Hi  Consider this event structure :     {"result" : {"dogs" : [{"name" : "dog-a", "food":["pizza", "burger"] }, {"name" : "dog-b", "food":["pasta"] }] }}     Now want to filter the dogs by name and present them relevant food. When I try this search(with the relevant index):     result.dogs{}.name = dog_a| table result.dogs{}.food{}     I Am getting this result: pizza burger pasta    I Am expecting to get only dog-a foods(pizza and burger)  

Hello-   I am attempting to create a heat gauge off the average of two timestamp fields to determine average time an issue was worked. I'm running into issues as these fields are stored as strings in the ISO 8061 format. I'd like to know if there's a good way to convert this string as simply as possible or to be able to extract certain portions of the string to be able to use a numeric value from the average calculations (ideally extract the MM:SS from the ISO string.)   Thanks!

Hello-   I am attempting to make a table and hopefully be able to integrate it into a dashboard. Goal is to interrogate on two fields and pull stats accordingly. FieldA has multiple values- table is to show all values of FieldA. Utilize stats count for how many daily transactions have been processed by each unique value of FieldA.  Then the portion I am having difficulties with- with the daily count for each unique value of FieldA, I want to interrogate that count by FieldB to see how many of that count is a hit for any value of FieldB. This is the code I am using: table FieldA FieldB | fields "FieldB", "FieldA " | fields "FieldB", "FieldA " | stats count by FieldA , FieldB| sort -"count"   The second count of FieldB hits out of the count of FieldA instances is always showing up as zero, despite having values other than zero in FieldB. FieldB values should all be numeric. 

Hi, I would like to set time ranges from 2 different types of inputs, Dropdown and Time, as shared tokens into a panel. Currently, this is the code I have, the Dropdown has 4 options, and the Time input appears depending on the last dropdown option. I am stuck on passing the time range from the Time input into the "custom_earliest" and "custom_latest" tokens.     <fieldset submitButton="false"> <input type="dropdown" token="field1"> <label>Time Selection</label> <choice value="yesterday">Yesterday</choice> <choice value="-7d">Last 7 Days</choice> <choice value="mtd">Month To Date</choice> <choice value="custom">Custom Time</choice> <change> <condition label="Yesterday"> <set token="custom_earliest">-7d@d+7h</set> <set token="custom_latest">@d+7h</set> <unset token="showCustom"></unset> </condition> <condition label="Last 7 Days"> <set token="custom_earliest">-4w@d+7h</set> <set token="custom_latest">@d+7h</set> <unset token="showCustom"></unset> </condition> <condition label="Month To Date"> <set token="custom_earliest">-5mon@mon+7h</set> <set token="custom_latest">@d+7h</set> <unset token="showCustom"></unset> </condition> <condition label="Custom Time"> <set token="showCustom">Y</set> </condition> </change> <default>yesterday</default> <initialValue>yesterday</initialValue> </input> <input type="time" token="customTime" depends="$showCustom$"> <label>Time Range</label> <default> <earliest>-3d@d+7h</earliest> <latest>-2d@d+7h</latest> </default> </input> </fieldset>     Any help would be appreciated, thanks!

Dear all, I want to combine 2 search job into 1 job. My first search job is to search all the alert_id occur in the past 24 hours and listed them as a table. 2nd search job is to find among all the alert_id in the first search job and try to match which alert_id has an event of packet filtered . I am able to generate a desired result by using the "map search" index="security_device" sourcetype= security_log "abnormal Protocol" alert_id | table alert_id | map search="search index="security_device" sourcetype=security_log "Filter action" $alert_id$" maxsearches=500 | table filter-discard However, I notice that using a map search is very in-efficient. It is taking forever if I select for 30 days. Can anyone recommend me a better way to do it.  FYI, I have tried the nested search, but no luck, it return a 0 result to me index="security_device" sourcetype=security_log "Filter action" [ search index="security_device" sourcetype=security_log "abnormal Protocol" alert_id | table alert_id ] | table filter-discard Thank you.

Hi all, I am quite new to Splunk and now trying to create a dashboard panel using a query that does the following: pulls the required fields from an index based on textfield input checks on one specific field "opsID" from the index against a field "code" in a csv i uploaded if it is present in the csv, I just want to return a simple output that I could use to display in a table form The csv looks something like this: code, notes 123, User 456, Admin 789, User   Example of my query: index=userdatabase "abc12345" | eval abc=[|inputlookup Lookup.csv | where code=opsID| fields notes] | eval isPresent=if(abc!="", YES, NO) | table username, isPresent   However I am getting errors like Error in 'eval' command: The expression is malformed. An unexpected character is reached at ')'. I tried for a few days can't seem to figure it out my mistake, hence hoping for some help over my basic question.. I got a feeling my logic could be wrong to begin with

Hi Splunkers. I have two level of logs (NOTICE,ERROR), for Error logs(json), method_name and message is automatically getting extracted but not for NOTICE logs, So i have written my case statement like below in UI  and its working fine but im not sure how to deploy this in props.conf   index=index_name sourcetype=sourctype_name log_level=NOTICE |eval message =case(method_name='protopayload.table.create'=="table created",method_name='protopayload.table.delete'=="table deleted") i dont want to write case statement for error logs as its already getting extracted fine. to be precise:- i want my fields extraction to happen automatically for error logs (as its getting extracted automatically) and want my case statement work only for notice logs.   Please assist on this        

Hello, I am using rex to remove everything after a specific character, but i need to keep the specific character. Currently, I am using this - | rex mode=sed field=Cluster "s/[k].*//g" Unfortunately it is also removing the 'k'. Can I amend this argument slightly so it removes everything after k but the k remains? Unfortunately I don't have any / to work with. Thanks!

Hello!   i am sending from a host to splunk cloud logs from the disk usage. Here is an example how the events are:       /dev/nvme4n1p1 xfs 50G 555M 50G 2% 25M 33K 25M 1% /var/www         where "2%" field is called as "Use_". How can i create an alert/search when this number (without the percentage symbol) is higher than 80 ?   Thanks!

Hi all,   For our environment we want to ingest VMWare data for ITSI. The documentation tells us we need an OVA, so we installed one. However, this took a long time. And now I see we need a seperate Scheduler since the searchhead is actually on Windows, which I did not notice in time is apparently not possible to combine with a Scheduler. It is also a bit vague to me how the connection works. With the scheduler you link a vCenter, so the scheduler needs a connection to the vCenter as well? And this data is then used on the DCN to also connect with the vCenter? My main question is: Is it possible to skip the scheduler and edit a conf file on the DCN itself to start ingesting VMWare and vCenter data right away? We have a limited time schedule since this is just a test environment and the ITSI license doesn't last forever.  Regards, Tim