Hi @NathanAsh , did you tried the OVER clause in the chart command? index=*.log source=*Report* | eval latestDeployed_version=Deployed_Data_time."|".version | eval latestVersion=Deployed_Data_time."|".version | stats latest(Deployed_Data_time) AS Deployed_Data_time values(env) AS env max(latestVersion) AS latestVersion BY app | rex field=latestVersion "[\|]+(?<version>.*)" | table app version env | chart values(version) OVER app BY env limit=0 | fillnull value="Not Deployed" for more infos see at https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Chart Ciao. Giuseppe ... View more

Hi @Naa_Win , you have to define the frequency of your alert and run a simple search scheduled on the above frequency, if e.g. you want to run your alert every 5 minutes, you should run a search like the following: index=error_idx sourcetype=error_srctyp earliest=-5m@m latest=@m if you have events the alert triggers. choosing a defined period you are sure that the alert triggers only one time on events. Ciao. Giuseppe ... View more

Hi @Harish2 , the most efficient solution is using a lookup, if you aren0t enabled to do this, you have to insert in the input all the conditions, somethin ike this: <form version="1.1" theme="light"> <label>Dashboard</label> <fieldset submitButton="false"> <input type="time" token="timepicker"> <label>TimeRange</label> <default> <earliest>-15m@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="env"> <label>Environment</label> <choice value="*">All</choice> <prefix>env="</prefix> <suffix>"</suffix> <default>*</default> <fieldForLabel>env</fieldForLabel> <fieldForValue>env</fieldForValue> <search> <query> | makeresults | eval env="DEV" | fields env | append [ | makeresults | eval env="SIT" | fields env ] | append [ | makeresults | eval env="UAT" | fields env ] | append [ | makeresults | eval env="SYS" | fields env ] | sort env | table env </query> </search> </input> <input type="dropdown" token="server"> <label>Server</label> <choice value="*">All</choice> <prefix>server="</prefix> <suffix>"</suffix> <default>*</default> <fieldForLabel>server</fieldForLabel> <fieldForValue>server</fieldForValue> <search> <query> | makeresults | eval env="DEV", server="amptams.dev.com" | fields env server | append [ | makeresults | eval env="DEV", server="ampvitss.dev.com" | fields env server ] | append [ | makeresults | eval env="DEV", server="ampdoctrc.dev.com" | fields env server ] | append [ | makeresults | eval env="SIT", server="ampastdmsg.dev.com" | fields env server ] | append [ | makeresults | eval env="SIT", server="ampmorce.dev.com" | fields env server ] | append [ | makeresults | eval env="SIT", server="ampsmls.dev.com" | fields env server ] | append [ | makeresults | eval env="UAT", server="ampserv.dev.com" | fields env server ] | append [ | makeresults | eval env="UAT", server="ampasoomsg.dev.com" | fields env server ] | append [ | makeresults | eval env="SYS", server="ampmsdser.dev.com" | fields env server ] | append [ | makeresults | eval env="SYS", server="ampastcol.dev.com" | fields env server ] | search $env$ | dedup server | sort server | table server </query> </search> </input> </fieldset> <row> <panel> <table> <title>Incoming Count &amp; Total Count</title> <search> <query> index=app-index source=application.logs $env$ $server$ ( "Initial message received with below details" OR "Letter published correctley to ATM subject" OR "Letter published correctley to DMM subject" OR "Letter rejected due to: DOUBLE_KEY" OR "Letter rejected due to: UNVALID_LOG" OR "Letter rejected due to: UNVALID_DATA_APP" ) | rex field= _raw "application :\s(?<Application>\w+)" | rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)" | chart count over Application by Msgs | rename "Initial message received with below details" AS Income, "Letter published correctley to ATM subject" AS ATM, "Letter published correctley to DMM subject" AS DMM, "Letter rejected due to: DOUBLE_KEY" AS Reject, "Letter rejected due to: UNVALID_LOG" AS Rej_log, "Letter rejected due to: UNVALID_DATA_APP" AS Rej_app | table Income Rej_app ATM DMM Reject Rej_log Rej_app </query> <earliest>timepicker.earliest</earliest> <latest>timepicker.latest</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentageRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> <form> Ciao. Giuseppe ... View more

Hi @Razzi, you should define the fields that you can use to identify the fields to use: host (it's the host present in each log), process. Then you should create a lookup (called e.g. perimeter.csv) containing the hosts to monitor (supponing that the three services to monitor must be active in all the servers). Then you should run a search like the following: index=<your_index> process IN (TBD1, TBD2, TBD3) | stats dc(process) AS process_count values(process) AS process count BY host | append [ | inputlookup perimeter.csv | eval count=0 | fields host count ] | stats dc(process) AS process_count values(process) AS process sum(count) AS total BY host | where total=0 OR process_count<3 | eval status=if(total=0, "missed host", "missed process") | table host status process | rename process AS "present processes" Ciao. Giuseppe ... View more

Hi @anissabnk, this seems to be a json format, you could use INDEXED_EXTRACTIONS=json or the spath command https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Spath If anyway you want to use a regex, you should use more regexes like the following: | rex "from\"\s*:\s*\"(?<from>[^\"]+)\"" that you can test at https://regex101.com/r/6NQsEb/1 | rex "to\"\s*:\s*\"(?<to>[^\"]+)\"" that you can test at https://regex101.com/r/6NQsEb/2 | rex "intensity\"\s*:\s*\(\"\w+\"\s*:\s*(?<intensity>\d+)" that you can test at https://regex101.com/r/6NQsEb/3 Ciao. Giuseppe     ... View more

Hi @SampathkumarK , in addition to the other hints: in the bottom of the ServerClass form, you have the preview of clients in the serverclass, so you can immediately check if the whitelist is correctly running. Then you can go in the clients form and see the serverclasses enabled for those clients. Ciao. Giuseppe ... View more

Hi @Ram2 , in this case (having only two hosts, please try this: <form version="1.1" theme="light"> <label>Dashboard</label> <fieldset submitButton="false"> <input type="time" token="timepicker"> <label>TimeRange</label> <default> <earliest>-15m@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="host"> <label>Server</label> <choice value="*">All</choice> <choice value="host1">host1</choice> <choice value="host2">host2</choice> <prefix>host="</prefix> <suffix>"</suffix> <default>*</default> <fieldForLabel>host</fieldForLabel> <fieldForValue>host</fieldForValue> <search> <query> </query> </search> </input> </fieldset> <row> <panel> <table> <title>Incoming Count &amp; Total Count</title> <search> <query> index=app-index source=application.logs $host$ ( "Initial message received with below details" OR "Letter published correctley to ATM subject" OR "Letter published correctley to DMM subject" OR "Letter rejected due to: DOUBLE_KEY" OR "Letter rejected due to: UNVALID_LOG" OR "Letter rejected due to: UNVALID_DATA_APP" ) | rex field= _raw "application :\s(?<Application>\w+)" | rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)" | chart count over Application by Msgs | rename "Initial message received with below details" AS Income, "Letter published correctley to ATM subject" AS ATM, "Letter published correctley to DMM subject" AS DMM, "Letter rejected due to: DOUBLE_KEY" AS Reject, "Letter rejected due to: UNVALID_LOG" AS Rej_log, "Letter rejected due to: UNVALID_DATA_APP" AS Rej_app | table Income Rej_app ATM DMM Reject Rej_log Rej_app </query> <earliest>timepicker.earliest</earliest> <latest>timepicker.latest</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentageRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> <form> Ciao. Giuseppe ... View more

Hi @apomona , with my search you have the list of servers where the EventCode 4776 is't present in the last two minutes. The other time is required to have (if present) the last occurrence of the event: index="ad_windows" EventCode=4776 earliest=-60m@m | eval period=if(_time>now()-120,"Last","Previous") | stats count(eval(period="Last")) AS count latest(_time) AS _time BY host | append [ | inputlookup DomainController.csv | eval count=0 | fields host count ] | stats sum(count) AS total latest(_time) AS _time BY host | where total=0 | eval _time=if(_time=0,"No events in the period",_time) | table host _time Ciao. Giuseppe ... View more

Hi @apomona , answering to your questions: in _time you have the last occurrence of the EventCode, if there isn't any occurrence in the period, you don't have any value, in this case you could add a message instead of zero: index="ad_windows" EventCode=4776 earliest=-60m@m latest=@m | eval period=if(_time>now()-60,"Last","Previous") | stats count(eval(period="Last")) AS count latest(_time) AS _time BY host | append [ | inputlookup DomainController.csv | eval count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0 | eval _time=if(_time=0,"No events in the period",_time) | table host _time Avoid to use Real time, because these searches are very heavy for the system: each search takes a CPU and release it when finisces, but RT searches never finish. It's better a scheduled search, even if every minute. Expire, in Splunk there isn't an expiring period for an alert; the expiring period that you see in the alert is for the results (usually 1 day or 1 week) one year I think that's too large and disk space consuming. No, if the alert doesn't trigger an alert condition you don't have a message, if you want a message, you have to use a different search, but what's the utility of a message that's all ok in an alert? an alert should trigger only an error condition, not an OK conditon. Ciao. Giuseppe ... View more

Hi @Josh1890 , please try this: <your_search> | stats dc(User) AS user_count values(User) AS user BY DeviceID | where user_count>1 Ciao. Giuseppe ... View more

Hi @Josh1890 , as @ITWhisperer said, some sample coud help to better understand your requirement. Anyway, if I correctly understood, you want to know if the new_id was assigned in the past to some different users; in other words, if there are more users with assigned the same new_id, is this correct? It isn't so cluear for me the reation between new_id and past_id. Anyway, in this case, you could try to run something like this: <your_search> | stats dc(user) AS user_count values(user) AS user BY new_id | where user_count>1 Ciao. Giuseppe   ... View more

Hi @apomona , this search is an alert that triggers when the EventCode is missed saing that for the missed host you didn't received any event i the last minute, bt you haven't information about when you received the last event. if you want a report about the periods when the eventCode is missed, you should use a different search: index="ad_windows" EventCode=4776 earliest=-60m@m latest=@m | eval period=if(_time>now()-60,"Last","Previous") | stats count(eval(period="Last")) AS count latest(_time) AS _time BY host | append [ | inputlookup DomainController.csv | eval count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0 | table host _time in this way, you check if all the hosts in the lookup sent events with the above EventCode and, when missed, also the last event in the last hour. Ciao. Giuseppe ... View more

Hi @apomona, the question is: on how many servers do you want to check if the above EventCode isn't present? or, in othe words, have you a monitoring perimeter? if yes, put it in a lookup (called e.g. perimeter.csv) containing at least one column (called host), and then run a search like this: | index=wineventlog sourcetype=xmlwineventlog EventCode=4776 | stats count BY host | append [ | inputlookup | eval count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0 if you haven't a perimeter and you're sure that at least in the last hour you received at least one event with this EventCode, you could try: | index=wineventlog sourcetype=xmlwineventlog EventCode=4776 earliest=-60m@m latest=@m | eval period=if(_time>now()-3600,"Last","Previous") | stats dc(period) AS period_count values(period) AS period latest(_time) AS _time BY host | where period_count=1 AND period="Previous" I prefer the first solution because gives you more control: using the second one, you check only hosts in tha last hour. About the second question, avoid to use Real Time alerts because a Real Time search takes a CPU and doesn't release never! It's alway better to run a scheduled search (e.g. every 5 minutes), choose the frequency more adapt to your requirements. About the condition, using my solution you can trigger the alert when you have results (results>0). Ciao. Giuseppe ... View more

Hi @SumitSharma , this app isn't certified for Splunk Cloud. In addition ths app doesn't seem to be free (I could be wrong about this!). anyway, you should consider this app as a custom app and modify it to remove the part containing scripts that probably will block the upoad in Splunk Cloud. The app ins't accessible so I cannot be more detaied. Ciao. Giuseppe ... View more

Hi @Ram2, In the code you shared there are some missing parts. the, these aren't few hosts so I hint to use a lookup containing two columns: env host like the folowing: env host DEV amptams.dev.com DEV ampvitss.dev.com DEV ampdoctrc.dev.com SIT ampastdmsg.dev.com SIT ampmorce.dev.com SIT ampsmls.dev.com UAT ampserv.dev.com UAT ampasoomsg.dev.com SYS ampmsdser.dev.com SYS ampastcol.dev.com (remember to create also the Lookup Definition). in this way you could use in cascade two dropdown lists in this way: <form version="1.1" theme="light"> <label>Dashboard</label> <fieldset submitButton="false"> <input type="time" token="timepicker"> <label>TimeRange</label> <default> <earliest>-15m@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="env"> <label>Environment</label> <choice value="*">All</choice> <prefix>env="</prefix> <suffix>"</suffix> <default>*</default> <fieldForLabel>env</fieldForLabel> <fieldForValue>env</fieldForValue> <search> <query> | inputlookup perimeter.csv | dedup env | sort env | table env </query> </search> </input> <input type="dropdown" token="host"> <label>Server</label> <choice value="*">All</choice> <prefix>host="</prefix> <suffix>"</suffix> <default>*</default> <fieldForLabel>host</fieldForLabel> <fieldForValue>host</fieldForValue> <search> <query> | inputlookup perimeter.csv WHERE $env$ | dedup host | sort host | table host </query> </search> </input> </fieldset> <row> <panel> <table> <title>Incoming Count &amp; Total Count</title> <search> <query> index=app-index source=application.logs $env$ $host$ ( "Initial message received with below details" OR "Letter published correctley to ATM subject" OR "Letter published correctley to DMM subject" OR "Letter rejected due to: DOUBLE_KEY" OR "Letter rejected due to: UNVALID_LOG" OR "Letter rejected due to: UNVALID_DATA_APP" ) | rex field= _raw "application :\s(?<Application>\w+)" | rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)" | chart count over Application by Msgs | rename "Initial message received with below details" AS Income, "Letter published correctley to ATM subject" AS ATM, "Letter published correctley to DMM subject" AS DMM, "Letter rejected due to: DOUBLE_KEY" AS Reject, "Letter rejected due to: UNVALID_LOG" AS Rej_log, "Letter rejected due to: UNVALID_DATA_APP" AS Rej_app | table Income Rej_app ATM DMM Reject Rej_log Rej_app </query> <earliest>timepicker.earliest</earliest> <latest>timepicker.latest</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentageRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> <form>  Ciao. Giuseppe ... View more

Hi @Splunkerninja , does the search in [Settings > License > License Consuption > last 60 days > divided by index] run? I only copied this search. Ciao. Giuseppe ... View more

Hi @Splunkerninja, do you want to calcuate the icense consuption or the number of events per index and per day? In the first case see at [Settings > License > License Consuption past 60 days > by Index], or run this: index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by idx fixedrange=false | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | dedup _time stack | stats sum(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)] In the second case, you could try something ike this: index=* | bin span=1d _time | chart count OVER index BY _time Ciao. Giuseppe ... View more

Hi @Devi13, please try this: index=abc host IN () | eval col=_time."|".response_time | stats max(response_time) AS "Maximum Response Time" values(col) AS col BY URL | mvexpand col | rex field=col "^(?<_time>[^\|]+)\|(?<response_time>[.+)" | where "Maximum Response Time"=response_time | table URL "Maximum Response Time" _time | sort - "Maximum Response Time" Maybe it's also possible using eval in the stats command. Ciao. Giuseppe ... View more

Hi @Devi13, what do you mean with "respective time"? if you're meaning time info about the search (es. min_time, max_time, search execution_time, etc...) you could add "| addinfo" at the end of your search and choose the info you want. for more infos see at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo Ciao. Giuseppe ... View more

i @Roy_9 , you shared too few information to help you: Which kind of scripts are you speaching ? which OS are you using? Have you a lustered or stand alone SH ? Why do you want to execute these scripts on SH? Ciao. Giuseppe ... View more

Hi @michaelteck , if you give to the monitor command a path, Splunk reads all the file in this path. You can exclude events older than a data (e.g. 1 day ago), adding a parameter to the input stanza ignoreOlderThan = 1d Ciao. Giuseppe ... View more

Hi @karthi2809, after a stats command you have only the fields present in the stats command, so in your case you don't have priority and message fields that you would use in the evals after the stats. Locate the eval before the stats and add the related fields to the stats. Ciao. Giuseppe ... View more

Hi @pichertklaus, if you're sure that in the files (written bu syslog-ng) there are all the events, you have to search in the Splunk inputs. Are you sure that there aren't duplicated data in these files? because Splunk doesn't index twice duplicated data, event if having different file names. Then, are you sure about the parsing? if the missed events are in the first 12 days of each mont, maybe there's a timestamp parsing issue related to the timestamp format. di you checked if there are some events grouped in the same events? maybe the issue is in the event breaking rules. Ciao. Giuseppe ... View more