When using the Field Extractor can you use the same name for a field? will it append or add to the original field create Example I am extracting from the _raw data Found that some of the _raw data didn't match when I highlight when using regex match I was getting the red x as the example below, that should of captured it since both logs are identical in patterns. So I extracted twice on a single field on two data sets. will it append? And add it onto the field of data to look for?   ... View more

My search query: Index=xxx <xxxxxxx> |eval Date=strftime(_time,"%Y-%m-%d") | lookup holidays.csv HolidayDate as Date output HolidayDate | eval should_alert=if((isnull(HolidayDate)), "Yes", "No") | table Date should_alert | where should_alert="Yes" So I've been trying to create an complicated alert. unfortunately it failed, and is looking for guidance. The Alert is setup is supposed to fire if there are no results OR more than 1 unless it's the day after a weekend or holiday, in which case, this is to achieve the alert to look for 0 results OR  anything other than 1 I've added below the following: Trigger conditions: Number of results is not equal to 1 so when a date appears on the Muted date(holiday.csv) I want. turns out it had 0 events that day. and the 0 events/results triggered the alert and fired on Easter date. Also when we Mute a dates does it make it return 0 events? so technically it will still fire on the dates due to my trigger condition, how can we make sure it mutes on the holiday.csv lookup file , and yet alert on 0 events that are not on the holiday.csv ... View more

So jumping into this search  question https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/288845 my search I am using: | rest /servicesNS/-/-/saved/searches splunk_server=local | search disabled=0 |table title, disabled, action.hangout_chat_alert, action.email I came a across the question of there is any documentation on what the 1, 0 or Blank means? on some of the fields . I have this alert that only has HangoutChat alert setup when I run this query below It shows title disabled=0  action.hangout_chat_alert=0 and action.email=0 I'm confused as to why email and hangout are returning the value 0 shouldn't it be like. disabled = 0 is returning me all alerts that are active and 1 is alerts that are actually disabled. title disabled=0  action.hangout_chat_alert=0 and action.email=blank my understanding with the 1 , 0 , and blank is 1 is enabled 0 is disabled and blank is that it was not setup with that action. Now on the original post you can see Mr @woodcock is explaining below that alert.track=1 means its a alert and 0 means its a report. with all the other ones I don't believe it works the same . is there a documentation that has this topic covered? and how does my alert above fall into with action.email=0 even though I clearly have not set that action with my alert.  only hangoutchat as the action.   ALL APPS: |rest/servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule Search app only: |rest/servicesNS/-/search/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule   ... View more

I have a Holiday.csv file that imports dates for specific holiday dates. example: 2024-04-01 2026-12-29 2028-06-26 I am working on muting alerts during a day after the dates. So, if the holiday was on Monday, it shouldn't fire on Tuesday, if the holiday was on Tuesday, it shouldn't fire on Weds, etc. The weird one is if the holiday is on a Friday, then we actually don't want the alert to fire on Monday this is what I have for my query.  just not sure how I would add in the Friday scenario if I did   strftime(_time+86400,"%Y-%m-%d")  ```to add one day```  index=<search> | eval Date=strftime(_time,"%Y-%m-%d") | lookup holidays.csv HolidayDate as Date output Holiday | eval should_alert=if((holidays.csv!="" AND isnull(Holiday)), "Yes", "No") | table Date should_alert | where should_alert="Yes" If something like this is possible in Splunk, I think it would work: if holiday is a Friday, add 3 days, otherwise add 1 day ... View more

Splunk is there a way to dump out all ServiceNow add on setup for each/all alert? trying to grab all alerts that has this action and put in a table with all the setup it has : state, CI, contact  type, assignment group ,....ect     ... View more

    I've created two dropdown menu that takes in tokens in my search 1 drop down I get to select server (Token $server$) 2nd drop down to help filter the dashboard into individual applications number I have token($appnumber$) the host usually appears as host = servername-appnumber I tried this: host="$server$-$appnumber$" what am I doing wrong? and advice or help would be appreciated ... View more

index=test pod=poddy1 "severity"="INFO" "message"="IamExample*" | rex field=message "IamExample(?<total>).*" | rex field=message ".*ACCOUNT<accountreg>.*):" | rex field=message ".*Login(?<login>.*)" | rex field=message ".*Profile(?<profile>" | rex field=message ".*Card(?<card>)" | rex field=message ".*Online(?<online>) " | stats count(total) as "Total" count(accountreg) as "Account" count(login) as "Login" count(profile) as "Profile" count(card) as "Card" count(online) as "Online " Choosing a bar chart to display has "Total" show on the left hand side is there a way remove it? also hovering over the chart its showing the count is there a way to make it display like this example below? field, count , percentage we want to divide Account , Login , Profile, Online it by Total that we have above          ... View more

Using Splunk Cloud  Add-on for Salesforce I had Configuration all setup and it gave me a green light saying Successfully add an account but when I move over to Input tab I get "request failed with status code 500 splunk saleforce add on input" Error  on version 4.9 I ran a update on the app it is now on  Version 4.10.0   and now I get this on the Input Page     ... View more