/lib/msgspec/__init__.py", line 1, in <module>
    10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: from ._core import (
    10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: ModuleNotFoundError: No module named 'msgspec._core'
    10-31-2022 13:33:02.685 ERROR ChunkedExternProcessor [782335 searchOrchestrator] - EOF while attempting to read transport header read_size=0
    10-31-2022 13:33:02.708 ERROR ChunkedExternProcessor [782335 searchOrchestrator] - Error in '<command>' command: External search command exited unexpectedly with non-zero error code 1.
Hi, I am new to Splunk. Can you please let me know where I can find documentation/user manuals about using Splunk to manage assets? My Splunk access at my workplace has a "splunk List Viewer" and an "Asset Information" page. I would like to learn how to set up each field and how to update my assets. Thank you! -tom
I want the x-axis values to have different static colors. How do I customize this?
Hi! I have a tgz file with a Splunk add-on developed by my coworkers. I created a trial instance of Splunk Cloud and would like to install (upload) this add-on from the file, with the intention of making some modifications for my POC. Unfortunately, I can't locate a place to install or upload a new add-on (see the attached screenshot). Please help me find it.
Hi folks, I want to monitor the CloudWatch metrics of a single EC2 instance. How do I monitor metrics for just a single instance? I tried the Splunk AWS add-on but I couldn't configure my AWS account. The problem is that while using Data Manager it is giving the results for all the running instances, but I need to monitor just a single instance. Thanks in advance.
Hi, currently I am using Splunk version 8.1.2, and I would like to know the OpenSSL version which is used in this Splunk version. So I ran 2 commands to find out the OpenSSL version, but I am getting 2 different results from these commands. Which one do I need to consider?

    1. splunk@splunkidx$ ./splunk/bin/splunk cmd openssl version
       OpenSSL 1.0.2w-fips  9 Sep 2020

    2. splunk@splunkidx$ openssl version
       OpenSSL 1.1.1k FIPS  25 Mar 2021
Hi, can we concatenate a string with a number using eval with the '.' operator? I got to know that from a video, but when I do it, I am able to do it. I don't know what is going on. Kindly help.

Regards,
Suman P.