Try one of these: index=mail sourcetype="phish-campaign-logs" attributes.campaignname="Undelivered Phishing Campaign - FY21Q2 - 062421" | spath output=eventtype attributes.eventtype | stats count(eval(eventtype="Data Submission")) AS Data_Submission, count(eval(eventtype="Email Click")) AS Email_Click, count(eval(eventtype="Email View")) AS Email_View, , count(eval(eventtype="No Action")) AS No_Action, count(eval(eventtype="TM Complete")) AS TM_Complete, count(eval(eventtype="TM Sent")) AS TM_Sent BY attributes.campaignname | addtotals   OR  index=mail sourcetype="phish-campaign-logs" attributes.campaignname="Undelivered Phishing Campaign - FY21Q2 - 062421" | spath output=eventtype attributes.eventtype | chart dc(id) by attributes.campaignname eventtype | addtotals ... View more

Try this index=X sourcetype=Y (transaction_type= “refund" earliest=-1d@d latest=@d) OR (transaction_type= “sale" earliest=-30d@d latest=@d) | eval sales=if(transaction_type= “sale”, total,0) | eval returns=if(transaction_type= “ refund”, total,0) | stats values(sales) as sales sum(returns) as returns by company_name, mid, card_number | where sales!=returns ... View more

Try this index=* EventCode=4738 Account_Expires!="-" | eval is_interesting=strptime(Account_Expires,"%m/%d/%Y") | where is_interesting>now() AND is_interesting < relative_time(now(),"+7d@d") | table user status Account_Expires is_interesting ... View more

Someone from your team or company should've admin access. Its much easier to get the information through them.  ... View more

Try like this For requirement 1 (index=A sourcetype=A) OR (index=B sourcetype=B) | stats dc(sourcetype) as stCount by Category Enviroment | where stCount=2 For requirement 2 (index=A sourcetype=A) OR (index=B sourcetype=B) | stats dc(sourcetype) as stCount by Category Enviroment | where stCount!=2   ... View more

https://community.splunk.com/t5/Deployment-Architecture/Why-is-cluster-master-reporting-quot-Cannot-fix-search-count-as/m-p/150433 ... View more

Try method from this (change $row._time$ with $row.Time$. For latest, add 3600) https://community.splunk.com/t5/Splunk-Search/Drilldown-pass-the-earliest-and-latest-from-a-timechart/td-p/337915 ... View more

Is the sourcetype assignment correct on the 1 UF? The host value can be overridden during Event parsing on HF/Indexer, so you may want to check if some TRANSFORM is applied to that sourcetype. ... View more

Go to Splunkbase page for all those app and see if they're compatible with Splunk 8.2.2. If they're you don't have to upgrade (you may want to read the Release Notes for newer version of apps to see if a new feature got added that you might like). Read this for forwarder compatibility: https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwardersandindexers#Determine_forwarder-indexer_compatibility ... View more

Most probably  ignoreOlderthan is the culprit here. Splunk may have got restarted and found the file to be older than 5 days and ignored it (put it in the "ignored" list). It'll stay ignored even after new data is being added. Only restart will make it re-evaluated its file monitoring list and data got ingested. If the data is updated once every 7 days, keep your ignoreOlderthan match that.  What kind of updates does the file get, new data gets appended OR it's completed re-written? ... View more

Have a look at this Splunk doc: https://docs.splunk.com/Documentation/Splunk/7.0.0/Installation/ChoosetheuserSplunkshouldrunas#Use_managed_service_accounts ... View more

You can disable the inputs in different app. You just have to ensure that name of that "disabling" app is set appropriately that it takes precedence over the Splunk_TA_Windows. Have a look at this link to know that. https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Wheretofindtheconfigurationfiles#Summary_of_the_effect_of_directories_on_configuration_precedence  Basically just use any starting letter that comes before "S" (capital S). ... View more

You can't use management pages as default dashboard. You can just bookmark that (Triggered Alert) page and use that bookmark to login to Splunk. It should take you to Triggered alert page after login. ... View more