For SPL try this: <your base search> | extract kvdelim=":" pairdelim="," ... View more

Example File Name:/admin/logs/abc/inventory/04-04-2022-101634-all-b5.xxx File Name Format: %d-%m-%Y-%H%M%S-all-b5.xxx _time value assigned to events:2022-04-04 10:16:34 props.conf [mysourcetype] TRANSFORMS=timestampeval transforms.conf [timestampeval] INGEST_EVAL = _time=strptime(replace(source,".*(?=/)/",""),"%d-%m-%Y-%H%M%S") This takes the "source" metadata value (which is the path and file name), removes the path, then extracts the date from the filename. The time defaults to 00:00:00. All events in the file will have the same _time when imported.   Run below anywhere search to test  | makeresults | eval source="/admin/logs/abc/inventory/04-04-2022-101634-all-b5.xxx" | eval _time=strptime(replace(source,".*(?=/)/",""),"%d-%m-%Y-%H%M%S") ... View more

Not sure if this is what you are looking for ?   index=k8s_events namespace=ecom-middleware NOT method=OPTIONS response_code>200 | bin _time span=1d | stats count by path _time | streamstats window=5 sum(count) as total_count avg(count) as avgCount by path | fields _time path total_count avgCount   Say you run that search over the last 30 days, where each row is a unique day with path . And each row has a '_time' field, and an 'avgCount' field. The avgCount field will be the average events per day, during that day and the 4 days preceding it.   ... View more

Hi you would need to forward audit logs from splunk UF to splunk indexers. https://community.splunk.com/t5/Getting-Data-In/Does-Splunk-Universal-Forwarder-forward-audit-events/m-p/403192     ... View more

Could you please paste the result of the output that you want? The question doesn't make sense to me, when you say sum(expense) by ID, it means sum(expense) by distinct ID in splunk language and it will always be the value of expense as shown in the input table. Please tell us the output result in tabular format that you want. ... View more

I do not think you can change the path explicitly in SPL https://community.splunk.com/t5/Getting-Data-In/How-to-change-the-location-a-saved-search-outputs-a-CSV-file-to/m-p/204917   however, you can write cron jobs to move the file on OS level. ... View more

you would need to format the output <your search> | table count index sourcetype time results | eval _raw = mvzip(mvzip(mvzip(mvzip(count, index, " "), sourcetype, " "),time, " "),results, " ") | outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv append=t results.txt ... View more

see if this helps !   https://community.splunk.com/t5/Splunk-Search/Export-results-to-txt/m-p/105583 ... View more

try this:     index=connections | stats max(_time) as connection_time values(user) as user by ip_address | join type=left ip_address [ search index=events event_id=* | rename ip as ip_address | stats max(_time) as provoked_time values(event_id) as event_id by ip_address ] | convert ctime(*_time)   ... View more

you need to use this regex on search head  go to  Settings » Fields » Field extractions » Add new   Destination App: <your_app> Name: <name> Apply to: choose sourcetype : named <your_sourcetype> Type: Inline Extraction/Transform: \d{2}:\d{2}:\d{2},(?<src_ip>(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\,(?<dst_ip>(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\,(?:[^:\n]*:){2}\d+,\d+,\d+,(?<src_port>\d+)\,(?<dst_port>[^\,]+)(?:[^,\n]*,){5}(?<action>[^\,]+)   let me know if this helps!         ... View more

Pls refer this: https://community.splunk.com/t5/Dashboards-Visualizations/How-can-I-get-the-Table-cell-colorization-rendering-for-every/td-p/289392?_ga=2.212990160.571977538.1648667563-1053383095.1646419186&_gl=1*uitn7u*_ga*MTA1MzM4MzA5NS4xNjQ2NDE5MTg2*_gid*NTcxOTc3NTM4LjE2NDg2Njc1NjM. ... View more

Try this: index=connections | stats max(_time) as connection_time ip_address user | join type=left ip_address [ search index=events event_id=* | rename ip as ip_address | stats max(_time) as provoked_time values(event_id) as event_id by ip_address ] | convert ctime(*_time) Upvote/Accept if it works.  ... View more

Hi there are two ways to do this. 1st way : put the specific error in the main search and you will find the all the storenumber counts with that error.   index=* host="log*" "store license for" "Error" | rex field=_raw "Store\s(?P<storenumber>.*)" | stats count by storenumber     2nd way: Extract the error from the raw data and display/filter in the statistics.   index=* host="log*" "store license for" | rex field=_raw "Store\s*(?P<storenumber>\d+)\n*.*ERROR(?<Error>.*)" | stats count by storenumber Error     let me know if this helps! ... View more

Hi please make sure "show only popular " box is unchecked in Settings > Source Types to get all the list of sourcetypes. also look for the sourcetypes on the server it is created so if you have create a sourcetype on the DB connect splunk server then look there to delete the specific sourcetype. Please refer to this document:  https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Managesourcetypes#Delete_a_source_type  ... View more

yes you can use this regex in props.conf.  if you want to add a search time field extraction within props.conf, just use EXTRACT   [your-sourcetype] EXTRACT-<class> = [<regex>|<regex> in <src_field>] * Used to create extracted fields (search-time field extractions) that do not reference transforms.conf stanzas.   for reference see : http://docs.splunk.com/Documentation/Splunk/8.2.5/Admin/Propsconf Please keep in mind that this will require a refresh/debug= http[s]://[splunkweb hostname]:[splunkweb port]/debug/refresh     ... View more

Hey Not sure if there is any other easy way to do this but you can give this a try: <user search> |eval tagged=mvzip(user,builtinadmin) | mvexpand tagged | makemv tagged delim="," | eval user=mvindex(tagged,0) | eval builtinadmin=mvindex(tagged,1) | table dest user builtinadmin let me know if this helps! ... View more

Hello , if its a dynamic list of hosts you could create a lookup table for hosts using settings » Lookups » Lookup table files » New Table Lookup File. and use below search  index=<your_index> [inputlookup hosts.csv | table host ] Select date range on the top right side of the search bar to get the appropriate results.   let me know if this helps!   ... View more

Hey could you please try this :   | makeresults | eval _raw="Mar 31 18:18:35 LUM-EVERE-PAFW-R8-17-T1 1,2022/03/31 18:18:35,015701001564,TRAFFIC,drop,2305,2022/03/31 18:18:35,10.81.13.68,34.240.162.53,0.0.0.0,0.0.0.0,prodedfl_access_1289,,,not-applicable,vsys4,prodedfl,prodcore,ae1.1512,,Syslog_Server,2022/03/31 18:18:35,0,1,60353,443,0,0,0x0,tcp,deny,66,66,0,1,2022/03/31 18:18:35,0,any,0,7022483376390954281,0x8000000000000000,10.0.0.0-10.255.255.255,Ireland,0,1,0,policy-deny,920,0,0,0,Production,LUM-EVERE-PAFW-R8-17-T1,from-policy,,,0,,0,,N/A,0,0,0,0,2d8c02f8-e86f-43cf-a459-01acdb26580a,0,0,,,,,,," | rex "\d{2}:\d{2}:\d{2},(?<src_ip>(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\,(?<dst_ip>(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\,(?:[^:\n]*:){2}\d+,\d+,\d+,(?<src_port>\d+)\,(?<dst_port>[^\,]+)(?:[^,\n]*,){5}(?<action>[^\,]+)"   let me know if this helps!    Thanks, Mayur  ... View more

try this:     | rex field=url_field "http(|s):\/\/(?<url>[^\/]+)"   ... View more

could you please tell us how your output should look like from those sample logs. ... View more

try this : | tstats latest(_time) as latest earliest(_time) as earliest where source=*restart.log by source | eval diff=latest-earliest | convert ctime(latest) ctime(earliest) ctime(diff)   ... View more