Update: there will be soon an update to the app released which works on Splunk 7.1.x. It also features the option to only reload one specific entity, and can now be used in production environment because it excludes by default certain entities. Link to the app: https://splunkbase.splunk.com/app/1871/#/details cheers, MuS ... View more

Hi ninadbhaskarwar, you can use eval and strptime() to use your Execution_Date field as _time . Here is just an example: ... | eval _time = strptime(Execution_Date, "%d/%m/%Y") | ... Read more about strptime here http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/DateandTimeFunctions#strptime.28X.2CY.29 Hope this helps ... cheers, MuS ... View more

yeah, sorry to hear. It looks like CentOS does not like it very much .... I had planed to update the app anyway, and to use a LDAP egg instead. Feel free to accept the answer if it was helpful 🙂 cheers, MuS ... View more

Hi kennethhartley1, It's I again 🙂 The app hits the REST endpoint /services/apps/local/$$title$$/package to create the app package, and https://$row.splunk_server$:$row.mgmt_port$/static/app-packages/$row.name$.spl to download the package to your computer. Try to do it with an account that has the admin role to be sure to have the correct capabilities. Nevertheless I summon @martin_mueller the creator of the app just in case he needs to add something. Hope this helps ... cheers, MuS ... View more

Hi Kennethhartley1, The approach you took is not the best option, and as you already noticed will break a lot of things for various reasons. The easiest way to achieve this, is to create an app and make sure all your dashboards, reports are shared in this app. Next use this Splunk app https://splunkbase.splunk.com/app/2613/ to export the whole app from the Splunk instance - it is all done in the Splunk UI. After that you can install the exported app wherever you need. Hope this makes sense, and helps ... cheers, MuS ... View more

You don't have to install the package, the package is included in the TA .... but you need to make sure that the included version has all needed dependencies available. cheers, MuS ... View more

Well, in theory tokens are replaced in a dashboard before the search runs, so this should work as long as ABC_hosts uses the proper format of a macro `ABC_hosts` so, just try it and see if it works for you 😉 cheers, MuS ... View more

Hi Log_wrangler, is that on Windows? there are some things that seams not to work on Windows, like this one here https://answers.splunk.com/answers/550028/how-to-convert-64-bit-number-from-decimal-to-hex.html?childToView=592719#answer-592719 maybe you juts found another feature 😉 cheers, MuS ... View more

hmm, exactly as already posted and described below .... ... | eval correlation_field=case(isnotnull(IP), IP, isnotnull(IPaddr), IPaddr, 1=1, "unknown") | stats values(*) AS * by correlation_field cheers, MuS ... View more

I don't know ¯\_(ツ)_/¯ you can log an enhancement request for it if you like 😉 ... View more

Add see here https://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-stanzas.html#answer-38650 @jrodman 's comment from 2012 why you should not rely on it ... ... View more

Hi there, the regex works fine. Here are a few things to check: Did you apply the props.conf / transforms.conf on the parsing instance (the first full Splunk instance that receives the events)? Did you restart that Splunk instance after you applied the props/transforms? no typo in the sourcetype name? maybe use TRANSFORMS-nullQueue-tcpdenied307-firefox = tcpdenied307-firefox just to make sure the <class> is uniq. it only applies to new data coming in, not historical data cheers, MuS ... View more

You know that you can run a REST search on a remote server? If it is a search peer, simple run the search and add splunk_server=MyHeavyWeightForwarder to it, or run a remote search from the CLI : $SPLUNK_HOME/bin/splunk search "| rest /services/apps/local | search disabled=0 | table label version" -uri https://MyHeavyWeightForwarder:8089 BUT, This will only work if you either changed the default password or allowed remote logins. cheers, MuS ... View more

Okay, that's a different requirement now ... is it: you want the last occurrence of a string? you want the last occurrence of a string followed by value="nomatch" ? ... View more

Hi mmdacutanan, sample events would be helpful, but basically you can use the very expensive negative lookahead regex to get the last occurrence of PS1234_IVR_DM like this : (\bPS1234_IVR_DM\b)(?!.+\b(?<input>\1)\b) The above is the regex you can use. Hope this helps ... cheers, MuS ... View more

Hi there, Short version of the story: .spec files must exist for modular inputs, and they are processed by Splunk as a kind of template for the modular input. cheers, MuS ... View more

A reload deploy-server will update any changes in the Apps/TA's and the deployment client will get the updated Apps/TA's. If the Apps or some App in your serverclasses is configured to restart Splunk it will also restart Splunk after the deployment. Hope this makes sense ... cheers, MuS ... View more

Hi responsys_cm, You are entering danger zone, here: You can parse cooked data again, without any problem. You just need to change one little setting, you can read more about it here : https://answers.splunk.com/answers/168491/routing-data-to-index-using-sourcetype.html#comment-168781 Also, pay attention to the remark made by @jrodman ! I would also recommend adding a dedicated heavy weight forwarder to do the re-parsing of the events, instead doing it on the indexers. Another option is to wait until after .conf18 - hint https://conf.splunk.com/learn/session-catalog.html?search=FN1919#/ 😉 Hope this helps ... cheers, MuS ... View more

Hi hunterpj, I would strongly recommend against doing an automation of restarting Splunk. I saw customers doing such a thing, and running into troubles because of rouge scripts, or forgot about it..... If I have to restart Splunk remotely and controlled, I use this approach https://answers.splunk.com/answers/529270/after-deploying-apps-using-the-deployment-server-d.html cheers, MuS ... View more

Just an addition here: the debug refresh app should not be use in any production system (as mentioned in the app readme), because it will kill all TCP/UDP inputs regardless which can lead to event loss. cheers, MuS ... View more

Hi vikfnu, yes, you can improve this search by not using join ! Nope, as long as you use join this will break sooner than later, because of all the obvious and hidden limits of the sub search http://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Aboutsubsearches#Subsearch_performance_considerations But back to your SPL, try this instead: index=mine source=File4.csv OR source=File1.csv OR source=File2.csv OR source=File3.csv | eval " Analysis Field4" = case(like(f1,"Y"), "Compliant", like(f2,"Y"), "NonCompliant") | eval AnalysisField1 = case(like(field2,"Y"), "Compliant", like(field2,"N"), "NonCompliant") | eval "Analysis Field3" = case (like(fa,"Y") AND (like(fb,"Y") OR like(fb,"N") ), "Compliant", like(fa,"N") AND (like(fb,"Y") OR like(fb,"N") ),"NonCompliant") | eval JointAnalysisField1UField3=case (like("Analysis Field1”,”Compliant”) AND (like("Analysis Field3”,”Compliant”) OR like("Analysis Field3”,”NonCompliant”) ), "Compliant”, like("Analysis Field1”,”NonCompliant”) AND (like("Analysis Field3”,”Compliant”) OR like("Analysis Field3”,”NonCompliant”) ),"NonCompliant”) | eval finalanalysis= if ( match( JointAnalysisField1UField3, "Compliant”) AND match ("Analysis Field1”,”Compliant”), "COMPLIANT”, if(match( JointAnalysisField1UField3, "NonCompliant”) AND match ("Analysis Field1”,”NonCompliant”), "NONCOMPLIANT”, "UNDEFINED)) | stats values(*) AS * by Field1 This will do the same as your multiple join search, it gets all various events from all 4 csv files and performs 'analytics' on them, and and shows results by Field1 . To add more sources, sourcetype, and/or indexes simply expand the first base search by adding what you need. One thing I noticed: You use multiple variations of field names, like upper and lower case, added spaces in front, and so on. You use ” instead of " - this is a big difference in SPL If a field value is literal "Y" use it like this FA="Y" instead of like(FA,"Y") Be consistent with filed names, and be sure to use the right " , also please read all the answer posts, you listed above, again. You found the right advice still you use join 😉 cheers, MuS ... View more

google shows this as first https://publications.lexmark.com/publications/pdfs/lexmarkt522/eng/messages.pdf ... View more