If you add a search filter for a role then the filter applies to *all* searches made by users with that role. IOW, if you add "Source=123456" to the search filter with the intention of restricting results from index=A, it also will restrict the results from index=B and all other indexes. ... View more

Entire CMC dashboards cannot be cloned, but you can copy individual panels.  Click on the Open In Search icon (magnifying glass) to open the query in a new tab.  Modify the query as desired and then save it in a custom dashboard. It's not clear which dashboard you wish to put in the service desk's app.  If it's the custom dashboard created above, then just save the dashboard in that app.  If it's the CMC dashboard, edit the navigation menu to add the CMC dashboard to the app's menu bar. ... View more

See if this gets you started. <<your search for events>> ```Determine if the event is from today or yesterday ``` | eval day=if((now() - _time) >= (now() - relative_time(now(), "@d")),"today", "yesterday") ```Keep the most recent event today and yesterday for each URL | dedup url, day ```List the actions for each URL``` | stats list(action) as actions, values(*) as * by url ```Keep the events with different actions | where mvcount(actions) = 2 ```Keep the events where the first action is 'allowed' and the second is 'blocked'``` | where (mvindex(actions,0)="allowed" AND mvindex(actions,1)="blocked") ... View more

@netmart wrote: I wanted to filter Cisco ISE Logging Activities by authentication, authorization, and accounting. So far, I've been able to filter by Accounting, but not the other two. Why not the other two?  What happens when you try? In Cisco ISE Logging, TACACS Accounting has been linked to splunk server. What does it mean to link to a Splunk server? And I am running the following filter: <ISE Server> AND "CISE_TACACS_Accounting" AND Type=Accounting | stats count(_time) by _time. Have you tried adding the other types to the query? <ISE Server> AND ("CISE_TACACS_Accounting" OR <<name for ISE authenticaton>> OR <<name for ISE authorization>>) AND (Type=Accounting OR Type=Authentication OR Type=Authorization) BTW, there's little value in counting events by timestamp. ... View more

We are not Splunk Support - we're users like you. To properly troubleshoot an issue using regular expressions, we need to see some sample (sanitized) data.  Currently, I'm concerned that events with "22" in the timestamp will be sent to nullQueue. The preferred way to specify the index for data is to put the index name in inputs.conf.  If the index name is absent from inputs.conf, data will go to the default index.   ... View more

Have you tried the table command? index="acoe_bot_events" unique_id = * | lookup "LU_ACOE_RDA_Tracker" ID AS unique_id | search Business_Area_Level_2="Client Solutions Insurance" Category="*" Business_Unit = "*" Analyst_Responsible = "*" Process_Name = "*" | eval STP=(passed/heartbeat)*100 | stats sum(heartbeat) as Volumes sum(passed) as Successful avg(STP) as Average_STP by Process_Name, Business_Unit, Analyst_Responsible | eval Average_STP=round('Average_STP',2) | table Process_Name, Analyst_Responsible, Business_Unit, Volumes, Successful, Average_STP   ... View more

The indexers extract fields from events as they are read from the index.   As @PickleRick implied, the effort put into that extraction is determined by the search mode (Fast, Smart, or Verbose).  Each extracted field takes up memory for processing and network bandwidth to send to the SH.  Using the fields command helps reduce the number of fields retained so you have memory and bandwidth. Indexers do not decide if a field is interesting or not - the SH does that. ... View more

Yes, the fields command can affect the amount of data returned to the SH.  It's something I recommend to all of my customers as a way to improve search efficiency. Just to be clear, the command does NOT extract any fields.  It merely says which ones should be discarded (- option) or retained (+ option).  Actual extractions are done by the rex command or the EXTRACT setting in props.conf. ... View more

The fields command is a distributable streaming command because it *can* run on indexers.  That does not mean it cannot run on search heads. It's also possible you are confusing "search-time" field extraction with something that only occurs on a search head.  Indexers also perform search-time field extraction. ... View more

The cause is in the error message: "certificate verify failed: self signed certificate in certificate chain".  Make sure all of the search heads have the same PEM file. ... View more

@RSS_STT wrote: split function proving error. I'm not sure what to make of that, but take it you get an (undescribed) error with the code I provided.  I found a missing argument so please try the revised SPL. ... View more

The output of the values and list functions are always in lexicographical order.  That destroys any relationship that might exist between/among fields. The solution is to combine related fields into a single field before stats and then break them apart again afterwards. | eval tuple = mvzip(keyword, doc_no) | stats values(tuple) as tuple by token_id | eval pairs = split(tuple, ",") | eval keyword = mvindex(pairs,0), doc_no = mvindex(pairs, 1) | fields - tuple, pairs   ... View more

Splunk offers several free online courses that should help you.  Go to https://education.splunk.com/Saba/Web_spf/NA10P2PRD105/guestapp/catalog/browse/categ000000000003041?selectedTab=LEARNINGEVENT and look for "Intro to Splunk", "Introduction to Dashboards", "Using Fields", and "Visualizations". ... View more

Do not mess with software that ships with Splunk.  You may break something and/or lose support. Open a support case or go to https://ideas.splunk.com to report the vulnerabilities. ... View more

Splunk requires the certificate file to be in PEM format with individual certificates in a specific order.  See https://docs.splunk.com/Documentation/Splunk/9.4.1/Security/HowtoprepareyoursignedcertificatesforSplunk ... View more

A fresh installation of Splunk on a system that has never run Splunk before will have a built-in 30-day Trial license.  Once the trial license expires, it automatically becomes a Free license, which has several limitations. A fresh installation of Splunk on a system that already has Splunk on it will not get a new trial license.  The instance will continue to use the current license. If the instance is not being used for Production, you can go to https://dev.splunk.com to get a Dev license.  Sign in as Admin then go to Settings->Licensing to install the license. ... View more

What instance type (standalone, etc.)?  What platform?  Have you tried updating the license? ... View more

I was able to eliminate the _time column by changing the event tag to a table tag. <table> <search> <query>index=_internal | fields - _time | table ApplicationName, ApplicationPath, LastRun</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="refresh.display">progressbar</option> <fields>["ApplicationName","ApplicationPath","LastRun"]</fields> </table>   ... View more

Please share your query so we can see how you're creating the column header.  I suspect you need to remove "_time" from the table command. ... View more

Contact Splunk Education at education_amer@splunk.com ... View more

It's been a while since I've done this, but it may help to put the library in the app's bin/lib directory. ... View more

Investigate the data source to determine why it does not have the AppDomain field.  Perhaps it's not present and perhaps it's present under a different name.  For the latter, add an EVAL or FIELDALIAS definition to map the field to the expected name. I advise against changing third-party dashboards.  Once you do that, it becomes your responsibility to keep the dashboard up-to-date.  Updating the app will not update the dashboard because it will be a local change that overrides the default that ships with the app. ... View more

Include the library in the bin directory of the app that contains your custom command. ... View more

The first search is looking for non-empty AppDomain fields, but the second search shows the events do not have an AppDomain field at all.  That will keep the dashboard from displaying data. ... View more

I asked for searches and you gave me screenshots of not searches.  How does that help you? ... View more