Hi @retro-bloke  This is a perfect case for eventstats command.  Here's an example of how to do it | makeresults | eval _raw="account_email,true_ip,device_id,request_id bob@foobar.com,1.1.1.1,abc,123 sid@foobar.com,1.1.1.2,def,456 bob@foobar.com,1.1.1.2,ghi,789 bob@foo.com,1.1.1.3,jkl,999 " | multikv forceheader=1 ``` ^^^ create dummy events ^^^ ``` | eventstats count AS dups:account_email BY account_email | eventstats count AS dups:true_ip BY true_ip | eventstats count AS dups:device_id BY device_id | eventstats count AS dups:request_id BY request_id | addtotals dups* | where Total > 4 | table account_email,true_ip,device_id,request_id  Hope that helps ... View more

Just remove the group by clause then...   ...<your query>... | search Status="failed" | stats latest(*) AS *   By default, Splunk lists events with the latest first so you could even do this   ...your base query... Status="failed" | head 1     ... View more

Hi @Naga1  The are a number of methods. As you have not provided any example of the DataError field values, I'll assume they are short and concise.  Generally, the simplest and most efficient way is do exclude them at base search time.  Something like this ...your search query... NOT DataError IN("value1 to exclude", "value1 to exclude") ``` this will exclude the 2 DataError messages you want to ignore``` | stats count BY DataError Or, it can be just as quick to do the stats count on all values and then exclude the ones you do not want to see afterwards. ...your search query... | stats count BY DataError | search NOT DataError IN("value1 to exclude", "value1 to exclude") It really depends on the data. Anyway, hope that helps get you going. ... View more

Hi @pc1234  Here's a run anywhere example showing you a method to do this...   | makeresults | eval _raw="user,login_attempt_status smith,failed smith,failed smith,succeeded smith,failed jones,failed jones,failed jones,succeeded smith,failed smith,failed smith,failed smith,failed" | multikv forceheader=1 | streamstats count | eval _time=_time+(count*60) | sort _time | table _time user login_attempt_status ``` ^^^ above just creates dummy events ^^^ ``` | sort user _time ``` events need to be sorted by user and _time for following streamstats command to work ``` | streamstats reset_on_change=true window=3 count BY user login_attempt_status ``` count previous 3 login_attempt_status and reset count on group by changes ``` | stats max(_time) AS _time latest(*) AS * BY user ``` what's the latest ``` | where count=3 AND login_attempt_status="failed" ``` alert on this condition ```   Hope that helps ... View more

Good luck and if you do find out why it's not working for you then it would be good to update this question with the answer. ... View more

Yeah, I like this, @yuanliu  I did pick up a few typos in your SPL that caused the max result to be the second max.  I've fixed it up and here it is for completeness... ... | foreach *-step* [eval time_step = mvappend(time_step, printf("%04d", '<<FIELD>>') . ":<<FIELD>>")] | eval time_step = mvsort(time_step) ,max = mvindex(time_step, mvcount(time_step) - 1) ,second_to_max = mvindex(time_step, mvcount(time_step) - 2) ,max = split(max, ":") ,second_to_max = split(second_to_max, ":") ,"Step that is taking maximum time" = mvindex(max, 1) ,maxtime = tonumber(mvindex(max, 0)) ,"Step that is taking next maximum time" = mvindex(second_to_max, 1) ,nextmaxtime = tonumber(mvindex(second_to_max, 0)) | table Id "Step that is taking maximum time" maxtime "Step that is taking next maximum time" nextmaxtime   ... View more

The Splunk docs indicate it all should work, but maybe the Splunk UF and Splunk Enterprise are not aligned at this version.  You could try a Support ticket but Splunk would probably want a supported UF version installed to do anything. Like @isoutamo and you said, it works fine when testing the config on Splunk Enterprise (v8.2.7 for me).   The only other thing I can think of, is there is a small mistake in the config you have pushed out.  Double/triple check the sourcetype names match.  Maybe try adding a new stanza entry, using [source::<you file>], which has a higher precedence than sourcetype stanzas, and see if that works. It gets pretty hard to help when you are not able to see the environment and the real configs in use.  All I can say from what I seen, is that it should be working, so either it's a versioning issue with the Splunk UF (can it be upgraded) or the config has a small mistake.     ... View more

The aim was only ever to demonstrate how lookups could be used.  Further filtering of results can be done with "search", "where", or the "regex" commands. I'm unclear with the problem you have outlined as you have presented it all as tables.   What is the lookup and what are the raw events.  Maybe present the SPL you already have with examples of the raw events. If you want to have the lookup match (table 1?) on the raw events (table2?) then you just need to do two lookups.  Here's a run anywhere example | makeresults| eval _raw="ip,location 1.1.1.1,NY 2.2.2.2,CA 3.3.3.3,TX 4.4.4.4,GA" | multikv forceheader=1 | table ip location | outputlookup mytemplookup.csv ``` 1. create a lookup file (table1)``` ``` 2. create some dummy events (table2)``` | streamstats count | eval ip1=if(count=2, ip, null()) ,ip2=if(count=4, ip, null()) ,name=case(count=2, "name2", count=4, "name4") | table ip1 ip2 name ``` 3. the following uses the lookup and filters results ``` | lookup mytemplookup.csv ip AS ip1 OUTPUT ip location | lookup mytemplookup.csv ip AS ip2 OUTPUT ip location | search ip1=* OR ip2=* | table ip* location name The first two parts simply create some dummy data to demonstrate (an example) how  you would use the SPL in the third part of the query to produce your output.  Obviously, you'll need to alter this to work with what you have got so far.     Hopefully that makes sense ... View more

Can you confirm the version of Splunk universal forwarder agent you are using.   Maybe it is an older version and the props.conf settings do no work on it. ... View more

The Splunk docs are a good place to get more acquainted with SPL commands   https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Lookup https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Inputlookup 1. a) The name=* does a couple of things: it filters events that have name=<value>, and it also tells Splunk query that you are interested in this field so extract it as a key value pair.  This may be important depending on the search mode you are using (fast, smart, verbose).   And yes, it is a must for the lookup to work.  b) In this case, the event "name" field equates to a lookup csv header "name".   If the search had a field called name1 then the lookup syntax is "lookup employee.csv name AS name1" c) Yes, though note, altering your base search filters may also alter your result output.  Like most scripting languages there are many ways to do things, which have there pros and cons.  But generally, if you know you are interested in a field, (or fields), then using them in the base search helps ensure they are auto extracted and ready for subsequent usage. 2. Yeah, my mistake.  You can filter for matches like this.     index=testindex name=* | lookup employee.csv name OUTPUT positon company | search company=*   If the lookup has a match (and assuming the event does not have a field called company) then event will be enriched with the company field result For the second query, here are some comments...   index=testindex name=* ``` append the whole lookup file to the search results ``` | inputlookup append=true employee.csv ``` output the fields I'm interested in ``` | fields name address phone position company ``` summarise/transform the results into a table using name as the grouping jey``` | stats values(*) AS * BY name ``` add a new field with a tested value ``` | eval intestindex=if(isnotnull(company), "yes", "no")    As you may have noticed, the stats command changes the output so you do not see the _raw events anymore. Play around with it to keep learning.  Remove the bottom line and repeat search to see how each line changes the result set. If this has answered your question then please mark this as solution provided. ... View more

If it is valid JSON and you want to use INDEXED_EXTRACTIONS then this is all that is needed. [sourcetype] INDEXED_EXTRACTIONS=json Note the implications of using this setting though. https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Propsconf#Structured_Data_Header_Extraction_and_configuration     ... View more

Hi @jenkinsta  I think timechart would be better suited for this.  Something like index=nessus | timechart span=1month count BY severity  The counts are group by month then Hope that helps ... View more

If the pasted JSON is correct then this is badly formatted JSON "host:""apl-12345"   ... View more

Hi @CloudGuy  Here are some example methods Only outputs results matched against name field in lookup file index=testindex name=* | lookup employee.csv name OUTPUT positon company Outputs all results and tests whether a match in lookup file existed index=testindex name=* | inputlookup append=true employee.csv | fields name address phone position company | stats values(*) AS * BY name | eval intestindex=if(isnotnull(company), "yes", "no") Hope that helps ... View more

Hi @umd06  You have not specified whether it is a search head cluster (SHC) or not.  An SHC should automatically replicate lookups between its SHC members.  If it isn't, you may have a replication issue.  Check the _internal logs for issues. For standalone search heads, there is no auto mechanism to replicate lookups to other standalone search heads.  ... View more

Hi @xouu  That doesn't make sense as the base search does not have a lookup in it.   That error also indicates that the remote search peers do not have the look up definition but that should not prevent the search from completing. I assume you are have the Splunk admin role and have access to the _internal indexes? Are the servers in your Splunk Enterprise environment all at the version?  ... View more

On a SPlunk universal forwarder agent you'll need a restart to pick up any changes, which would help explain why this is not working. If you do not have access this a restart can still be done via the deployment server, under the Apps tab, where you need to ensure the Restart Splunkd checkbox is ticked for the deployed app. If you have access to the _internal index you can check for a restart of the agent with the following search index=_internal sourcetype=splunkd host=<your host> My GUID Hopefully, you'll see some positive changes once this is done. ... View more

Hi @power12  Here are some examples of how to do it...   | makeresults | eval mytime="2023-05-18T08:11:52.000-07:00" ,mytime_epoch=strptime(mytime, "%FT%T.%3N") ``` convert to epoch seconds - ignore the timezone unless you want to account for it ``` ,mytime_reformated=strftime(mytime_epoch, "%F %T") ``` format time ``` ,mytime_nested=strftime(strptime(mytime, "%FT%T.%3N"), "%F %T") ``` can nest the time functions too ``` ,mytime_replace=rtrim(replace(mytime, "(T|\..*)", " ")) ``` OR string manipulation would work in this case too ```    Hope it helps ... View more