Another Easy way is to use forearch command: below is the example.   |makeresults | eval mv=mvappend("5", "15"), total = 0, count = 0 | foreach mode=multivalue mv [eval total = total + <<ITEM>>, count = count + 1] ... View more

Just put all the module files in bin folder of your app and add below code to your python script and you can import any custom module:  Let me know if you are facing any error import os import sys import re ta_name = '<splunk_app_name>' ta_lib_name = '<parent_folder_of_python_pakage>' pattern = re.compile(r"[\\/]etc[\\/]apps[\\/][^\\/]+[\\/]bin[\\/]?$") new_paths = [path for path in sys.path if not pattern.search(path) or ta_name in path] new_paths.insert(0, os.path.sep.join([ta_lib_name])) sys.path = new_paths   Happy Splunking!!! #dataelicitsol.com #bhavik.bhalodia@dataelicitsol.com ... View more

Thanks @inventsekar  ... View more

Just add below python code in your main script and it will work:   import os import sys import re ta_name = '<splunk_app_name>' ta_lib_name = '<parent_folder_of_python_pakage>' pattern = re.compile(r"[\\/]etc[\\/]apps[\\/][^\\/]+[\\/]bin[\\/]?$") new_paths = [path for path in sys.path if not pattern.search(path) or ta_name in path] new_paths.insert(0, os.path.sep.join([ta_lib_name])) sys.path = new_paths     ... View more

Is it possible to share some sample logs? ... View more

Hi @adalbor You can create one python script which will fire Splunk Portal and Fetch All the required information from Splunk Portal and Send it to Splunk Using HEC or on any port. And this script will run at some defined interval. Let me know for more information. ... View more

Can you please provide us the Splunk Document from where you get the above reference? ... View more

Can you please explain what does below sentence represent? This practice does not generate the results you would expect. ... View more

Getting same error. PDF generation from dashboards works fine but schedules don't work properly. ... View more

Hi @lemmons2 Here are the answers of your questions: So to use the Puppet TA does this require the following? a) Install Enterprise Splunk on the PE Server. No b) Install Splunk Puppet TA on the PE Server. No c) Configure Splunk as HF (heavy forwarder) on the PE server. No d) Configure the HF to send the logs its gathered to our institutional Splunk indexer cluster? Yes Does this require that the HF on the PE server have its own Splunk license for the daily ingest of PE server logs? *Answer *: No there is no requirement to purchase a separate license for HF. You can use the license which is used for Splunk Enterprise. Since my organization manages the institutional Splunk infrastructure but doesn't manage the PE server or have access to it, would this be considered risky or unconventional to have an outside organization running a HF that forwards data into our indexers? *Answer *: You can create a HF in your environment and install Splunk Add-on for Puppet Enterprise on that HF. And configure inputs in that Splunk Add-on. If you already have any HF in your environment then no need to create a new one. You can install Add-on on that HF. Are there better ways to do this that allows my organization to centrally manage all aspects of getting the PE server logs into Splunk? Perhaps simply setting up a universal forwarder on the PE server? Answer: I think you will get the answer to this question from question 3. You cannot implement this use case by the help of universal forwarders. If you think this helps you then please upvoted this answer. Thanks, Bhavik ... View more

Hi @memow8 I don't think there is a way to create this in Splunk. But you can implement your own logic outside of Splunk to get this functionality. This logic will fetch time from CSV and that time will use to reschedule report. You can reschedule the report by RestApi. https://docs.splunk.com/Documentation/Splunk/7.2.3/RESTREF/RESTsearch#scheduled.2Fviews.2F.7Bname.7D.2Fdispatch Thanks, Bhavik ... View more

Hi abhijittikekar, Try to run below query. sourcetype=linux:audit type=CWD | table msg, cwd | map [ search sourcetype=linux:audit NOT auid=4294967295 type=SYSCALL comm=chmod OR comm=rm OR comm=chown msg=$msg$ |eval cwd=$cwd$ | table _time, msg, auid,cwd] |map [ search sourcetype=linux:audit NOT auid=4294967295 msg=$msg$ type=EXECVE (a0=chmod (a1=-R a2=777 OR a2=755) OR (a1=777)) OR (a0=rm a2=-r OR a2=-rf) OR (a0=chown) | eval auid=$auid$ , cwd=$cwd$ | table + _time, msg, host, a0, a1, a2, a3,auid,cwd]] | table _time, host, msg, auid, a0, a1, a2, a3, cwd Thanks, Bhavik ... View more

Hi @manalhadrach , You can check error of script by running below query. index="_internal" "cpu.sh" Thanks, Bhavik ... View more

Hi @naagaraj, First of all, it is not advisable to run Splunk on a windows server, but if you still want to use windows server than in your case I think there is an issue with the firewall. You have to allow instances to access 8000 port for a windows server on which Splunk installed. You can check this thing by run below command on an instance from you are trying to access Splunk. telnet ipaddress_of_splunk_server 8000 By use of the above command, you came to know that your instance can connect to Splunk server or not. If your instance can not connect to Splunk server than check rules of firewall of the instance from which you are accessing Splunk. The rules of firewall of the instace from which you are accessing Splunk must contains 8000 port for outbound to access Splunk server. Thanks, Bhavik ... View more

@luke222010, You can try below query : sourcetype="sourcetype_a" |table msgID |appendpipe [|search sourcetype="sourcetype_b" result="success" |table result,msgID ] |stats values(result) as result count by msgID | where count=2 | table result Thanks, Bhavik ... View more

Hi Dannili, Check this thing with the use of KV store lookup, you might get your answer. Thanks, Bhavik ... View more

Hi Patrycja, You can create a datamodel which takes data from an index and reindex them. And after when you try to fetch data from datamodel at that time you can get a result more quickly. And you can apply the time range to search when you try to fetch data from datamodel. Thanks, Bhavik ... View more

Hi, You can configure your requirements in a query. You have to manage your query in such a way that when a search of alert runs holidays it should return 0 events. You can use addinfo and lookup commands. If you are satisfied with a comment then please upvote it. Thanks, Bhavik ... View more

Use below additional two options in inputs.conf and check. [monitor://(file path)] disabled = 0 index = XXXXX sourcetype = XXXXX ignoreOlderThan=(non-negative integer)[s|m|h|d] alwaysOpenFile = 1 ... View more

You can try below syntax in /opt/splunk/etc/system/local/limits.conf and check the change in results. [searchresults] max_mem_usage_mb = 400 maxresultrows = 10000000 tocsv_maxretry = 10 tocsv_retryperiod_ms = 1000 ... View more

Hi, you can use below query to get a list of the users who are outside of the country which does not contain throttled user. *index="authenticatior" action=success | search "location.country"!="" AND "location.country"!="US" | table _time device,username,user_first,user_last,user_managedBy,factor,integration,result,location.city,location.country | lookup mylookup.csv | where isnull(last_date) | fields - last_date | eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p") | rename _time as Timestamp location.city as City, location.country as Country user_managedBy as Manager username as "User ID" user_first as First, user_last as Last, factor as Factor integration as Integration result as Result device as Device | sort Last * And use below query to add a user in the lookup. | inputlookup mylookup.csv | append [| makeresults 1 | eval username="Name of User",numberofdays=numberofdays , last_date=_time+86400*(numberofdays) | fields user,last_date] | outputlookup mylookup.csv You have to schedule below query to remove throttled user from lookup when the time will expire so that schedule below query which runs at 12:00 AM(for example) every day. | inputlookup mylookup.csv | where last_date > _time | outputlookup mylookup.csv ... View more

It seems that the format of the field callId is a string and contains space after the value of callId, because of that when you use ***** your problem is solved. ... View more