Haha thanks brother. That's very kind of you, especially when your SPL skills are far better than mine, hands down 🙂 I believe reverse won't be required here, because last in streamstats would pick the oldest value from the bucket, which is 10 mins old, which I think the author is looking for. I can certainly be wrong though, so reverse can be used to fix it, if author shall choose to do so. ... View more

Maybe this can help: index=mcafee sourcetype=Meg earliest=-10m latest=now() |bucket span=10m _time | streamstats current=t time_window=10m window=1 last(status) as prev_status | stats values(_time) as Time values(sender) as Sender values(dest) as Destination values(status) as Status values(prev_status) as prev_status by host|sort-Time | search status="Emailed Deferred" AND status==prev_status ... View more

You have multiple ways to extract these events. You can extract them on your search head using fields extractor, you can also extract them using your props.conf, by using different regexes for different fields. Whatever suits your current requirement the best. I'm using both the methods to extract some fields with different types of data. ... View more

Yeah. This will not work on Universal forwarders. You'll have to implement it on your Indexers. It'll work then. ... View more

Could you try the regex which I gave on the props.conf only and see if that breaks the events for you. Please restart the service as well. Where is your props.conf stored? HF, Indexers? ... View more

Save it as an alert. That should do the trick for you, whenever your alert detects if a service isn't running. index="index-name" source=ps host="hostname*" process="process_name" | dedup host process | join host [search index="index-name" source=ps host="hostname*" process="process_name" | stats latest(host) latest(_time) by host |eval lastSeen='latest(_time)'|fields host lastSeen] |eval status=if(lastSeen<(_time - 300), "not running","running") |table host status process | search status = "not running" If it doesn't help, you can save the specific condition status = "not running" in aler settings -> Trigger Conditions -> Trigger alert when and from the drop down, select custom and define the condition there. Hope this helps, ... View more

\The section ** Schedule PDF Email Delivery ** will fulfil your requirement, by sending you the PDF of your dashboard via email. https://docs.splunk.com/Documentation/Splunk/8.0.3/Report/GeneratePDFsofyourreportsanddashboards Let me know if it helps. Thank you, ... View more

No worries, my friend. ... View more

Hello my friend, Your post have been the most insightful. I'll like to add one thing. I recommend Bloodhound app for Splunk to my customers, which specifically designed for identifying user's bad practices , in order to enhance the performances in their environment. A great app to look at what you're looking. https://splunkbase.splunk.com/app/3541/ ... View more

You can try this: ^(Con.+ess|Pul.+ole|RSI.+|VPN.+ulse|test|Users) Made a few tweaks with your data here. You can try and test it with more data. https://regex101.com/r/NFBLP2/1 Let me know if it helps. ... View more

After reading your comments on Rich's answer, I think I got your requirement. Let's say that you ran this search at 3 PM, and now want to compare the value of LastConsumptionCount at 3 PM with it's value, which you got at 2 PM, exactly 1 hour back. Am I correct? If so, then try this: source="/home/we/plex/movies/meter.elec" earliest=-1h latest=now() | streamstats current=t time_window=1h window=1 last(LastConsumptionCount) as prev_ConsumptionCount | eval difference = LastConsumptionCount - prev_ConsumptionCount | timechart span=1h max(difference) as difference ... View more

@isaacso, if it worked then please accept it as the answer to help others, if they run in the same issue in the future. Thank you, ... View more

Your earlier H/W resources were less than the minimum requirements for ES. I think even after adding the ess_admin role, it wouldn't have worked. https://docs.splunk.com/Documentation/ES/6.1.1/Install/DeploymentPlanning ... View more

A point which I forgo to add was that, even if the SPL is efficient, it usually takes one search at least 1 CPU core to run and execute. Now with 100s of searches running at the same time, will choke your search head and will create a bottleneck for itself, before it can help you solve the bottlenecks of other servers in your infrastructure, causing a big headache of queued searches, high CPU utilisation on itself. Something, which we would definitely want to avoid. ... View more

Metrics can help you in this situation, but the chances of that area little slim. Here are some pointers that you may wish to consider before using it. Using Metrics will definitely save disk space and may improve the search performance, which is highly required for your condition, provided the SPL code for the search is highly efficient. Using time and resource consuming commands like transaction, join etc will nullify the efficiency introduced by Metrics. implementation isn't as easy as compared to ingesting normal data, as it is very peculiar about the formatting of the data. Also to consider is the effort that you'll have to put it to convert the data into the appropriate format before ingesting (Will require some scripting magic). The data formatting may seem difficult and even off putting to the folks who are using Splunk at your organisation. I have people in my team, who do not like it at all. Splunk uses Metrics data to send it's internal logs, and even their dashboards at times take ages to fill the data. Which again brings us back to the SPL, which may or may not be efficient, even if made by a Splunk expert (Boils down to what do you want to achieve with the data). Unfortunately, I cannot direct you to an old thread, where this topic was discussed at length before, cannot recall/find of any threads like it here. ... View more

That's what Rich is asking. my friend. Helping to clarify his question more, when the incident, let's name it INC001 for our example, gets reassigned from assignment_group A to assignment_group B in ServiceNow, does ServiceNow send some sort of event to Splunk, saying that INC001 has been reassigned to a new group? If so, only then we can conjure up some SPL to help you change the assignment. If not, then it's not possible, cos there's no other way for Splunk to know if the assignment group of the Incident was changed. Hope this helps you to clarify the doubts here. ... View more

Assuming your current and the last consumption cound from an hour ago are stored inside the same field called LastConsumptionCount, you can try something like this: source="/home/we/plex/movies/meter.elec" | streamstats current=t time_window=1h window=1 last(LastConsumptionCount) as prev_ConsumptionCount | eval difference = LastConsumptionCount - prev_ConsumptionCount | timechart span=1h max(difference) ... View more

As @richgalloway rightly pointed, you should look into increasing the value of TRUNCATE (Defaults to 10,000). Splunk logs it's complain regarding the truncate issues in splunkd.log inside $SPLUNK_HOME/var/log/splunk. You can check it, to make sure you're facing the same issue. ... View more

If you can hide the sensitive details from your SPL code for both the report and the alert, and share them here, we can help you to find the problem and fix it. ... View more

You're trying to install a version, which is not compatible with 7.3.X, although it says on the splunkbase page. The compatible version is 6.0.1. ... View more

Haha not as fast as you, my friend. Your command on SPL is really amazing and I follow your answers to learn a lot as well 🙂 @to4kawa ... View more

Are you seeing any error messages in yiur splunkd logs for it? They can help you to get to the solution. ... View more