This ^^^ or permission issues or ... anything else that could cause an error in ES. Did you check all the internal logs of Splunk to see if you get errors when opening the 'Incident Review'? Any other error in any other log files? As @DavidHourani has asked, did you recently upgraded and did you restart Splunk after that? Have to tried to _bump the Splunk instance? I could add so many things to this list, but without more details we will never be able to help. cheers, MuS PS: It looks like you did not get my previous joke about 42 😉 ... View more

Hi henderz, please have a read about the timewrap command https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timewrap#Examples This SPL command provides options to achieve your use case. Hope this helps ... cheers, MuS ... View more

There are 42 matching events ... I reckon this ES has found the answer to everything 😉 cheers, MuS ... View more

Hi there, I just published your question, but you have not posted the complete dashboard XML so this will tricky to answer because we don't know what happens before the posted XML code. Please modify the question to include the complete XML code so people are able to help you. Thanks cheers, MuS ... View more

Hi chaitanya1996, Lookup files should be created, stored and use on search heads. Just read the details of the app and you will get all details needed to learn how you can update the lookup file in a search head cluster. cheers, MuS ... View more

Hi chaitanya1996, Easiest solution for this is to change the script to output the csv into the correct directory $SPLUNK_HOME\etc\apps\<yourApp>\lookups\fuel_stations.csv this will use the updated lookup file immediately when using | inputlookup afterwards. This will only work if the script is not running in a Search Head Cluster; if you plan to run it in a search head cluster you can use this app https://splunkbase.splunk.com/app/4649/#/overview Hope this helps ... cheers, MuS ... View more

Hi bestSplunker, Have a look at this run everywhere search: | makeresults count=100 | eval number=random() | streamstats sum(number) AS total | eval value=if(number > (total * 0.5), 100, 50) | stats count by value `comment("This is creating fake events ...")` | table count | transpose | eval display='row 1' ." / ". 'row 2' | table display This will create a single field with the value of 2 / 98 as an example. I'm unsure if you can do the colouring with green and red. Hope this helps ... cheers, MuS ... View more

You can check index=_internal sourcetype=splunkd for error messages for the instances. cheers, MuS ... View more

Hi MwayneSmith, a very simple approach is to use the lookup (assuming the ksv file is a lookup file?) and search for anything that is NOT in an index: | inputlookup file.csv | search NOT [search your search to get email activity | dedup user | fields user] an improved version of the search would search first the email activity events from an index, add the lookup information and count them: your search to get email activity | stats count by user | inputlookup append=true file.csv | fillnull count any result with count 0 are your users with no email activity. Hope this helps ... cheers, MuS ... View more

Can you please post samples for both results, make sure they are masked before posting and please explain what in the events represents which field if they are not key value pairs. cheers, MuS ... View more

Hi coolkris, try something like this: ( index = i1 sourcetype=s1 "Text to search" ) OR ( index = i2 sourcetype = s2 app_message = "Completed" ) | stats values(field2) AS field2 values(field3) AS field3 by field1 this will search both indexes and sourcetypes and lists values of field2 and field3 grouped by field1 . Hope this helps ... cheers, MuS ... View more

Hi anelson1, This question needs more background information, details to get a correct answer. For example, when you say but only if the term is in the last entry in the paragraph do you want to match the time stamp before as well or not? There are many other question to be answered before this answer can be answered correctly - if that make sense. As an example, if your _raw contains the message like this: Paragraph = "25.12.2019 07:24:06 UTC Initial text entry 25.12.2019 09:50:52 UTC Should this be cancelled? No additional information found 26.12.2019 05:55:51 UTC No issues from this machine today, this should be cancelled" you could use a field extraction like this: | rex "\s(?<last>\w+)\"" | search last="cancelled" | ... But if this will yield the correct results as you expect it is hard to tell without more context. cheers, MuS PS: question, SPL posted here are from a chat with cp-regex-guru and martin_mueller ... View more

What do you mean with redirecting ? Did you create a props.conf and transforms.conf configuration to send these events into a special index? I also don't see any index = option in your posted inputs.conf ¯_(ツ)_/¯ cheers, MuS ... View more

Hi gntavelis, try this on your search head: index=wineventlog (EventCode=4625 OR EventCode=4625 OR EventCode=4634) | table _time user EventCode EventCodeDescription the original post was missing a ) in the SPL. cheers, MuS ... View more

Hi abilann, The regex is looking for a case insensitive match for CPU_COUNT followed by one or more whitespace and puts the following characters that are not a new line in a field called cpu_cores (in a greedy mode). This is a literal translation of the regex. Hope this helps ... cheers, MuS ... View more

Hi abilann, Can you also please post some sample events, because with just the regex it hard to answer. Also, this posted regex is not correct because you have an incomplete group structure and the last ? does not have a preceding token. cheers, MuS ... View more

Hi MicMoo, Please post the two apps and their .conf files so people are able to help you. cheers, MuS ... View more

This a different use case, and I provide another link to a very good post https://www.duanewaddle.com/proving-a-negative/ that explains step by step how this can be done. cheers, MuS ... View more

fixed it 😉 ... View more

Hi shashi12345678, Have a look here https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Cantfinddata it contains a lot of advice what to check, but in general if you can't find your data it is most likely related to an timestamp issue where for example Splunk recognised the timestamp wrong and discarded the events because their were too old or too far from the future. Hope this helps ... cheers, MuS ... View more

Hi, try the limit= argument with ldapsearch https://docs.splunk.com/Documentation/SA-LdapSearch/latest/User/Theldapsearchcommand but as written before, as long as your LDAP server has a limit of 1000 (default for most of the LDAP implementations) you will not be able to retrieve more results. cheers, MuS ... View more

Hi smbateman, Greetings from the future. Recent versions of SCOM allow you to create an email Notification Channel https://docs.microsoft.com/en-us/system-center/scom/manage-notifications-create-email-channel?view=sc-om-2019 that you then have to subscribe to get the alerts send by Splunk using email. Hope that helps ... cheers, MuS ... View more

Hi dbattaglia, I reckon the only way to get this working like this would be in a dashboard and use token to replace the values. I don't think this is possible in ad-hoc search. cheers, MuS ... View more

Hi bjarnedein, this is a two fold issue while you can increase this limit by modifying limits.conf options for the [ldap] stanza to get more results (in theory) you will still hit the server side limit of the LDAP server. You would need to increase both settings to get more results back per query. cheers, MuS ... View more

yep, exactly what I said 😉 You can use extract to test, validate if the transforms stanza works with search results. But out of the box you will get no information, backtracking what transforms was executed against the events. The question in my eyes is misleading because it asks two different things in one post: Is there a way to tell if a regex has been applied to an event? I'm doing field extractions and want a way to confirm the field extractions applied to all the correct events for 2. the answer is extract. One can argue that it actually did not answer the first question and for arguments sake you might get something from running Splunk in debug mode or increasing the TransformsExtractionHandler log channel. But I never really tried, nor checked that. cheers, MuS ... View more