I have set up alerts in Splunk and usually I hard-code the recipients email id in the TO field, and it works flawlessly. But in this case , I cannot hardcode the user email id in the alert's TO field, because the user ID has to be extracted from the event (from the event that satisfies the alert condition). Example (sample event that will satisfy the alert query): 40.145.234.438 329x399740x1 PERSON1 [09/Mar/2020:05:29:23 -0400] "DELETE /rest/api/2/issue/TES1-2/butchers?username=PERSON2 HTTP/1.1" 204 - 40 "https://phutan-dev.mayhem.com/browse/RES1-2" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36" "1k35v6f" IF the word butcher is identified then the event should be picked (I can handle until this) and from the event extract PERSON1 and PERSON2 field and trigger email to these two PERSONS as PERSON1@mayhem.com. PERSON2@mayhem.com through the alert. I have extracted PERSON1 and PERSON2 from the event. I'm just looking to append @mayhem.com to them and trigger alert emails to these two persons only. ... View more

I have been dumped with events what appears to be memory info. memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS 92101 66926 7175 77.6 21.4 3497702952 3.6 909526 998772788 4232481396 16909785 302 1012 4.07 0.00 7876.48 341.04 41.79 I am supposed to display it in a tabular format like memTotalMB, memFreeMB etc... as the headers and 9201 , 66926 etc.. as their values . Could anyone help me with the query please ? ... View more

In the dashboard, I have created three multi-select input fields. CONTINENT, COUNTRY , STATE Example : When I click on the CONTINENT drop down as "Asia", the COUNTRY drop down multiselect field automatically populates with asian coutries such as India, China, Japan etc... Now I select "India" in the COUNTRY field and STATE gets populated with Indian States such as Delhi, Goa etc... This works fine. Say, for STATE the background spl running for the multiselect value population is something like this index = $continent_token$ | host=$country_token$ | table STATE The issue arises, when I select multiple values in any of the fields, then the next field doesn't populate any values. It only works when I select one field. Example : If I multi-select INDIA and CHINA under COUNTRY field then the STATES doen't populate anything. If i select only one, then only it populates. Could anyone guide me on how to deal with this???? I want to be able to see the STATES of both INDIA and CHINA if I select (multiselect 2 countries) . Just to add more clarification. In our system index value is CONTINENT, COUTRY is HOST and STATE is SourceType So basically looking to select multiple hosts and then should able to see sourcetypes from all those hosts to be populated. Also to be able to select multiple indexes and the hosts of all those selected indices should come. Thank you. ... View more

I have a lookup file called PriceFactot.csv. I have defined this lookup table and then in query I use | inputlookup PriceFactor.csv and get my data. The thing is, PriceFactor.csv's content changes twice a day. SO each time I have to upload/define the new lookup in splunk , or else in the query in shows me stale data. Is there anyway to make Splunk to keep reading the lookup file or dynamically update itself etc...or any other suggestion?? ... View more

We don't want our end users to be able to see the SPL running behind the reports in the dashboard. They are clicking on the lens icon and seeing the search and then mess around with it. Can we make the dashboard just read-only. (no funny business of checking the source code, commands, etc) ... View more

I have a lookup table from a csv that looks like this name exam1 exam2 exam3 john good bad bad peter bad bad best ken best bad bad and the list continues with almost 100 rows. I want to know whether there is a 'best' under each exam. So, I am thinking to implement foreach , which should give us a result something like this, exam1 OK exam2 NO exam3 OK (because for exam1 and exam3 there was atleast someone who performed 'best' but for exam2 no one has 'best' This is what I tried | inputlookup exam.csv | foreach * [eval final = if(<<FIELD>>=="best","OK","NO")] But I can't make the command work. 😞 ... View more

I have a look up csv file added, which looks like this, The header contains subject names and student name, and then subsequent rows contain performances for each pupil MATH ENGLISH NAME SCIENCE good bad Timmy best good good John better better bad Alek good good bad Priya good beter best Arun best The above table means Timmy is 'good' at MATH, 'bad' at ENGLISH and 'best' at SCIENCE. SImilarly John is 'good' at MATH and ENGLISH and 'bad' at SCIENCE. etc... I want to know how many kids are good, bad and best at each subject. in stats table and if possible in a visualization. e.g. 3 kids are good at MATH(Timmy, JOHN , Priya) 2 kids are best at SCIENCE (Timmy, Arun) My query starts like, | inputlookup marks.csv | stats ........ ... View more

My csv is placed on desktop So I am using | inputcsv "C:/Users/JM/Desktop/rap.csv" Splunk is not able to read. It says the csv couldn't be opened for reading. I tried this before couple of months back with a similar .csv and it had worked. not sure why is it not working this time...unable to figure out why it is unable to read. ... View more