Hello, We have a lookup csv file: 1 million records (data1); and a kvstore: 3 million records (data2). We need to compare a street address in data2 with a fuzzy match of the street address in data1 - the bold red text below -returning the property owner. Ex" data2 street address:    123 main street  data1 street address:    123 main street apt 13 We ran a regular lookup command and this took well over 7 hours. We have tried creating a sub-address (data1a) removing the apt/unit numbers, but still a 7 hour search. Plus if there is more than one apt/unit at the address, there might be more than one property owner. This is why a fuzzy-type compare is what we are looking for. Hope my explanation is clear. Ask if not. Thanks and God bless, Genesius (Merry Christmas and Happy Holidays) ... View more

Hello, This is the result from one of my rows in Search & Reporting (Web). Job Code 039081934400000 (4) 082441325900000 (199)   However, when my code is used in a classic dashboard the results are this.   Job Code 039081934400000 (4) 082441325900000 (199)   How do I control my dashboard output to display like my search output?     | inputlookup job_codes_2024.csv ```all fields in the lookup above begin with the letter j, except for the field cntrl``` | foreach j* ```add line feed at the end of all fields beginning with the letter j``` [| rex field=<<FIELD>> mode=sed "s/$/\n/g"] ```group all fields by the cntrl value``` | stats values(*) as * by cntrl     Thanks and God bless, Genesius ... View more

Hello, I use Microsoft's Visual Studio Code as code locker for my spl, xml, and json Splunk code. Does anyone have  experience running spl code from VSC? I have the Live Server extension installed and enabled. However, it opens into directory listing within Chrome. When I drilldown to the spl file instead of running the code it downloads the file. Thanks and God bless, Genesius ... View more

Hello, The description is not very descriptive. Hopefully, the example and data will be. I have a list of 1500 numbers. I need to calculate the sum in increments of 5 numbers. However, the numbers will overlap (be used more than once). Using this code of only 10 values. | makeresults | fields - _time | eval nums="1,2,3,4,5,6,7,8,9,10" | makemv nums delim="," | eval cnt=0 | foreach nums [| eval nums_set_of_3 = mvindex(nums,cnt,+2) | eval sum_nums_{cnt} = sum(mvindex(nums_set_of_3,cnt,+2)) | eval cnt = cnt + 1]   The first sum (1st value + 2nd value + 3rd value or 1 + 2+ 3) = 6. The second sum (2nd value + 3rd value + 4th value or 2 + 3 + 4) = 9. The third sum would be (3rd value + 4th value + 5th value or 3 + 4 + 5) =12. And so on. The above code only makes it through one pass, the first sum. Thanks and God bless, Genesius ... View more

Hello, I'm trying to find information on how to use Splunk with Visual Studio Code. I have an authentication token on my development instance. I've installed the Visual Studio Code Extension for Splunk on GitHub. I'm lost from here on. What do I enter in the url and webroot fields in the launch.json file? "configurations": [ { "type": "chrome", "request": "launch", "name": "Launch Chrome against localhost", "url": "https://<host name>:8080", "webRoot": "${workspaceFolder}" } ] This opens Splunk in my Chrome browser, but it is an empty search field. I created splnb file in VSC, but when I run it, I receive ERROR: Unauthorized. Thanks in advance for any direction provided. God bless, Genesius ... View more

Hello, Has anyone had issues with the color codes used in your json are not the colors appearing in your visualization?     { "type": "splunk.column", "options": { "legendDisplay": "off", "dataValuesDisplay": "all", "yAxisTitleText": "Volulme (GB)", "xAxisTitleText": "Day", "stackMode": "stacked", "seriesColorsByField": { "over_500_red": "#FF0000", "between_400_and_500_orange": "#FFA500", "between_200_and_400_green": "#008000", "under_200_blue": "#0000FF" } }, "dataSources": { "primary": "ds_search_1" }, "title": "License Usage - Last 14 Days", "showProgressBar": false, "showLastUpdated": false, "context": {} }     Green and blue are not in the chart below. Thanks and God bless, Genesius ... View more

  Hello, Has anyone experienced parsing Windows Event Logs using a KVstore for all of the generic verbiage?  For example - red text (general/static text associated with EventCode number and other values  - this will mostly be the Message/body fields) will be entered into a KVstore; green text (values within the event) will be indexed. In the below example, there are 2,150 characters, of which, 214 characters are dynamic, and need to be indexed. The red(undant) text contains over 1,930 characters.  These are just logon (4624) events. With over 11.5 million logon events per day across our environment, this is ~23 GB. If what I am asking can be/has been accomplished, we could reduce this to 2.3 GB. Thanks and God bless, Genesius   09/11/2023 12:00:00AM LogName=Security EventCode=4624 EventType=0 ComputerName=<computer name> SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=9696969696 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on.   Subject:                 Security ID:                         NT AUTHORITY\SYSTEM                 Account Name:                 <account name>                 Account Domain:                              <account domain>                 Logon ID:                             0x000   Logon Information:                 Logon Type:                        3                 Restricted Admin Mode:               -                 Virtual Account:                No                 Elevated Token:                 Yes   Impersonation Level:                      Identification   New Logon:                 Security ID:                         <security id>                 Account Name:                 <account name>                 Account Domain:                              <account domain>                 Logon ID:                             0x0000000000                 Linked Logon ID:                               0x0                 Network Account Name:               -                 Network Account Domain:           -                 Logon GUID:                       <login guid>   Process Information:                 Process ID:                          0x000                 Process Name:                   D:\Program Files\Microsoft System Center\Operations Manager\Server\Microsoft.Mom.Sdk.ServiceHost.exe   Network Information:                 Workstation Name:         <workstation name>                 Source Network Address:             -                 Source Port:                        -   Detailed Authentication Information:                 Logon Process:                  <login process>                 Authentication Package: <authentication package>                 Transited Services:           -                 Package Name (NTLM only):        -                 Key Length:                         0   This event is generated when a logon session is created. It is generated on the computer that was accessed.   The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.   The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).   The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.   The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.   The impersonation level field indicates the extent to which a process in the logon session can impersonate.   The authentication information fields provide detailed information about this specific logon request.                 - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.                 - Transited services indicate which intermediate services have participated in this logon request.                 - Package name indicates which sub-protocol was used among the NTLM protocols.                 - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. ... View more

Hello, Any Splunkers who can share ALL of the <option name=""> tags available to use with the missile map viz? On Splunkbase, the author states  Customisation options The following options are available to customise: Lines Default color: The color to use for a line when no "color" field is present in the data (default: #65a637) Weight: The weight to use for a line when no "weight" field is present in the data (default: 1) Map Tile set: The map tiles to use Custom tile set: If you wish to use a tile set not in the preset list (e.g. http://tile.stamen.com/toner/{z}/{x}/{y}.png) Latitude: Starting latitude to load Longitude: Starting longitude to load Zoom: Starting zoom level to load However, there is no sample of the syntax. Thanks in advance for your help. God bless, Genesius ... View more