We have a Splunk UI that allows the users to export a certain set of the rows from a lookup. The caveat is that each row might produce multiple output rows with quite a complex logic. So, I wonder whether to use the mv set of functions maybe coupled with the map command or to develop a python function to do it. Any suggestions?     

Hello, We're coming from another platform that we used to keep track of incidents.  In order to keep things more consistent after the transition, we'd like to be able to have the IDs of new cases start at a higher number than the default of 1, if possible.  Is this something that can be done? I haven't seen anything in the settings or documentation. Thanks!

I have a time chart of count by field     | timechart count by field_name limit=0     I would like to divide each value in the statistics table by the mean of that field.  Current Output: Time A B 1 1 4 2 2 5 3 3 6   Desired Output: Time A B 1 0.5 0.8 2 1 1 3 1.5 1.2   I can use a `foreach` to perform an operation on every column but I am having trouble configuring a subquery within that to calculate the mean and divide by it.

I'm working on a query with the goal of determining the percentage rate of request/response event pairs that match by way of a common field value. The events share the same index, sourcetype and source; the field name, however, is different. The field in the request event is called "ID" while the field in the response event is called "InResponseTo". NOTE: The response event also contains a field called "ID" which should be ignored. Here is a sample of each type of event (note that these two events share the matching value "_907b4184-e85c-41f2-9a32-c1c735f01510")... Request:   Oct 26 17:32:29 ServerX knick.knack [10/26/22, 17:32:20:292 EDT] 00018baf id=00000000 om.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils I traceString INFO --saml20-access-policy-utilities.js - [axamf4EhUmaVjkwwd+akl10BbjbDS1vVg6YJhu2F2E8=]:[protocolContext.getAuthnRequest()] <samlp:AuthnRequest xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://xyz.com" Destination="https://foobar.com" ForceAuthn="true" ID="_907b4184-e85c-41f2-9a32-c1c735f01510"</samlp:Response>   Response:   Oct 26 17:32:29 ServerX knick.knack [10/26/22, 17:32:20:455 EDT] 00018baf id=00000000 .am.fim.saml20.types.SAML20HTTPPostBrowserResponseWriterImpl 1 getStringMessage Request XML message: <samlp:Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://dundermifflin.com" ID="FIMRSP_1635e05b-0184-1dc4-803d-f94b11a6d04e" InResponseTo="_907b4184-e85c-41f2-9a32-c1c735f01510"</samlp:Response>   The development flow: Look at all request and response events for a given timeframe. Sometimes, duplicate events show up...so they would need to be deduplicated. If the same value is found for both "ID" and "InResponseTo", that's considered a 100% success rate. Mark it as a match. The sample events provided above would be an example of this. If the same value is not found (i.e., there's a request event but no matching response event), that's considered a 0% success rate. Mark it as a non-match. Add up the number of matches and divide the sum by the total number of request events found. Multiply the quotient by 100 to determine the percentage rate. The results will be visualized using a simple line chart (timechart) showing the average percentage rate over time. I'm able to compare the overall number of requests against the overall number of responses (regardless of matching field values) to produce a percentage rate, as shown here:   index=zig sourcetype=zag samlp:AuthnRequest | timechart count as RequestCount | appendcols [ search index=zig sourcetype=zag samlp:Response | timechart count as ResponseCount ] | eval ResponseRequestRatio = round(((ResponseCount/RequestCount) * 100),2) | table _time, RequestCount, ResponseCount, ResponseRequestRatio   How would I modify this query to accommodate the additional rules? I'm guessing that some sort of count could be used to determine the percentage rate, with a "1" for matches and a "0" (zero) for non-matches.

Hi Even if i have read some documentations, i have difficulty to understand the difference between macro and eventtype I use macro essentially for index + sourcetype agregation but is somebody can clearly explaining me the difference between macro and eventtype? Thanks

Good Morning, I'm installing php agent 22.8 on oracle linux server with php 7.3 and apache webserver. When I run the install.sh command with -s -i options I am getting the following error. Script is finding version, extensions directory, ini directory. Does anyone know what that means or how to fix?  "Agent installation does not contain PHP extension for PHP 7.3" thx, M

Hi, I have the following query:   index = ABC | eval domain=mvindex(split(EMAIL_TXT, "@"), 1) | stats dc(EMAIL_TXT) AS Count_EmailAddress, values(domain) as domain values(EMAIL_TXT) as Email_Address, values(STRT_DTS) AS Start_Date by IP_ADDR | where Count_EmailAddress >1 | sort -Count_EmailAddress   I also have a lookup with a list of IPs: |inputlookup HighRiskDomain  How do I create a new field called "HighRiskIP" that would have with "Yes" or "No" values, depending on whether the IP for that given row matches an IP on the lookup?????