I've been given output of a query that makes use of the "last 30 days" time range, and need to know exactly what "last 30 days" means. The data is aggregated, so the output does not have a date field in it. I do not have access to Splunk directly so I cannot run test queries.  For example, if the query is run on 8-31-2022, does "last 30 days" give me 8/2 to 8/31 or would it be 8/1 to 8/30?

Good afternoon! I have a problem setting up alerts. Most allerts, with the exception of one, are processed incorrectly. Alerts are processed by scheduled, last 1 minute. By wrong - I mean their false positives, that is, they are constantly triggered by scheduled, even if the request conditions are not met during this period of time.   Despite the fact that requests in alerts work out correctly - as we need, I am convinced that the problem is in the syntax, since the settings for the correct alert and the problematic alerts are the same.   Examples:   Alert that works fine: index="main" sourcetype="testsystem-script11" | transaction maxpause=10m srcMsgId Correlation_srcMsgId messageId | table _time srcMsgId Correlation_srcMsgId messageId duration eventcount | fields _time srcMsgId Correlation_srcMsgId messageId duration eventcount | sort srcMsgId _time | streamstats current=f window=1 values(_time) as prevTime by subject | eval timeDiff=_time-prevTime | delta _time as timeDiff | where (timeDiff)>1   An example of a problematic alert (I thought that the problem was in Cyrillic characters, but I tried without them, it does not help):   index="main" sourcetype="testsystem-script99" resultcode>0 | eval srcMsgId_Исх_Сообщения=if(len('Correlation_srcMsgId')==0 OR isnull('Correlation_srcMsgId'),'srcMsgId','Correlation_srcMsgId') | eval timeValue='eventTime' | eval time=strptime(timeValue,"%Y-%m-%dT%H:%M:%S.%3N%Z") | sort -eventTime | streamstats values(time) current=f window=1 as STERAM_RESULT global=false by srcMsgId_Исх_Сообщения | eval diff=STERAM_RESULT-time | stats list(diff) as TIME_DIF list(eventTime) as eventTime list(srcMsgId) as srcMsgId_Бизнес_Сообщения list(routepointID) as routepointID count as Кол_Сообщений by srcMsgId_Исх_Сообщения

Hi all - I am having trouble pulling out mv fields into separate events. My data looks like this: I'd like to pull each event out into it's own line, but I'm having trouble with the carriage returns and getting the fields to pair correctly (i.e., error 1232 is with server 1).  Example search:       | makeresults | eval error="1232 2345 5783 5689 2345 5678 5901", server="server1 server2 server3 server4 server6 server9 server7" | makemv delim=" " error | makemv delim=" " server | eval uniquekey=mvzip(server,error, ":")         How do I separate these fields into their own events so the data looks like: 1232 server1 server1:1232 2345 server2 server2:2345 5783 server3 server3:5783

Good morning, Curious to see if anyone has used a similar dataset in Splunk and/or any suggestions on the best way to create a usable solution. I have a list of IP addresses, and for each IP address there is a list of allowable systems (IPs) . If any of the IP addresses communicate with systems outside of the allowable list I want to be alerted. I know I can probably create individual alerts for each of these but would like to be able to process these in bulk. For example, if Splunk could periodically cross reference the IP list against the network data to see if there are any violations. Could a lookup table be used for this?

I have 2 fields: the values of fieldA are present in fieldB and I need to remove the first part of fieldB up to the values present in fieldA. For example: fieldA = BP498 fieldB = "A1John/Doe SmithBP498 XX XX XX" Desired: fieldB="BP498 XX XX XX" Thanks in advance.

Hi, I am trying to run a python script on my universal forwarder which send data to splunk cloud instance. I have added the path in inputs.conf and there is not events found in my index. While checking on splunkd logs, there shows a error "The system cannot find the file specified". what could be the problem?

I want to create a Bar chart with the logs where the key would be the stats count field name and value would be the sum value Query :  search1 | eval has_error = if(match(_raw, "WARNING"),1,0)| stats sum(has_error) as field1| join instance [search2 | eval has_error = if(match(_raw, "WARNING"),1,0)| stats sum(has_error) as field2| join instance [search3 | eval has_error = if(match(_raw, "WARNING"),1,0)| stats sum(has_error) as field3|join instance [search4  | eval has_error = if(match(_raw, "WARNING"),1,0)| stats sum(has_error) as field4]]] | stats sum( field1), sum(field2), sum( field3), sum( field4) Current result: field1 field2 field3 field4 30 44 122 6   Expected result: Field Count field1 30 field2 44 field3 122 field4 6

Hi team, we have performance log in splunk, but the storage policy is only for 3 month. so i can't see data metric trend from splunk for whole 1 year. Is there anyway splunk can ingest data into MongoDB? so that I can use powerBI to connect to MongoDB, and do analysis in PowerBI. Thanks, Cherie

For the type of data I am trying to extract, Event Sampling really speeds up the query. This works fine when executing SPL queries, but I have not been able to figure out how to do this in a dashboard. Found some older posts where "rand" was used, but apparently that did not speed up the query.   Is it possible to specify Event Sampling directly in a Search Query or in the Dashboard in some way?

I am using the query as below and visualizing it in a line chart.  There is date field coming on the line chart and I want to remove it through XML without removing time field? Can someone guide me .  (I was able to remove it in query using field format command but it was not super helpful as I was not able to see visualization.)  Also, I was able to remove the hover through this article - Solved: How to disable mouse hover on bar chart in XML - Splunk Community But not the date.  This one is very close to what I want to do, but didn't solve my case on the line chart.  Solved: How to delete the date category on a visualization... - Splunk Community Query for reference index=xyz sourctype=abc earliest = -60m@m latest = @m |eval ReportKey="Today" |append [search index=index=xyz sourctype=abc earliest = -60m@m-1w latest = @m-1w |eval ReportKey="LastWeek" | eval _time=relative_time(_time, "+1w")] |append [search index=index=xyz sourctype=abc earliest = -60m@m-2w latest = @m-2w |eval ReportKey="TwoWeeksBefore" | eval _time=relative_time(_time, "+2w")] |append [search index=index=xyz sourctype=abc earliest = -60m@m-3w latest = @m-3w |eval ReportKey="ThreeWeeksBefore" | eval _time=relative_time(_time, "+3w")] |timechart span = 1m count(index) as Volume by Reportkey