Hi

I have a lookup which looks like this:

no  name    student  rollno
1   john    yes      12
2   George  no       2345
3   jin     yes      111

How can I iterate through this lookup by the 'no' field and display each entry as a result? I only need one result at a time, so when I first run the search the result should be

no  name    student  rollno
1   john    yes      12

When I run the same search after a minute the result should be

no  name    student  rollno
2   George  no       2345

Please help
I have 3 Search Heads and 3 Indexers with Replication Factor = 1 and Search Factor = 1. My requirement is to increase this to RF=3 and SF=2. Each indexer has around 800GB of data. Now if I increase the replication factor to 3, does it mean each indexer will end up with around 2.4TB of data post data rebalancing? And what would be the approximate data size in each indexer if RF is set to 2?
Hi, I need help to extract some fields from the below log format. (I'm so bad at this.)

Oct 11 16:06:24 123.12.123.12 SVPN-USR[29489]: {"id":"6767676767","msgid":"6767676767","userInfo":{"userName":"wani","groupId":1519,"groupPath":"/Group ADL/SSAeF","authMethods":""},"clientInfo":{"ip":"123.12.123.12","vip":"123.12.123.12","osType":"WINDOWS","macAddr":"","deviceID":""},"msg":"[accessIP: 123.12.123.129 virtualIP: 123.12.123.12] User wani for session XXXXXXXXXXXX visit ip source ->ip 123.12.123.12 port 10123!","timeStamp":1665475584,"time":"2022-10-11 16:06:24","type":"userlog","logSubType":"access_resource","rcip":"123.12.123.12","actionResult":"success"}

Oct 11 16:06:24 123.12.123.12 SVPN-USR[29489]: {"id":"6767676767","msgid":"6767676767","userInfo":{"userName":"wani","groupId":1477,"groupPath":"/Group ADL/SSADS","authMethods":""},"clientInfo":{"ip":"123.12.123.12","vip":"123.12.123.12","osType":"WINDOWS","macAddr":"","deviceID":""},"msg":"[accessIP: 123.12.123.12 virtualIP: 123.12.123.12] User wani for session XXXXXXXXXXXX visit ip source ->ip 123.12.123.12 port 443!","timeStamp":1665475584,"time":"2022-10-11 16:06:24","type":"userlog","logSubType":"access_resource","rcip":"123.12.123.12","actionResult":"success"}

I want to extract the action result value, for example: action_result = success

Please help!
Hello Splunkers, is it possible to limit the searchable indexes within a custom app? For instance, if I create a new app called "myapp" and inside the Search tab of this app, I want to only be able to retrieve results coming from one of my X indexes. Is that possible? Regards, GaetanVP
Hello, I have some websites I monitor. I want to receive an alert when a website is not available for more than 15 minutes. Can you help me create a query for that?
Hi @gcusello I am using the HTML & Plain Text option in email alerts and am trying to make certain text bold and add hyperlinks etc. It is not taking the tags, but displays the tags as is when I check the mails received. How
I am comparing the search speed for the same data via a local search and a remote search (federated search). However, for a search that uses an automatic lookup, the search speed differs by more than 100x. The remote search is much faster (the local search takes 10 minutes, the remote search 30 seconds). I am wondering why there is such a speed difference. Example) index=firewall action=allow * ACTION is an automatic lookup setting.
Using version 2.1 of the infoblox TA, it is not extracting all the fields correctly. The named_message field seems to have the text 'view 2:' in it, which for the dns_response extraction will extract this to the dns_view field. However, it only does this for the single extraction, but there are a number of other extractions that do not have this dns_view field and therefore none of the extractions work. In particular, the reply_code never gets set, so this results in all reply_codes in the Network Resolution datamodel ending up as 'unknown'. Has anyone seen this behaviour before and know what the solution might be?  
Hi All, I'm getting the below:

splunk add oneshot ./kaseya.txt -index main -sourcetype asset kaseya-edge:agent
ERROR: certificate validation: self signed certificate in certificate chain
Couldn't complete HTTP request: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Since I'm working on my development laptop, I don't care if this is signed or not. What I need is a way of stopping the error. TIA, Joe
Hello all, I have configured services in ITSI that have KPIs based on KPI Base Searches, and for some reason users with the itoa_user role cannot view the content of the Service Analyzer.  The structure shows up in the tree view, but the nodes are all greyed out.   The tile view displays "No results found". The itoa_analyst role has no issues, and if I make itoa_user inherit power then the content loads, but that's not an acceptable workaround.  I also tried to add the differences in capabilities that itoa_user has with power and itoa_analyst roles, but that didn't work either. When I run the KPI Base Search in a normal search window with itoa_user role then it still doesn't run.  With itoa_analyst it does.  The KPI Base Search calls an accelerated data model and I am working in a distributed and clustered (only idx layer) environment. All objects are shared with Global team. I have no idea what is restricting the itoa_user role. Could anybody help? Thanks! Andrew
Hello, I have the search built that generates the results I want. But the goal is to also be able to track a high number of online orders after someone made a retail order.

index=data sector=Retail
| stats earliest(_time) as firstretailapp latest(_time) as lastretailapp by username
| join username [| search index=data sector=Online | stats earliest(_time) as firstonlinesale latest(_time) as lastonlinesale by username]
| convert ctime(firstretailsale) ctime(lastretailsale) ctime(firstonlinesale) ctime(lastonlinesale)

When these results populate, I cannot get the firstonlinesale to be a later date than the lastretailsale. I have tried | eval difference=time1-time2, and where difference>1, and other command searches to try and match up something, but am unsuccessful. Thanks!
This query shows all employees in the company:

index=EmployeeData AND sourcetype=Directory* earliest=@d
| search NOT Hire_Date IN ("2021-11-11","2021-05-22","2022-08-02", "2021-11-11")
| search Worker !="Level05" Termination_Date="" Training_Performed=""
| table First, Last, primaryWorkEmail, Training_Performed

I need to compare with a CSV that shows all of the people who did their training; this CSV contains the field Submitted. How would you structure the join to compare if xyz employee is in the CSV of people who completed their training?
Hi all, I have just started using Splunk dashboards to visualise my data, sorry for asking such a simple question. I have added a single value panel on my dashboard which shows the verdict of the test performed. I am using the following source code:

```
<row>
  <panel>
    <single>
      <title>Verdict</title>
      <search>
        <query>index=test_index | search splunk_id="$splunk_id$" | table verdict</query>
      </search>
      <option name="colorMode">block</option>
      <option name="drilldown">none</option>
      <option name="height">60</option>
      <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
      <option name="useColors">1</option>
    </single>
  </panel>
</row>
```

It creates a panel with a black background colour with text in white colour at the centre. So verdict will give only 2 values ('Pass' or 'Fail'). What I want is for the panel to have a green background colour if verdict is 'Pass' and a red background colour if verdict is 'Fail'. Along with this I would like to have 'Pass' and 'Fail' written in black colour rather than white colour. I am not the admin of the Splunk server so I can't add any JavaScript file or CSS file to the source code. Any help would be hugely appreciated. Thanks! @bowesmana can you help me out here if you can? Thanks!
I have log messages in the below format. At the end I want to group the messages by BID.

{ "details" : [ { "BID" : "123" }, { "BID" : "456" } ] }

These BIDs correspond to some static fields which describe what the BID is, like BID 123 corresponds to Apple. This detail/description is however not present in the events or search results. The mappings are present in the lookup.csv file with BID and description as 2 columns, which I am using for the lookup. But the description field is getting displayed at the end rather than after/before the BID. I want to show the below expected output but it's showing the below actual output.

Expected Output

Description  BID  Count
Apple        123  4
Orange       456  3

Actual Output

BID  Count  Description
123  4      Apple
456  3      Orange

I am using the below query. Is there any way to achieve the expected output?

MY_SEARCH | spath | rename "details{}.BID" as BID | stats count as Count by BID | lookup lookup.csv BID as BID OUTPUT description as description
I'm going to implement AppDynamics in a .NET Core 6 REST API, and I can't get a successful connection. I followed the steps from the link below:

https://docs.appdynamics.com/appd/22.x/latest/en/application-monitoring/install-app-ser[…]agent/install-the-net-core-microservices-agent-for-windows

What I notice is a single line in the profiler log and nothing else:

2022-10-10 15:55:33.258255[0x00001b94]<info>:Use CoreCLR profiler

With that type of log, I can't even infer if it's a connection issue or an implementation issue. Is there a demo project for Visual Studio, a sample to base on?
I have a lookup table named ics_special_domains that contains this:

domain_name,type
microsoft.com,microsoft
*.microsoft.com,microsoft
google.com,google
*.google.com,google
nwngms.com,ot
*.nwngms.com,ot
gasco.com,it
*.gasco.com,it

I'm trying to use this in a search to filter on specific types, but I'm trying a basic search first. This is the most basic search I'm trying:

index=ics_dns ( query_type="A" OR query_type="AAAA" ) | lookup ics_special_domains domain_name as query{} outputnew type as domain_type | where domain_type="microsoft"

It returns this error:

basic_string::erase: __pos (which is 18446744073709551615) > this->size() (which is 0)

I'd appreciate any help figuring this out.
I'm trying to get both JSON and syslog information from our firewall into Splunk Cloud using the universal forwarder. So far I've gotten the JSON in by getting Splunk to listen on port 514, forwarding that to the index, and then adding it using

splunk add udp 514 -sourcetype JSON

However, now I want to add the syslog information as well, which comes over the same port. When I attempt to add that I get an error:

splunk add udp 514 -sourcetype syslog
Parameter name: UDP port 514 is not available.

How do I get the Splunk index to read both from the same port?
I'm trying to create a timechart at intervals of one month; however, the below code produces the sum for the entire month. I want the value on the 1st of each month. Please let me know any solutions to get the value, or any alternative to span, to get intervals such as 2022-10-01, 2022-09-01, 2022-08-01.

`source=all_month.csv place=*alaska* mag>=3.5 | timechart span=mon@mon1 count BY mag`

(index="sales") | fillnull value="undefined" | bucket _time span=mon@mon1 | chart count by _time stock
Hi all, I would like to create a table with details from two different indexes. I'm facing difficulty combining the data from the two indexes, which have common columns but different event structures. How do I start a query to merge/combine fields from different indexes? As mentioned, both indexes contain one similar field, which is user=john. Here are the details:

IndexA
fieldA1=user (john)
fieldA2=description

IndexB
fieldB1=user (john)
fieldB2=Workstation
fieldB3=EventCode

Expected result:

user  EventCode  description  Workstation
john  4740       locked out   Lenovo..

Could someone point me in the right direction on how to start a Splunk Cloud query to merge into one table? Many thanks.
I have the following search that shows the top 10 hosts by count of vulnerability categories:

index=foo
| stats count as Count by security_group_name, severity
| chart useother=true first(Count) over security_group_name by severity
| eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)
| eval subTotal=case(medium>0 AND low>0,medium+low,medium>0,medium,low>0,low,1==1,0)
| sort 10 - subTotal,subSubTotal,total
| fields - subTotal,subSubTotal,total
| table "security_group_name",critical,high,medium,low

The issue with my chart is that the results are not sorted by the overall total, so I see the following results: How do I modify my search to sort by overall count/total? Thx