I have two streams of data coming into a HEC.  one has call direction (i.e. inbound) and the other has call disposition (i.e. allowed).  at first i was joining these streams (join), but found a great thread in the community suggesting using stats and so with some cleanup, i have something like this:   index="my_hec_data" resource="somedata*" | stats values(*) as * by id   which works great, and may not even be related to my actual question, but next I want to count by day, cool, so just timechart it, but i suppose my real question is Is that the most efficient way to count calls by day?  or should i do some higher level aggregation somehow? i don't even know if that makes sense, but if there are 2M calls a day and I go back 30d, is "counting 60M rows" the best way to display 'events per day?'

Hi folks, I'm trying to get all saved searches from my SHC and ES SH running the following SPL, but I'm unable to see the ones from my ES SH (the SPL is being run on the SHC). | rest /servicesNS/-/-/saved/searches When running the SPL appears the following message: Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability. The I tried running the following SPL and the message disappeared, however, I'm not able to see the saved searches from my ES SH.: | rest splunk_server=local /servicesNS/-/-/saved/searches   Any idea about this? Is this because of the missing capability? Am I restricted to make this search?   Thanks in advance.

I'm having issues with eventtypes not correctly being applied from VMware Carbon Black Cloud ingest that I can't figure out, as each search in the chain successfully finds events. These are the three eventtypes that chain together. The first two apply correctly (vmware_cbc_base_index, vmware_cbc_alerts), but not the third (vmware_cbc_malware). From eventtypes.conf:     [vmware_cbc_base_index] search = index=carbonblack_audit [vmware_cbc_alerts] search = eventtype=vmware_cbc_base_index sourcetype="vmware:cbc:s3:alerts" OR sourcetype="vmware:cbc:alerts" [vmware_cbc_malware] search = eventtype=vmware_cbc_alerts threat_cause_threat_category="*MALWARE*" NOT threat_cause_threat_category="*NON_MALWARE*"    When I use the search in the third eventtype (vmware_cbc_malware), I do get events. Search: eventtype=vmware_cbc_alerts threat_cause_threat_category="*MALWARE*" NOT threat_cause_threat_category="*NON_MALWARE*" | stats count by eventtype    eventtype count vmware_cbc_alerts 65 vmware_cbc_base_index 65 Can anyone help me figure out why this third eventtype is not being applied?  

I have a splunk query, in which my intention is to get all ipAddress for which "EVENT A" occurred in last 22 hours starting from 4 hours before,  but "EVENT B" is not there in last 24 hours for same IpAddress. It is known that "Event A" will have one occurrence for Ip address,(if any), but "Event B" will have ,multiple occurrences. Following is the query:     index=prod-* sourcetype="kube:service" "Event A" earliest=-24h latest=-4h |table IpAddress | search NOT [search index=prod-* sourcetype="kube:service" AND ("Event B") earliest=-24h latest=-0h |table IpAddress ]     Why the first query is not working fine? This does not work fine and return the results, even if, there is an Ip address for "Event A" and multiple events for same Ip address "Event B". But if I add, dedup IpAddress to inner search not query, then it works fine. Updated query:     index=prod-* sourcetype="kube:service" "Event A" earliest=-24h latest=-4h |table IpAddress | search NOT [search index=prod-* sourcetype="kube:service" AND ("Event B") earliest=-24h latest=-0h |dedup IpAddress|table IpAddress ]    

Hi eveybody, I have a series of alerts that generate new events that are sent to a specific index and also send an email to a web application, but there is no way to identify these "correlated events" by unique id. My goal is to be able to relate these indexed events to the event created in the web application using only a number, but this number must be assigned by splunk. Do you know of a way to assign an increasing numerical value to each new event sent to the index?

We had a user leave and before he did he asked that I change the ownership of all his reports to another employee.  I did that.  Today I found out that he owns a lookup.  When I look in knowledge objects orphans, it wasn't in there.  From what I've found online, lookups are completely different.  Is there anyway in Splunk to find everything a user owns?  I would rather be proactive and find things the the user didn't mention, rather than wait for notification that something isn't working. TIA, Joe

I am looking for suggestions as to how best to implement an alerting request made by my users.  Summary A query is run to count the number of events. The time weighted difference (in percentage) between one period of the next will be used to trigger the alert if the threshold is met. Query I have a query which I am already using on an existing dashboard. I am using TSTATS to count events, then a REX to group the events based on the first 3 characters for a field (DRA).      | tstats prestats=t count where index="foo" sourcetype="bar*" DRA=C* by DRA, _time | rex field=DRA "^(?<pfx>\D\S{2}).*" | timechart span=5m count by pfx useother=f limit=0 usenull=f       The groups and the number of these 'groups' will vary, but the result will be similar to the below : _time C27 C31 C33 2022-10-12 13:00:00 116 2 70 2022-10-12 13:05:00 287 3 20 2022-10-12 13:10:00 383 6 45 2022-10-12 13:15:00 259 7 41 I suspect the maximum number of DRA codes that we will see will be 25, although I can break this up into different queries and play with some timing and priorities with the running of the searches. Goal The goal is to alert when any percentage changes from one period  to the next by more than a set percentage.  So, for example, in the above, I might want an alert at 13:05 that 'C33' had changed by ~72% from the previous period. I Have Tried Using a mix of streamstats, eval and trendline statements, have the following which will alert for a single 'C' code.     | tstats count as count where index="foo" sourcetype="bar" DRA=C27* by _time span=5m | timechart sum(count) as total_count span=5min | streamstats current=f window=1 last(total_count) as prev_count | eval percentage_errors=round(abs(prev_count/total_count)*100,1) | fillnull value=000 | trendline wma5(percentage_errors) AS trend_percentage | eval trend_percentage=round(trend_percentage,1) | fillnull value=0 trend_percentage | table _time, total_count, prev_count, percentage_errors, trend_percentage       Problems and Concerns How can I modify my query to account for the variable nature of the DRA code - both in name (Cxx) and in the number of DRA codes returned? I have added 'by' clauses almost everywhere, but have not had success. Each 5 minute period can see up to 70k events per DRA. Any thoughts on running all of the calculations across all extracted DRAs every 5 minutes? Any suggestions or comments on my line of thinking are appreciated.