One of these could work: index="my index" sourcetype="my sourcetype" action="heartbeatfailure" | bucket _time span=1d | eventstats count BY _time host action | table _time host action failure_reason count | where count>2 index="my index" sourcetype="my sourcetype" action="heartbeatfailure" | bucket _time span=1d | stats count values(failure_reason) AS failure_reason BY _time host action | table _time host action failure_reason count | where count>2   ... View more

Yes you could do that. ... View more

Could you provide a sample an event or string that meets your criteria?  ... View more

Just add the outputlook command to the end of your search query. | outputlookup <lookup_file_name>.csv   ... View more

index=commerce ((loginSuccessful=true) OR ("profile email!="<null>" AND email!=null)) | eval login_ct=CASE(loginSuccessful="true", 1) | stats sum(login_ct) AS login_ct BY profile email ... View more

For LOL or “Living off the Land" attacks, the ideal tool is an EDR/HIDS solution that provides you with raw logs, e.g. Carbonblack, or Sysmon which is free. ... View more

There's windows event logs do not monitor NTFS. You may be able get kerberos auth to fileshares but thats about it. ... View more

Base search refers to the initial part of the query, for example, it may look like this: index=<index_name> sourcetype=<source_type> | table _time id, type, status, duration As long as you have the fields ( d, type, status, duration) available, this should work:     <base_search> | chart avg(duration) AS avg_duration BY type status | eval LAST_VAL=0 | foreach IN_QUEUE_* [ | eval CURRENT_VAL=<<FIELD>> | eval AVG_TIME_<<FIELD>>=<<FIELD>>-LAST_VAL | eval LAST_VAL=CURRENT_VAL ] | table type AVG_TIME_*       ... View more

If a user logged in from the office, how would you tell if/when they logged off or offline? ... View more

Not sure if you want one time use alert or one alert per run. For the latter: configure the Trigger to "Once" which will limit the alert to one per run.   ... View more

The lookup name is lookup_sfdc_usernames, not lookup_sfdc_usernames_kvstore.  1. Check if you have any data in the lookup: | inputlookup lookup_sfdc_usernames   If 1 doesn't work: Check if the above lookup in configured in lookup definition. Check if the populating search "Lookup - USER_ID to USER_NAME" is scheduled.  Once  you have the lookup working, you should modify the dashboards to point to this lookup.     ... View more

  <base_search> | chart avg(duration) AS avg_duration BY type status ... View more

Wow, you did provide fair warning, there's a lot to unwind here. Just on a high level, the very generous use of multiple append and joins forces the search and processing to occur in a certain sequential order which is likely the cause of the delay. In particular, the join in your base search 2 would the first I would focus on. When using a join, the subsearch actually runs before the main search. See if this is the issue by deleting the join in your 2nd search and see how it impacts performance. ... View more

If you're willing to provide the query of the base searches, i'll be happy to help optimize it. ... View more

How are you generating the multivalued filters for services_type and type? Are you using base searches in the dashboard? ... View more

It'll be easier if you can provide a sample query for the first and second search. ... View more

You can utilize condition match to set the link target. https://kinneygroup.com/blog/mastering-splunk-drilldowns-with-conditions/   ... View more

I'm not sure if there are other ways, but I've only used CURL to submit an package for cloud vetting. https://dev.splunk.com/enterprise/docs/releaseapps/cloudvetting ... View more

You have to have the app validated before it can be installed on Splunk Cloud.  https://dev.splunk.com/enterprise/docs/releaseapps/cloudvetting ... View more

You will have to build a dashboard and configure the drill down to open the URL value of the field. ... View more