Old post, but just wanted to mention I'm also still seeing this (Splunk 8.2.6 to Splunk 9.0.0).  The message implies this might cause a conflict/issue... we might want to either improve it or document what needs to be corrected/checked from the user's part? ... View more

@fedejko You should be able to join the two sets together, like this, for example (reusing your two queries): | rest /services/saved/searches | search title="*Rule" action.notable=1 | fields title | eval has_triggered_notables = "false" | join type=outer title [ search index=notable search_name="*Rule" orig_action_name=notable | stats count by search_name | fields - count | rename search_name as title | eval has_triggered_notables = "true" ] That adds a field has_triggered_notables which will indicate if a rule has triggered notable and you can then filter out the results to your liking, for example, to show only the rules which did trigger notables: | where has_triggered_notables = "true" ... View more

Could you please try using the Splunk management port (default: 8089) as in the example here? All the REST API endpoints are exposed over that port and not the default Splunk UI Web port (8000). For example: // Create a Service instance var service = new Service(Scheme.Https, "localhost", 8089, new Namespace(user: "nobody", app: "search")) // Log in await service.LoginAsync("admin", "yourpassword"); ... View more

You could use eval tokens: https://docs.splunk.com/Documentation/Splunk/7.2.3/Viz/tokens#Define_token_filtering_and_formatting For example: <eval token="new_token">replace('mac_address_token', ":", "")</eval> ... View more

This is mentioned by a colleague here: https://answers.splunk.com/answers/716685/splunk-universal-forwarder-suddenly-stop-receiving.html I've also checked internally, and this issue was reported as SPL-155042 and might have had to do with Symantec Endpoint protection blocking the process. If you use that, it might be worth disabling it via a rule to whitelist the UF input executables. It was confirmed that upgrading to the versions listed below fixed the issue. The fix to restart the various Windows inputs on a UF was SPL-144368 , included in versions 6.5.8+, 6.6.7+. That should also be in any 7.x versions. ... View more

You can't use a variable as the regex parameter in the rex command. There are alternatives using map and sub-searches mentioned in various Splunk Answers post for which you can search if you want to go that route. Here's an example: https://answers.splunk.com/answers/386488/regex-in-lookuptable.html But, do you really need to? Also, why use sed mode here? Don't you want to simply extract the product and company values? For example: | rex field=API_URL "api\/Company\/(?<company>.*?)(\/Product\/|$)(?<product>.*)" BTW, https://regex101.com/ is a great resource to work with and test your regexes. ... View more

I've updated my answer to reflect that. Should be faster/more flexible. ... View more

Then this should do it: <base search> | stats values(uri_path) as uri_path by src | where mvcount(uri_path) = 2 AND isnotnull(mvfind(uri_path, "^account\/logon$")) AND isnotnull(mvfind(uri_path, "^member\/savedcard")) | stats count by src You can substitute stats with tstats if uri_path is an indexed field. YMMV. ... View more

You can add values(src) to the stats command then? Or am I misunderstanding completely? Do you mean these URIs only? Specific ones? ... View more

I assume you've already checked things like Antivirus & Firewalling? Reading elsewhere it would seem the newer versions (6.6.7+ of the UF) have a fix to restart the winhostmon.exe based input after such a failure, so your solution would likely be to upgrade your UFs. ... View more

Care to elaborate? ... View more

This answer post might help if you haven't seen it already: https://answers.splunk.com/answers/590013/db-connect-inputs-data-timestamp-is-in-est-but-spl.html If not, we'll need more details to help you (DB Connect version, DB Connection/Session/Query TZ settings, what you tried exactly, etc...). ... View more

What version of Splunk? I've just tried this on my local test instance (7.2.3) and "Last 7 days" shows up correctly for fr-FR. ... View more

Your question would benefit from an added example to make it clearer. ... View more