I have the following fields, where some of them might be null, empty, whatnot values. I would like to split the Services values, which might have 1-N values separated by a comma, to separate columns/fields prefixed with "Sp.". For example: | makeresults | eval Platform="p1", Ent="ent1", Ext="100", Fieldx=null(), Fieldy="" , Services="user,role,func1,func2" | append [ | makeresults | eval Platform="p1", Ent="ent2", Ext="100", Fieldx="", Fieldy=null(), Services="user2,role2,func4,func8,func5,role3" ] | fields _time Platform Ent Ext Fieldx Fieldy Services Gives an example like: _time Platform Ent Ext Filedx Fieldy Services 2022-09-30 08:56:11 p1 ent1 100     user,role,func1,func2 2022-09-30 08:56:11 p1 ent2 100     user2,role2,func4,func8,func5,role3   How do I split the Services into a separate fields? I think I cannot just use stats list() by "All_fields" due to those possible null values in other fields. _time Platform Ent Ext Fieldx Fieldy Services Sp.func1 Sp.func2 Sp.func4 Sp.func5 Sp.func8 Sp.role Sp.role2 Sp.role3 Sp.user Sp.user2 2022-09-30 09:07:00 p1 ent1 100     user,role,func1,func2 func1 func2       role     user   2022-09-30 09:07:00 p1 ent2 100     user2,role2,func4,func8,func5,role3     func4 func5 func8   role2 role3   user2  

I have the following sample event 2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU5  IOS: 96 2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU4 IOS: 96 2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU3 IOS: 96 2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU2 IOS: 96 2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU1 IOS: 76 2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU0 IOS: 96 I want to compare the IOS value  for each host and if any one is showing a different value then I want to output the result .In the above events for host=abc all GPU's has IOS value as 96 except for GPU1 which is 76.I want to output the GPU1 and the value of IOS...I tried doing diff but its not working.   Thanks in Advance  

Hello, I have a log file that go like this     2022-09-30 09:43:41,038: INSTANCE=34-bankgw1, REF=237324562, MESSSAGE=IST2InterfaceModel.ResponseVerifyCardFromBank:{"F0":"0210","F2":"970422xxxxxx6588","F3":"050000","F4":"000001000000","F7":"0930094340","F9":"00000001","F11":"277165","F12":"094340","F13":"0930","F15":"0930","F18":"7399","F25":"08","F32":"970471","F37":"273094277165","F38":"277165","F39":"15","F41":"00005782",0822,237324562,VNPAYCE","F49":"704","F54":"0000000000000000000000000000000000000000","F62":"EC_CARDVER","F63":"AAsA7QKwYzZX3AAB","F102":"0000000000000000"}     With a log structure like this, I can't really extract the field that I want with Splunk field extractor. The field that I want to Extract is F39 (which mean status) for monitoring purpose. I'm really amateur when it come to rex so can anyone help me with it?

I need to create a field (30days) with a date 30 days from the date in a given field (pubdate). I believe I have that part working, but can't seem to get the date to convert to the format I want. |makeresults |eval pubdate="2022-09-30,2021-08-31" |makemv delim="," pubdate |mvexpand pubdate |eval epochtime=strptime(pubdate, "%Y-%m-%d") |eval 30days=epochtime + 2592000 |convert ctime(30days) |table pubdate, 30days Which produces: pubdate 30days 2022-09-30 10/30/2022 00:00:00.000000 2021-08-31 09/30/2021 00:00:00.000000   All I want to do is to format the 30days date field the same was as pubdate - "%Y-%m-%d". Everything I'm trying is producing an error.

Please advise on my request. Line from request: | where ('result.code'=-1 OR 'result.code'=1 OR 'result.code'=21 OR 'result.code'=23 OR 'result.code'=SMEV-403) The query looks for messages with all result.code values except SMEV-403. Tell me how can I fix this?

Hello all, New splunker here, so forgive me if this is totally way wrong to do it. I was asked to make a comparison dashboard for application performance before the monthly patch and after. I was able to do so with the following code:         index=erp sourcetype=erp_heartbeat tenant=AX2 earliest=-31d@month latest=-1d@month | eval custate="Post-Update" | append [ search index=erp sourcetype=erp_heartbeat tenant=AX2 earliest=-61d@month latest=-30d@month | eval custate="Pre-Update" ] | chart avg(duration) by trans_name, custate       In a recent touchpoint, it was requested that users be able to change the dates to look at prior months' numbers. I can't figure out how to accomplish this as I'm using specific earliest and latest time modifiers   , so any help would be tremendously appreciated.  Thank you all, as I've gotten this far with your community. 

I destroyed some VMs in my production recently. But I can still them in the page: "IT Essentials Work" => "Infrastructure Overview" => Unix/Linux Add-on. They have inactive status already but how do I completely remove them from the Splunk Cloud? I don't want to monitor them anymore.