I have a dropdown whose value once input needs to be used in two different ways in the same search query. One of the indexes require that value to be as is but the other index requires the value to be altered.    I'm doing something like what ive mentioned below but that doesn't seem to be working. Any help is appreciated.     dropdown token value is selected_client with the initial value being "*" (index = indexA OR index = indexB) AND (clientForIndexA = domain1 OR clientForIndexB = domain2) | eval domain1 = if("$selected_client$" == "*", "*", "$selected_client$") | eval domain2 = if(domain1 == "*", "*", replace (sync_ml_domain, "\." , "-")) | eval domain2 = if(domain1 == "*", "*", replace (sync_ml_domain, "_" , "-"))    

Hi Team! Someone please explain to me what each parameter is responsible for in such a search tag: <search> <query>system="SWAP_total" host = crm.narsdade.com | bin _time span=1d | dedup _time | eval requestLasts = requestLimit - requestCount | table requestCount, requestLasts | rename requestCount AS "Requests done", requestLasts AS "Requests to go" | transpose | eval foobar_slice = column + " (" + 'row 1'+")" | fields foobar_slice, "row 1"</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search>   what is system..host.. and other attributes means for..

Hello, I've tried figuring this out on my own but I couldn't find any related threads which would fixed my problems. I'm trying to install Splunk enterprise on my Ubuntu 20.04.5 LTS Server as root. I've tried both .deb and .tar versions by following the docs . I've also tried following the new installation manual video.   After starting splunk with ./splunk start  and accepting the license I was prompted to rename the default account, i continued with enter to use the default admin name. Then I changed the default password and waited for the RSA key gen and preliminary checks. After that I am prompted with:    Starting splunk server daemon (splunkd)... PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security Done Waiting for web server at http://127.0.0.1:8000 to be available........splunkd 4932 was not running. Stopping splunk helpers... Done. Stopped helpers. Removing stale pid file... done. WARNING: web interface does not seem to be available!   I've also checked the logs but could't figure out the problem on my own:   Last entries of cat /opt/splunk/var/log/splunk/splunkd.log  09-21-2022 19:55:57.924 +0200 INFO  PipelineComponent [4932 MainThread] - Pipeline vix disabled in default-mode.conf file 09-21-2022 19:55:57.932 +0200 WARN  IntrospectionGenerator:resource_usage [5097 ExecProcessor] -   SSLOptions - server.conf/[sslConfig]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security 09-21-2022 19:55:57.942 +0200 WARN  Thread [4932 MainThread] - MainThread: about to throw a ThreadException: pthread_create: Resource temporarily unavailable; 55 threads active. Trying to create QueueServiceThread 09-21-2022 19:55:57.944 +0200 WARN  IntrospectionGenerator:resource_usage [5097 ExecProcessor] -   SSLCommon - PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security 09-21-2022 19:55:57.945 +0200 ERROR ExecProcessor [5097 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py" /bin/sh: 1: Cannot fork 09-21-2022 19:55:57.945 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/selfupdate_modular_input.py": Resource temporarily unavailable 09-21-2022 19:55:57.948 +0200 WARN  IntrospectionGenerator:resource_usage [5097 ExecProcessor] -   SSLOptions - server.conf/[kvstore]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security 09-21-2022 19:55:57.949 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/supervisor_modular_input.py": Resource temporarily unavailable 09-21-2022 19:55:57.952 +0200 WARN  IntrospectionGenerator:resource_usage [5097 ExecProcessor] -   Thread - MainThread: about to throw a ThreadException: pthread_create: Resource temporarily unavailable; 2 threads active. Trying to create KVStoreServerStatusInstrumentThread 09-21-2022 19:55:57.953 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py": Resource temporarily unavailable 09-21-2022 19:55:57.954 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_instrumentation/bin/on_splunk_start.py": Resource temporarily unavailable 09-21-2022 19:55:57.954 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_monitoring_console/bin/dmc_config.py": Resource temporarily unavailable 09-21-2022 19:55:57.954 +0200 INFO  IntrospectionGenerator:resource_usage [5097 ExecProcessor] -  terminate called after throwing an instance of '15ThreadException' 09-21-2022 19:55:57.955 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_monitoring_console/bin/mc_auto_config.py": Resource temporarily unavailable 09-21-2022 19:55:57.956 +0200 ERROR ExecProcessor [5097 ExecProcessor] - Couldn't start command "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py": Resource temporarily unavailable 09-21-2022 19:55:57.956 +0200 INFO  IntrospectionGenerator:resource_usage [5097 ExecProcessor] -    what():  MainThread: about to throw a ThreadException: pthread_create: Resource temporarily unavailable; 2 threads active. Trying to create KVStoreServerStatusInstrumentThread   ulimit -n -u open files                      (-n) 1024 max user processes              (-u) 62987   Does anyone know what I am doing wrong?   Please help me I have no spluck> : (

I want to exclude duration results if greater than 7 days. So i used search NOT but it is not working. Can someone help here? Query index=sentinelone | eval duration=tostring(now()-strptime(installedAt,"%Y-%m-%dT%H:%M:%S.%6N"),"duration") | table _time installedAt agentDomain duration |search installedAt!="Null"    

I'm looking for a way to set a token when the column exists (regardless of value).   Tried these with no luck.  <eval token=if(isnotnull($row.MyCol$),useValue=$row.MyCol$,null())> <eval token=case($row.MyCol$ != &quot;&quot; , useValue=$row.MyCol$)  Thoughts? 

Hello dear Splunk experts! I've stuck with one search and can't figure how to do this.  Did a lot of searching here on this friendly community but couldn't find the answer despite that saw a lot of similar tasks with solutions. I have a dataset like this: sg1 sg1_approval sg2 sg2_approval sg3 sg3_approval value1 approved value2 not approved value3 delayed   And I want to get something like this: sg sg_value sg_approval sg1 value1 approved sg2 value2 not approved sg3 value3 delayed   What is the best way to achieve this? I've found some examples around transpose, eval or stats functions but these didn't solve my task completely. And to add a bit of complexity to this task - how to calculate sum of particular cells in rows with particular values of columns. I have this dataset: sg1 sg1_approval sg1_now sg2 sg2_approval sg2_now sg3 sg2_now sg3_approval value1 approved 4 value2 not approved 2 value3 5 delayed value2 not approved 3 value3 approved 5 value4 1 approved   And want to extract it as: sg_approval sg_now approved 10 not approved 5 delayed 5   So that sg_now column contains sum of all values in sg1_now, sg2_now and sg3_now sorted by sg1_approval, sg2_approval and sg3_approval. Thank you very much in advance! Regards

Hello Do field values have to be consistent for ES or doesn't it matter?  So in the wineventlog if src is sometimes the IP and other times the fqdn does ES care?  Same with the user field, if sometimes the field value is bob@domain or domain-bob or bob$ does it matter? Thanks R00ster

Hi All, I have a large number of Windows logs in directory. How can I automatically delete them from the disk space after Splunk saves them and the folder size will be bigger than 5 gigabytes? Where can I write such configuration? Thanks in advance!