A few things to check here: you are using summareisonly in the tstats search, are the DMA searches running and summaries are available? compare apples with apples, use your base search from the data model with your get-_index search talking of base search: does it return the expected results? Knowledge objects available to the DMA searches? permissions? Just a starting point, but good to check ... cheers, MuS ... View more

Hi there, well you need to adapt the example to match your fields in the events 😉 cheers, MuS ... View more

Hi ChandrikaYalam, You are actually not unable to upload the data, you uploaded the tutorial data just fine. Your Splunk instance is just telling you that it is not able to show you a preview of the data, because it is zipped. All you need to do is click the big green next button on the screen and follow the instruction from the docs http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/GetthetutorialdataintoSplunk Hope this helps ... cheers, MuS ... View more

Hi there, another one would be tstats which is lighting fast, because it does not look at any _raw data : | tstats count WHERE index=* by sourcetype, index cheers, MuS ... View more

Indeed this is the right command to do such a thing, here is an example : Base search here | map search="| sendemail to=$recipient$ subject="words here" from=splunk@company.com message="We have this $Number$ for you"" Here are more examples https://answers.splunk.com/answers/186045/how-can-i-use-a-combination-of-map-and-sendemail-t.html cheers, MuS ... View more

You are welcome! Converted to an answer, and you are welcome (again 😉 ) to accept it. cheers, MuS ... View more

If you are really trying to monitor UNC shares I recommend reading this answer https://answers.splunk.com/answers/218965/how-monitor-logs-on-a-unc-path.html and regarding the wildcarding; this should work \\shared\test\...\logs\xxx* cheers, MuS ... View more

Nope, that will not work. But you can use any kind of regex as transforms to get around this JSON in JSON problem. See this answer https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html to learn how it can be done. Additional hint: the regex mentioned in this answer will not work for your JSON in JSON thing ... try \\"([^\\]+)\\":([^,]+) for a start 😉 cheers, MuS ... View more

Are you sure you delete the right passwd file, and restarted Splunk immediately after deleting it? Also, did you enter the changeme pwd anywhere else (like just in the terminal, in a text editor or so) just to validate there is no weird keyboard behaviour or weird keyboard layout issue? ... View more

Hi abhi04, first you run your search to get the events and add an eval statement to check if the field exists or not, and if not assign it the value. Try this: your search here | eval SSLProxyEngine = case(isnull(SSLProxyEngine), "NONE", isnotnull(SSLProxyEngine), SSLProxyEngine, 1=1, "unknown") the last option is for events that does not match anything 😉 Hope this helps ... cheers, MuS ... View more

Agreed to check and verify permissions along the path to reach the file, and even some sysadmins try to tell a different story - you need execute permission on a directory to be able to cd into it 😉 cheers, MuS ... View more

Or like recommended in the other question https://answers.splunk.com/answers/668401/need-to-find-conf-files-on-a-splunk-interface-only.html#answer-667686 by using the Web Terminal App https://splunkbase.splunk.com/app/1607/ and run btool in there. cheers, MuS ... View more

Enhancement post from the future 😉 Replace the second search with this tstats search to get lighting fast search performance : | inputlookup YourLookupHere | eval count = 0 | join type=outer sourcetype host     [ | tstats count(sourcetype) AS count     WHERE index=_internal OR index=* by sourcetype host  ] | where count == 0 |  table host sourcetype | sort host cheers, MuS ... View more

Might be a permission issue. If you can use the Web Terminal and run btool you would get a list that you can use to copy / paste. cheers, MuS ... View more

... worked only on that day til 11:59pm ... sounds like this is related to a log rotate happening then. Might be worth reading this first http://docs.splunk.com/Documentation/Splunk/latest/Data/Howlogfilerotationishandled and afterwards this answer https://answers.splunk.com/answers/185453/why-copytruncate-logrotate-does-not-play-well-with.html cheers, MuS ... View more

Yes, that looks better because in the first try you used rename ip as search which will mess up the returned list of results. Usually I test the lookup based subsearch on its own until format returns the list I want to search for or want to exclude from a search. cheers, MuS ... View more

Hi mallempatisreedhar, You did not provide a lot of information, so this will be a very generic answer. But the more important question is: what tool will you use to upgrade the universal forwarder? One thing to start with: even it is possible you should not use Splunk deployment server to upgrade an universal forwarder. So, here is a list of examples based on the tool you might use: if you use Puppet -> https://answers.splunk.com/answers/58396/puppet-module-to-deploy-universalforwarder.html if you use Chef -> https://github.com/chef-cookbooks/chef-splunk if you use Ansible -> https://galaxy.ansible.com/scathatheworm/splunk-forwarder/ if you use another tool, ask Google for help there are a lot of instructions available. Hope this helps ... cheers, MuS ... View more

Hi eduardKiyko, looking at your schedule = 0 * * * entry it looks like your are missing one additional * . Therefore this is not a valid cron schedule and Splunk uses the default option for schedule. From the docs https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf schedule = [<number>|<cron schedule>] * How often to run the specified PowerShell command or script. * You can specify a number in seconds, or provide a valid cron schedule. * Defaults to running the command or script once, at startup. Find more details on valid cron notation here https://en.wikipedia.org/wiki/Cron#Overview Hope this helps ... cheers, MuS ... View more

Okay, lets take a different approach here ... join is not the join one knows in the DB world. join is one of the most inefficient SPL commands, and has a lot of limitations, by using sub searches, that you can hit even without knowing you hit them http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches#Subsearch_performance_considerations On the other side stats is one of the most efficient SPL commands you can use, more here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html or here http://sideviewapps.com/slides/2017_05_02_sideview_let_stats_sort_them_out.pptx That said, if you combine two searches as base filter, and make them as specific as possible by using all metadata fields index , source , sourcetype , and host as well as all needed fields like foo=* and/or bar=* and add the fields command http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fields after the first | you will tell Splunk just to look for and return these fields. In addition using stats you will make Splunk to use map reduce and parts of the search results are pre-processed on the indexers. Any search using sub searches will be most likely run twice as long (there are exception) and put more load on the servers. So by using a join you actually do exactly what you mentioned as reason you don't want to use a stats search 😉 Hope this makes more sense now, and give it a try and compare the run times of the join search and of the stats search ... I'm pretty confident you will no longer use join after this comparison 😉 cheers, MuS ... View more

Hi karthikmalla, give this a try: index="someindex" user="ABCD" OR index="windows" | eval username=case(isnotnull(user), user, isnotnull(username), username, 1=1, "unknown") | fields username, firstname, lastname | stats values(*) AS * by username add a table to sort it as needed. Hope this helps ... cheers, MuS ... View more

Well anyone with Splunk installed can check their local cli.py in $SPLUNK_HOME/lib/python2.7/site-packages/splunk/clilib ... cheers, MuS ... View more

Hi dwong2, there are multiple options for this problem, but it is hard to provide the one solution that works best for you without more details. So, lets start with using a sub search: Use the search that returns the least results in the sub search, this is because sub searches have some limits that can bight you http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches#Subsearch_performance_considerations . A simple example would be : index=2 [ search index=1 | fields SomeFieldYouWant | format ] That will search index=2 for a single result found in index=1 http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format The next level is to use return with a sub search: index=2 [ search index=1 | fields SomeFieldYouWant | return ] That will search index=2 for a list of OR results found in index=1 http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Return The much better option is to ignore all kinds of sub searches, joins, appends, transactions at all and just use stats ; Read more about the stats approach here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html or here http://wiki.splunk.com/Virtual_.conf the March 2016 session of @sideview Hope this helps ... cheers, MuS ... View more