DATETIME_CONFIG = CURRENT != NONE  Current set the timestamp from the Aggregation queue time.  None in this instance sets the timestamp from the time handed over to Splunk by the modular input script.  Splunk then still needs to send the data to an indexer, which is where the _indextime will be set. Yes the data is cooked and time set on the HeavyForwarder but note the _indextime is NOT.  An easy way to see this in action is to look at any of your data being ingested by DBConnect with _time being set to Current. The _indextime will usually be negative,  but every once in a while you'll see it jump to a few seconds usually due to a blocked output queue. And of course any difference between the HeavyForwarder and Indexer time will of course cause times to be off as well.  ... View more

You have a couple different ways to do this.  if you have say 10000 items in the lookup table.. but 10Million in the index many of which are NOT in the lookup then you probably want to use it as part of the search.  index=<indexname> [ | inputlookup <filename> | fields combinedrules{} | format]  | append [ | inputlookup <filename> | eval sourcetype=lookupfile ] |stats dc(sourcetype) AS sources by combinedrules{}  | eval Search_Index=if(sources > 1,"Yes","No") | eval Inputlookup_File = "Yes" If you want to know if a value is IN the index but not the lookup file.. then:  index=<indexname> | append [ | inputlookup <filename> | eval sourcetype=lookupfile ] |stats dc(sourcetype) AS sources values(sourcetype) AS sourcetype by combinedrules{}  | eval Search_Index=if(sources > 1 OR NOT match(sourcetype,"(lookupfile)"),"Yes","No") | eval Inputlookup_File =if(match(sourcetype,"(lookupfile)"),"Yes","No") |fields combinedrules{},Search_Index,Inputlookup_File ... View more

So the dataset here is important so not sure which of these you're really looking for.  If you just want to search all the data and combine it by user. (index=accounts user=*) OR (index=employees  user=*  emp_details=*  emp_information=*) | stats latest(emp_details) AS emp_details latest(emp_information) AS emp_information values(index) AS indexes by user  But that assumes you want to combine things regardless of if user exists in 1 or 2 indexes.   If you just want to do a search for users in one index ONLY if they exist in the other index..  index=employees emp_information=* emp_details [ | search index=accounts user=* | stats count by user | fields user | format ] | table user, emp_details, emp_information  The problem here though is you don't get a notification if the user existed in accounts but NOT in employees.  If you're looking for something else please describe it.  ... View more

Just checking but are you using the same user for both operations? The SMTP authentication requires the user have admin_all_objects as a capability. ... View more

Can you give an example of the search you are attempting on the lookup. ie | lookup or | inputlookup ... View more

Try: ... | stats min(earliest) AS earliest max(latest) AS latest by theSrc |rename theSrc AS DNS.src | format ] BY DNS.query_type ... View more

You need to pull the week number out of the date. | eval week_number=strftime(date,"%W") If you then want to calculate the results for the current vs other weeks you can do some other evals such as |eval this_week_number=strftime(now(),"%W") | eval weeks_ago=this_week_number - week_number Need more information to determine how you would want the stats to look. ... View more

Here are a few options that could point you in the right directions. (index=netfw message_tag=RT_FLOW_SESSION_DENY) OR (index="netdhcp" ip=*)| lookup emotet_ip.csv lookup_ip AS dest| search rule=emotetc2block OR index="netdhcp" |eval dest=coalesce(dest,ip) | stats count,values(nt_host) AS nt_host by dest src_ip | sort -count OR (index=netfw message_tag=RT_FLOW_SESSION_DENY) OR (index="netdhcp" ip=*) |eval dest=coalesce(dest,ip) | stats count,values(nt_host) AS nt_host,values(src_ip) AS src_ip by dest|mvexpand src_ip| lookup emotet_ip.csv lookup_ip AS dest| search rule="emotetc2block" ... View more

Ok so from the data set you have given there is only ever one value for source2 per host. If there is not only one value for this field do you expect to see it duplicated multiple times in the output. Either way try starting your search with: index=index1 OR index=index2 | some crazy struff | more crazy stuff If you are not working on fields that collide in any way that is. And what exactly is the use case you're trying to solve for. Usually a table with host and 2 random fields can be hard to understand so there may be a better solution. ... View more

There are many options for this type of operation but we need to see a bit more of the example data to know the best way to get to a solution. Can you post the original search and (sanitized) example data. ... View more

If you are still having an issue please post the query and example output. ... View more

_json is a built in sourcetype which should automatically parse this event. If you are setting this to a different sourcetype then it will not parse though. Suggest you first try: | spath as this should force the json to be parsed. ... View more

Try this: index=dns host=ns1 ((notify AND serial) OR serial) somezone.net |rex "\s+serial\s+(?<serial_test>\d+)" | transaction serial_test,zonename max_events=2 startswith=notify endswith=transferred| where duration>600 |table duration ... View more

Here you are doing a very unique operation of comparing two tables and choosing to combine them by a field, and combining ALL fields in the table. This is only faster because you have one field to compare and have already run a dedup on the tables. If at any point you required multiple matches or have multiple fields to match on or the search retrieves only a small number of events and the lookup table is tens of thousands or more the lookup table method would be the appropriate option. ... View more

The Nagios Splunk Add-On is not 100% configured by default. Have you created the $SPLUNK_HOME/etc/apps/Splunk_TA_nagio-core/local/inputs.conf on the Universal Forwarder/Deployment Server? [monitor://$NAGIOS_HOME/var/nagios.log] sourcetype = nagios:core [monitor://$NAGIOS_HOME/var/host-perfdata] sourcetype = nagios:core:hostperf [monitor://$NAGIOS_HOME/var/service-perfdata] sourcetype = nagios:core:serviceperf ... View more

This is going to need both js and css to to work. See the answer here: https://answers.splunk.com/answers/587089/multiselect-table-rows.html You'll really want to create an app specifically for this dashboard/collection of dashboards so you don't mess with the static css/js for the search app. ... View more

The service templates are stored in 2 locations. There will be a .conf under the module that you created the service template of /opt/splunk/etc/apps/{DA-Module}/default/itsi_service_template.conf AND there will be configuration in the KVSTORE. This is NOT a simple task to extract from the kvstore and re-import to the prod kvstore. If this is not the template of all templates that took days / weeks to develop I really would suggest you just stare and compare a new one in prod. Otherwise DEV needs to be IDENTICAL to prod or you'll be editing JSON files by hand. ... View more

Simple way to convert the text string to multiple lines is with makemv. | eval body= username. " user attempted to delete " . activity_count . " logs by performing the below activities :" . mvjoin(activity,": ") . ": and removed the logs on host " . src | makemv delim=":" body ... View more

That is because the splunk server is using the rest API to communicate to itself on 127.0.0.1 . If you were using mcollect to write to the metric index, then it would replace the host with the name of the search head running the report. To keep confusion to a minimum I find it best to stay away from using host AND sourcetype for anything in metric indexes. ... View more