I have tried the below query as per your suggestion, But not getting the result, index=_audit sourcetype=audittrail action=success AND info=succeeded | eval secondsSinceLastSeen=now()-_time | eval timeSinceLastSeen=tostring(secondsSinceLastSeen, "duration") | stats count BY user timeSinceLastSeen | append [| rest /services/authentication/users | rename title as user | eval count=0 | fields user ] | stats sum(count) AS total BY user timeSinceLastSeen, ... View more

your query is showing who is successfully logged into splunk.. not the user not logged in splunk.  ... View more

I am looking the for the search query to show of any of the user not logged into splunk.  For example, we have 1500 user accounts but only 1200 user logged into splunk for last 90 days and remaining 300 user are not logged, so i want to list the 300 users. i have retention period of 1 year. ... View more

Thank you for your kind response, I am getting 10 detections if there are10 rows in the result But the average time to detect should be an average of all the time differences from 1 alert mean time.  Please find the attached screenshot for more information.  Splunk alert splunk_attack_1 triggered 2 times, i want to take the avg of time and display only one result with difference.  Sample result  _time search_name    event time Hour at Source Mean Time to Detect 2/5/2024 19:47:10       Splunk_Attack_1 2/5/2024 17:47:10       2 Hr 3 Min 19 Secs.000000   2/5/2024 19:20:10       Splunk_Attack_1 2/5/2024 17:20:10       2 Hr 7 Min 18 Secs.000000   2/5/2024 19:30:35       Splunk_Attack_2 2/5/2024 18:30:35       1 Hr 37 Min 12 Secs.000000   2/5/2024 18:20:15       Splunk_Attack_2 2/5/2024 18:20:15       1 Hr 26 Min 15 Secs.000000   2/6/2024 18:05:15       Splunk_Attack_2 2/6/2024 18:05:15       1 Hr 26 Min 15 Secs.000000   2/7/2024 16:55:15       Splunk_Attack_3 2/7/2024 14:55:15       2 Hr 0 Min 18 Secs.000000   2/8/2024 16:35:15       Splunk_Attack_3 2/8/2024 14:35:15       2 Hr 20 Min 18 Secs.000000   2/9/2024 16:10:15       Splunk_Attack_3 2/9/2024 14:10:15       2 Hr 40 Min 18 Secs.000000    Expected Result  _time search_name    event time Hour at Source Mean Time to Detect 2/5/2024 19:47:10       Splunk_Attack_1 2/5/2024 17:47:10       2 Hr 3 Min 19 Secs.000000   2/5/2024 19:20:10       Splunk_Attack_2 2/5/2024 17:20:10       2 Hr 7 Min 18 Secs.000000   2/5/2024 19:30:35       Splunk_Attack_3 2/5/2024 18:30:35       1 Hr 37 Min 12 Secs.000000     ... View more

we have nearly 700+ index configured in splunk and more than 1000+ sourcetypes associated with it. So  I will need to find out which index and sourcetype is not used by user in any of the savedsearch, dashboard, macro, Ad-hoc searches, alerts. I was looking into audit index for last 90 days but didnt get accurate result.   i  will need splunk query to get the report to show unused index and sourcetype.  ... View more

Hi, thank you for the update, i have the above query but getting the result for few  events not all. please see the attached screenshot.  ... View more

I am measuring the lag diff=_time - event_time ... View more

This answer is not relevant to my question.  I am looking for the splunk query to get the index and sourcetype delay. very simple..  ... View more

I have given the example of 5 hours span time log delay in last 30 days.. its not specific to particular sourcetype. I want to see if any log delay in splunk.  ... View more

we see a delay of over five hours in indexing. Is there a way to find out where these events "got stuck" or please let me know query to get the how much time log delay ... View more

When I look at the average and max size of the events, I see that the Max event size sometimes is exactly 300,000 bytes, which is suspicious. Please let me know did the event fields change ? if we receiving 10 events in one chunk of 300,000 bytes ? ... View more

Thank you, I am getting the result but unwanted fields are coming like jira, macro, filename. How to get rid of this from result ... View more

I am looking to find out the license usage for particular dataset in events. Please let me know if any clue.  index=aws sourcetype=aws accoutn=123456    ... View more

This is not working at all, We will get all the searches running in splunk. because there is no keyword to identify whether search is savedsearch or Ad-hoc search or Reports.  ... View more

There is no reason field in audit log to explaing the info, even i am not finding it anywhere splunk documentation.  Is there any other way to get the search query stopped by user using splunk queries?  ... View more