Hello, I have a heavy forwarder install on a server to monitor a certain log file. We used to read that log just fine, but after some bug fixed about log generation(on server side) and that server restart, I can't read that log file at all.  Our inputs.conf was           [monitor:///data/ESB/ACH/LOG/] disabled = 0 sourcetype = napas.itso.app.achlog index = napas.ach.app.log           And it still can read all the logs file in there, but can't read the one that we need. I have restarted the agent, restart the server and restart splunkd connection but it still can't read the one that we need. We can read /data/ESB/ACH/LOG/iib_log_summary_2022-07-12.log but can't read /data/ESB/ACH/LOG/iib_log_detail_2022-07-12.log   We check the read permission on both file but they're the same. How can I troubleshoot it? ... View more

Hello, I encounter a bug in exporting a panel in my dashboard, on my end, it's just open a new tab with nothing in it, but on my customer's side, it's show How can I go about this bug? ... View more

Hello, I have an alert that output a csv file that look like this Person Number_of_login Login_fail Person A 1   Person B 6 2 Person C 4 1   I run this search everyday and append upon the csv file. Upon a few days it'll look like this Person Number_of_login Login_fail Person A 1   Person B 6 2 Person C 4 1 Person A 2 1 Person B 7 1 Person C 4   .....       Now at the end of the month, I want to calculate the total number of login and number of login fail for each person, and also to calculate the percentage of login fail for each one. As far as I know addcoltotals don't have "by" like stats do (like stats count by Person). I want my final table to look like this Person Number_of_login Login_fail Person A 3  1 Person B 13 3 Person C 8 1 So how do I go about this? ... View more

Hello, My alert produces a table like this:   Time |ID | FILE_NAME |STATUS _time1 |3 |file1.csv |SUCCESS _time2 |5 |file2.csv |DATA_ERROR     I want to send an Inline table that only contains STATUS=DATA_ERROR. But in the body of the email, I still want to use the token $result.Time$ and $result.FILE_NAME$ from the STATUS=SUCCESS. Email body example: 1. File name success detail: File name: file1.csv Effective time: _time1 2. Data error detail: ID |FILE_NAME|STATUS 5  |file2.scv        |DATA_ERROR So it's basically, hide the STATUS=SUCCESS row- but still use its values in the token email. Thank you in advance ... View more

Hello, My alert result is a table like this I set recipent as token $result.EMAIL_LIST$ and Trigger is [For each result], but for each row it send an email as expected. I want it to send to the corresponding recipent their own block of data (Inline in email), for example NASB 1 row, COOBACK 4 rows, SEAB 9 rows, etc. I'm thinking about grouping them by EMAIL_LIST but the table don't look good and neat anymore. Does anyone have a solution for this. Thanks in advance. ... View more

Hi everybody, I have a DBinput that work normaly, valid connection, query that show data, etc. But the data very often, once or twice a day stop indexing data and I have to manually enable then disable it to make it work normal again. When I use     index=_internal source=*dbx2* mi_input://<my source>     Then the result was the job just dead stop at [action=start_executing_dbinput], no other action like check rising column, or action complete. Since it don't show anything other than stopping at action=start, no bug or error code, I don't know how to deal with it other than manually restart the job. Can anyone help me with this? ... View more

I have a csv file that I upload through Lookup Editor which have a Time column in this format 15/06/2021 14:35:00 I want to convert it to Splunk readable time or an Unix time format so I can filter out the row between two certain date (between 14/06/2021 and 7/7/2021). I have try |inputlookup sample.csv |eval time = strptime(Time,"%m/%d/%Y %I:%M:%S %p") |table time But it return "No result found". How do I go about this? Or my strptime have any errors in formatting? ... View more

Hi, I have a search that produce the following table   Organization|Amount|AcquirerBank Or_A |2000 |1234 Or_A |4000 |2345 Or_B |1200 |3456 |4020 |4567 Or_C |1456 |5678   And then I have a csv file that provide the bank code with the bank name as a mapping csv as   AcquirerBank|BankName 1234 |BankA 2345 |BankB 4567 |BankC 5678 |BankD   The target table should look something like this   Organization|Amount|AcquirerBank|BankName Or_A |2000 |1234 |BankA Or_A |4000 |2345 |BankB Or_B |1200 |3456 | |4020 |4567 |BankC Or_C |1456 |5678 |BankD    I try to use join like this   index=index |table Organization, Amount, AcquirerBank |join AcquirerBank [inputlookup bank_mapping.csv |table AcquirerBank, BankName] |table Organization, Amount, AcquirerBank, BankName   But I encounter 2 problems: 1. My index have around a million events, and [join] have a limited number of events it can join, so my result table was lack in result. 2. Also [join] don't show enough results if the mapping csv don't have the data, as the example above, if I use [join], OrB with the field Acquirer that don't exist in mapping csv will not show up. Anyone have a alternative to [join] that can resolve above problems? Thank you in advance. ... View more

Hi, I have a list of events span across more than a year, the event will contain type of card, transaction status. I want to have a table with a drop down box for user to choose month and count the event by month, the month before, status, type of card, and finally caculate the rate between them. For example, if the users  choose April, then MONTH-1 will be March, and the table will br like this:     CARD|STATUS|MONTH|MONTH-1|RATE VISA|1 |3 |6 |100% VISA|0 |8 |4 |50% MC |99 |5 |9 |90%     I then encounter 2 problem: 1. I try to test out by simple display them all by using stats     index=index |stats count by date_month date_year STATUS CARD     but it don't display [CARD|STATUS|date_month|count] like I thought it would be, it blank, it still show if I only use date_month or don't use it at all. 2. I don't know how to stats count by in two seperate months, I could display them all and then search by using token, but then I won't br able to show the month before side by side and then caculate them. Then there's also problem with different year, and 01/2022 and 12/2021. If anyone know the solution for these problems I'll be very appriciate. Thank you in advance.     ... View more

I try to use the query   eval ID = if(ORG="MC",ID=substr(ID,-6),0)   Basically, I want in my result, if ORG="MC", I want to extract the last 6 characters of the field ID that go with it, otherwise stay the same. But the result table always show ID as False if ORG="MC" How do I fix my query or have to go the other way? ... View more

Let's say I have this query   index = x |stats count as Total, sum(AMMOUNT) as TAmmount BY MERCHANT, SUBMERCHANT   I want to make a comparison by percentage between this month to the average of TOTAL three month ago. How do you go about using timewarp to  archive that goal? ... View more

I have a rather complicated query that go like this:     index=* source=* earliest=-4mon@mon latest=@mon RESPONSE_CODE="0" | bin _time span=1mon | stats count AS MonthTotal1 SUM(AMOUNT) AS MonthTotal BY MERCHANT_CODE, SUBMERCHANT_CODE, _time | eval lastMonthStart = relative_time(now(),"-mon@mon") | stats sum(eval(if(_time>=lastMonthStart,MonthTotal,0))) AS 1M_Total sum(eval(if(_time>=lastMonthStart,0, MonthTotal))) AS 3M_Total values(eval(if(_time>=lastMonthStart,MonthTotal1,null()))) AS Transaction sum(eval(if(_time<lastMonthStart,MonthTotal1,null()))) AS THREE_MONTHS BY SUBMERCHANT_CODE, MERCHANT_CODE | eval 3M_Total_avg = round(3M_Total/3,2) | eval RATE_Total = round((1M_Total/3M_Total_avg)*100,2) | search RATE_Total>=200 OR RATE_Total=0 | join MERCHANT_CODE [search index = * | dedup MERCHANT_CODE | table MERCHANT_CODE, BANK] | table MERCHANT_CODE SUBMERCHANT_CODE, BANK, 1M_Total, RATE_Total       It seem complicated but the gist is I have to compare the lastest month total value of transaction to the average of 3 months before it for each sub-merchant, if the rate is >200%, show it in a table. The typical event go like this (I'll omit some unnecessary parts):     2021-10-25 13:52:33 TRANSACTION_ID="144479283"AMOUNT="10000", MERCHANT_TRANSACTION_CODE="17797161285", RESPONSE_CODE="0",MERCHANT_CODE="MOMOCE", SUBMERCHANT_CODE="22312"     Something to note: - Each MERCHANT can have several SUBMERCHANT, or don't have one at all, so the field SUBMERCHANT is not always exist in events. - Each MERCHANT have a BANK associate to it, but in another table.  I have a query just for SUBMERCHANT as a baseline to compare results, but somehow the query above, and even if I use (eventstats) instead of (stats), all show all different results than the baseline.  Does anyone have anyideal to untangle this mess, I'll really appreciate! ... View more