It sounds like what you want to do is join two datasets based on a couple common field. Is that correct? There are a few commands in Splunk that let you do this and it depends upon your use case which you would use. Could you post example data (not real data) with the appropriate field names and an example of what you would like to see as the result? ... View more

Try this REST endpoint (/services/search/jobs/export). The "v2" is the problem. ... View more

Did this get what you want? If so, please accept the solution. If not, let me know and I'll try and fix whatever isn't right in it. Thanks. ... View more

Have you set up the remote server as a search peer? If so is it showing as healthy in the search peers UI? Is the remote server a full Splunk install (not a UF)? This does work with 9.x, although I did have to make a tweak yesterday but it should work now. The code above has been updated. However, the tweak I made should not have corrected the issue you are having. In fact when I tried it on 9.x without the tweak I didn't get an error. So, the fix is probably not related to your issue. ... View more

What is the error? ... View more

That is a good option. I think my way would  work as well, but I like the output of something like this better. It looks cleaner. ... View more

After thinking about it more for a bit I think this should work and do the same thing as != for each field/value pair but still allows me to use | format. | format "ip=* AND (NOT" "" "" "" "NOT" ")" I think this should give me the same results. Does this look right?  ... View more

How about something like this? I took your data and saved it into csv lookups called file1.csv and file2.csv. Also, based on your example data I believe you should have four results returned because the line with "roll numbers" set to 10 does not have a matching "Registration #". | inputlookup file1.csv | lookup file2.csv "roll numbers" as "roll numbers", Name as Name, "Registration #" as "Registration #" OUTPUT "Row#" as row_num | search NOT row_num=* | streamstats count as "Row#" | table Row# "roll numbers" Name "Registration #"   ... View more

@gcusello's answer is not disrespectful in anyway. Nothing that he said was demeaning or implied malice. I have received much help from @gcusello in the past and his answers have always been respectful. I think you are reading into something that is not there. ... View more

Ah! I did not know you could put an id on the search element in the xml and reference that from JavaScript. Splunk's XML dashboard and accompanying JavaScript documentation is abysmal. Thanks a ton sir. ... View more

Oh, also make sure to set the permissions on the macro to at least shared within the app. You might want to make it globally shared. ... View more

This is possible now with straight SPL using the REST API. The below solution was originally inspired by SA-rest_get_lookup, but I've made some changes to fix some issues. Create a macro called remotelookup (Settings -> Advanced search -> Search macros). Destination app: Wherever you want it Name: remotelookup(2) Definition: rest splunk_server=$server$ /services/search/jobs/export search="| inputlookup $lookup$ | foreach * [eval <<FIELD>> = replace(replace(replace(replace(<<FIELD>>, \"\\n\", \"@@NewLine@@\"), \"\\r\", \"@@CarriageReturn@@\"), \"\\\"\", \"@@DoubleQuote@@\"), \"NULL\", \"@@NULL@@\")] | fillnull value=NULL | rename _* AS tmp_*" output_mode=csv | fields value | makemv tokenizer="([^\n]+)" value | eval header=mvindex(value,0), value=mvindex(value,1,mvcount(value)) | makemv tokenizer="(\"[^\"]+\"|[^,]+)" header | mvexpand value | makemv tokenizer="(\"[^\"]+\"|[^,]+)" value | eval tuple=mvzip(header,value,"#####") | fields tuple | eval primarykey=md5(tostring(tuple)) | mvexpand tuple | rex field=tuple "^(?P<field>.*)#{5}(?P<value>.*)$" | eval field=trim(field,"\""), value=if(value=="NULL","",trim(value,"\"")) | fields primarykey field value | eval {field}=value | fields - name, field, value | stats values(*) as * by primarykey | fields - primarykey | rename tmp_* AS _* | fieldformat _time=if(isint(_time),strftime(_time, "%s"),_time) | foreach * [ eval <<FIELD>> = replace(replace(replace(replace(<<FIELD>>, "@@NewLine@@", " "), "@@CarriageReturn@@", ""), "@@DoubleQuote@@", "\""), "@@NULL@@", "NULL") ] Arguments: server,lookup Validation Expression: $server$!="" AND $lookup$!="" Validation Error Message: You must provide a server and a lookup. You can then call it this way. | `remotelookup("server name", "lookup.csv")` If you want to sync a local lookup to match the lookup on another server you can do this in a report and set it to run on a schedule. | `remotelookup("server name", "lookup.csv")` | outputlookup lookup.csv One thing to note is that the server where the macro exists needs to have the remote server as a search peer so that it can access that server's REST API (Settings -> Distributed search -> Search peers). Update: 2023-06-06: Changed method for create an mv field from a string to work with Splunk 9.x ... View more

So, I tried this and have a couple days worth of data. Here is the SPL I used. I have it running every morning at midnight and it pulls from a window of yesterday. | dbinspect index=* | stats max(rawSize) as rawSize, values(index) as index by bucketId | eval _time=now() | bin _time span=1d | stats sum(rawSize) as rawSize by _time, index | collect index="summary" I would expect day two to be larger than day one. Alas, it is not. It was in fact -83GB different. So, I'm not sure this method will work. : ( ... View more

Yeah, i had thought about the freezing buckets as well. I think if I ran it every day at midnight and set the time range to yesterday I shouldn't have to worry about frozen buckets. If the time range is small enough that it would never fall outside the frozenTimePeriodInSecs and so long as my search window stays the same for each run I think that would work. I could then collect that into a summary index. Then after I get a couple days worth of summaries I could start doing the delta to get the previous day's change in bytes. ... View more

Oh, I think I see what you are saying. I could potentially summarize the data every day and then subtract yesterday's bytes from todays bytes ... that might work. ... View more

Unfortunately, that won't work for getting me internal index bytes ingested per day as buckets can span multiple days. ... View more

No, I don't want license consumption. I already know how to get that using the above SPL. I'm looking for bytes ingested for the  internal indexes. ... View more

Yes, it would be nice if it watched the file and reloaded the config when the server file was updated. I think the only real option is to set up your process that updates the machine list to reload  the deploy-server  after the list is updated. ... View more

The regex for the encrypted password values needs to be updated. Encrypted vales can start with more that just $1$ now.  I've seen $1$, $7$, and $6$. I use \$[0-9]\$ for the regex ... Windows C:\Program Files\Splunk> Get-ChildItem -Recurse *.conf | Select-String -Pattern '\$[0-9]\$.' -List Linux find ./etc/ -type f -name "*.conf" -exec grep -iH "\$[0-9]\$." {} \; find ./etc/ -type f -name "*.conf" | xargs grep -iH "\$[0-9]\$."   ... View more