I am on splunk cloud and have been using this functionality which is pretty useful to determine what timezone our users are in. It just seems to have stopped since last Tuesday we just got our environment upgraded to Version:8.2.2203.4 it is returning the fields for timezone and metro but no data  Any ideas ? (where x.x.x.x = ip address) | makeresults 1 | eval src_ip = "x.x.x.x" | iplocation src_ip allfields=true | transpose gives column row 1 City Houston Continent North America Country United States MetroCode   Region Texas Timezone   _time 1663100176 lat 29.7604 lon -95.3698 src_ip x.x.x.x I've raised a case but interested if anyone else has experienced this

Hello, We have Splunk in my new company and I am trying to understand Splunk and the environment. So, they have firewall logs (from one product) in 3 different indexes, one for traffic, one for threats and for other firewall logs. Is this normal? Seems a bit inefficient especially with regards to organization of logs and when searching. They also have combined 2 different firewall products into one of the indexes. I thought each product should have its own index? The person who did the deployment said that this was done for efficiency but this somehow seems to be counterproductive. Am I missing something when I have to search 3 different indexes to get complete results for a certain IP? Any advise is appreciated, Thank you, CM

Hello team !!  Im working whit CDR of SMS and I have to find a way to visualize that two fields are repeated more than 10 times in a minute Could you help me find a way to do it? This is a part of my CDR  14:00:06.495844|2022-09-13 14:00:06.495847|2022-09-13 14:00:06|MT|3385251555|56271948588 origin:3385251555 dest:56271948588 I want to see when it repeats the same origin and the same destination more than 10 times in 1 minute Thank you very much for your help and time  

Hey all, So I found a question here about using multiple inputs.conf files.. how it's possible with multiple apps but not just one. My question is, would this work if you copied the single app you have to a new directory?  Say you have App 1, you copy it to App 2. Since the contents are the same.. as long as you did not try to monitor the same log files.. would this work and be considered two apps?

Hi MC team,  One of our current requirements for a Security Incident Management solution is to be able to provide quick context around an asset.  One of the most time consuming tasks that an incident responder faces is to track down what the device being alerted on does, what its criticality is and who is the owner.  The most effective way to do this is to integrate with an Asset Management /CMDB solution.  Is this something that Mission Control can or is looking to do? Thank you kindly, Mike

I am a fairly new to Splunk, and I am having a lot of trouble using the table lookups.   I have a lookup CSV table (team_info) that looks like this: team_id,active,group team_a,1,team a ops team_b,0,team b marketing team_c,1,team c netops   My search is extracting field using regex:   index="sys_alerts" | rex field="Message" "...<teamID>..." | eval app="Application A" | lookup team_info team_id as teamID OUTPUT active as active, group as group   When I run the search the teamID is being extracted successfully but I do not see the active or group fields in the events.   What am I doing wrong or missing?   Thanks in advance.

hello In a first dashboard, i use 2 dropdown list the first dropdown list concerns a relative time choice and the second dropdown list concern a site choice I need to retrieve in a second dashboard (there is also the same dropdown list in this dash)  the choice done from these 2 dropdown list by executing html link     <form> <label>TEST</label> <fieldset submitButton="false"> <input type="dropdown" token="period"> <label>Période</label> <choice value="1654466400.0">Lundi 6 Juin 2022</choice> <choice value="1655071200.0">Lundi 13 Juin 2022</choice> <choice value="1655676000.0">Lundi 20 Juin 2022</choice> <choice value="1656280800.0">Lundi 27 Juin 2022</choice> <change> <eval token="debut">period</eval> <eval token="fin">debut+432000</eval> <eval token="debut_4w">relative_time(debut,"-4w")</eval> <eval token="fin_4w">relative_time(debut,"-0w")</eval> </change> <default>1655071200.0</default> <initialValue>1655071200.0</initialValue> </input> <input type="dropdown" token="site" searchWhenChanged="true"> <label>Espace </label> <fieldForLabel>site</fieldForLabel> <fieldForValue>site</fieldForValue> <search> <query>`index_mes` | dedup site | table site | sort + site</query> <earliest>-7d@h</earliest> <latest>now</latest> </search> <choice value="*">*</choice> <default>*</default> <initialValue>*</initialValue> </input> </fieldset> <row> <panel> <html> <a href="/app/spl_pub/bpe?form.site=$form.site|u$&amp;form.period.earliest=$form.period$&amp;form.period.latest=$form.period$" target="_blank">Cliquez ici</a> </html> </panel> </row>     it works for the site by adding | search site="$form.site$"  in the second dashboard for every search but it doesnt works for the time so what is wrong in the html link and how to take into account the time choice done in the first dashboard in the second dashboard? thanks