My situation with this error: I had established my own certs (including a CACert.pem file) and placed them in a folder: /opt/splunk/etc/auth/my_certs ... and everything worked fine, except for ldap-search it was complaining of an 'invalid CA public key file' in the SA-ldapsearch/default folder is the file ssl.conf with an entry: [sslConfig] sslVersions = tls caCertFile = cacert.pm   Well.. because my CA cert was named "CACert.pem" -- the add-on couldn't find it. I copied my CACert.pem to 'cacert.pem' -- and everything worked well again.   @jreuter_splunk wrote: sslConfig is case sensitive. Indeed it is.      Good luck.     ... View more

Sorry.. I don't know what you mean. You could just look for the file: string. So something like: | rex field=mystring "file:(?P<filelocation>[^<]*)" this just looks for "file:" and then grabs whatever comes after it. ... View more

What is your search time frame? A user would have to fail 40 times within your search time frame to qualify as an alert. Is that what you're expecting? ... View more

Are you trying port 8000 or port 8089 -- command port is usually 8089. ... View more

Do you mean something like this?: |rest /servicesNS/-/-/saved/searches | table title eai:acl.app eai:acl.owner actions search So maybe with your criteria, it'd be: |rest /servicesNS/-/-/saved/searches | table title eai:acl.app eai:acl.owner actions search | where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%" Alerts generally have actions so you could add a filter for those, or there may be other ways to do it: |rest /servicesNS/-/-/saved/searches | search NOT actions="" | table title eai:acl.app eai:acl.owner actions search | where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%" ... View more

Are you saying that the field is blank or that the column is gone in your results? ... View more

You're looking for a way to persist some search results -- and then further filter them? There's a few mechanisms for that with Splunk. I think one is the closest to what you're looking for: https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Loadjob See also: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Usesummaryindexing There's likely a few others that also would help. Good luck. ... View more

@zacksoft in your uuery human_time and sub_time are both formatting sub_time -- so they'll be the same. If you change your last line to display: |table human_epoch_time sub_time human_time You should see the diff between human_epoch_time and sub_time ... View more

No problem. I believe $click.value$ will give you the field that is clicked. However, you may want to use a specific field regardless of where on the row the click occurs. When that occurs I think $row.$ is the choice for that behavior. At any rate... good luck. ... View more

Not much to go on here... Maybe you can provide some more details around what you've tried and what your current data set or query attempts are... Broadly you can look at these: https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Search https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Where https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchTutorial/Useasubsearch ... View more

Here's a search with numeric values - that you can look at: index=_internal sourcetype=splunkd kb=* | table _time sourcetype kb | eval threshold = if(kb<80,"UNDER","OVER") | streamstats current=t window=3 list(kb) as last_three list(threshold) AS all_threshholds values(threshold) AS last3_threshhold | eval ALERT = if(last3_threshhold != "UNDER","All 3 were OVER","") | eval GOOD = if(last3_threshhold != "OVER","Last 3 were all good","") ... View more

How we did that was to pull together the list of inputs and then add a streamstats like this: | streamstats current=t window=3 values(status) AS last_three by input_name Something like this: index=_internal sourcetype=dbx_job_metrics | sort input_name _time | table input_name _time status | streamstats current=t window=3 list(status) as last_three values(status) AS values_three by input_name | search values_three != "COMPLETED" You'll need to adjust a little to get your > 80% in there.. but that's the basics of it. ... View more

That's a tougher question. The only way I'd know how to do that is to leave the values in a string, split it, and then use mvindex to index the 12th value in the split. | makeresults | eval message = "this,is,the,fourth,fifth,sixth,value" | eval new_mvfield = split(message,",") | eval FOURTH = mvindex(new_mvfield,3) | eval FIFTH = mvindex(new_mvfield,4) | eval LAST = mvindex(new_mvfield,-1) ... View more

Does your resulting table only have a single row in it? Or are there multiple rows? dc returns a single value, but I think values returns a multi-value field. I'm just shooting in the dark at this point but maybe: Change dc(dest) AS host count -> values(dest) AS host count Swap the field names -> dc(dest) AS hash values("match_hash") as host_count Remove the "by "intel_name". I did notice that you seem to be quoting the other fields, but not dc(dest)? ... View more

hmm.. tough to say. At least you're saying that the token doesn't work no matter where you try to use it. That gets us back into the normal territory. I'm confused how you're using a stats command, but also generating the rest of the notable fields. Maybe you can post a few more details of your search output, or the notable that comes out of it. ... View more

So you're saying that a token in the "Drill-down Name" field of your Notable isn't working, but the same token when used in the "Drill-down Search" field gets passed correctly to the drill-down search? If that's what you're seeing -- then that is a bit nasty.. I'd start to wonder whether your browser is telling you the truth? Clear browser cache? ... View more

Notable link is on Lower right... under Adaptive Responses.. ... View more

When you see the incident in Incident Review -- Have you ever looked at the 'notable' drill down? This will drill down to the raw event in the notables index. Check to make sure your field is there. Sometimes field names get manipulated in the notable so they don't collide with the fields in the notable index. ... View more

I'm adding this as a separate question... ... View more

More details: The key 'requirement' here is to create a lookup file in the same 'app/lookups' directory. I thought that manipulating these values might do that -- but I'm finding that these settings don't seem to have any reliable impact. At the end of the day -- if you run |outputlookup lookup_file.csv in a search, because the "createinapp' parameter has a default of 'true' -- the outlook file will be created in the lookups folder in the app where the search is running -- NOT in the app where the search is defined. If you run |outputlookup createinapp=false lookup_file.csv in a search, the lookup file will end up in ../system/lookups. I do not see a way to force a lookup file to end up in a specific applications lookups directory. Anyone have any solutions for that? ... View more

Instead of creating a lookup file from the .csv that is provided, why not just ingest the .csv file into an index? Something like this: 1) Setup a new input file monitor to watch for the provided .csv files to be added to a directory. 2) Have the other team copy any new file into that directory. 3) Splunk ingests input .csv file into new sess_id_csv index 4) Create a scheduled report that correlates the two indexes 5) Provide access to this report by the teams or have the report e-mailed back to the group that provided the .csv file. There's always more than one way to do it. But, this is more 'self-service' for your groups. Good luck. ... View more