We had a user leave and before he did he asked that I change the ownership of all his reports to another employee.  I did that.  Today I found out that he owns a lookup.  When I look in knowledge objects orphans, it wasn't in there.  From what I've found online, lookups are completely different.  Is there anyway in Splunk to find everything a user owns?  I would rather be proactive and find things the the user didn't mention, rather than wait for notification that something isn't working. TIA, Joe ... View more

I'm working with the "Jira Issue Input Add-on" and in Jira we have created custom fields.  Splunk ingests issues and the custom field data looks like this   customfield_10101: SA-1017 customfield_10107: 3 customfield_25402: [ [+] ] customfield_25426: [ [+] ] customfield_25427: { [+] }   There are 1,049 custom fields.  I would like to use the names for the custom fields and have created a csv file with this   customfield_custom_field_number,custom_field_name customfield_10000,Request participants ... customfield_27904,Target Date   I'm trying to avoid having all the renames in props.conf.  Is there any way of taking the field name in an event and using the lookup renaming it to what is found in the lookup? ... View more

I’m working with a kvstore since the Netskope IP information needs updating.  I figured out how to add to it using this SPL     | makeresults | eval Data="aaa.bbb.ccc.ddd/mask" | eval Desc="Netskope" | eval Type="netskope_ip" | outputlookup append=true override_if_empty=false my_kvstore     I found multiple examples of how to delete curl -k -u admin:yourpassword -X DELETE https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll/5410be5441... The thing is I can’t find the data path.  I can’t use the above command replacing the path the correct path if I can’t figure out the correct path.  Any suggestions? TIA, Joe ... View more

I'm working with a csv file with this header Filenm,EIN,Status,Business Function,Maintained By, Region,Manufacturer Name,Building Name,Service Area,Model Name,Model Number,Serial Number,AM Tag Number,Equipment Type,Equipment Type Description,Network Connection Type Wired,IP Address v4 Wired,Nuvolo Flag,MAC Address Wired,Equipment Status Detail,Network Connection Type Wireless,IP Address v4 Wireless,IP Address Type Wireless,IP Address Type Wired,MAC Address Wireless,Host Name,Fully Qualified Domain Name,OS Version,Asset Type,Contains ePHI,Application Software Name What I would like to do is have Splunk transform to closer to Splunk field names.  Such as filenm,ein,status,business_function,maintained_by,region,manufacturer_name,building_name,service_area,model_name,model_number,serial_number,am_tag_mumber,equipment_type,equipment_type_description,network_connection_type_wired,ip_addres_v4_Wired,nuvolo_flag,mac_address_wired,equipment_status_detail,network_connection_type_wireless,ip_Address_v4_wireless,ip_address_type_wireless,ip_ddress_type_wired,mac_address_wireless,host_name,fully_qualified_domain_name,os_version,asset_type,contains_ephi,application_software_name The only thing I've been able to find is putting something in the TA transforms.conf like this [edge_asset_header] DELIMS = "," FIELDS = "filenm","ein","status","business_function","maintained_by","region","manufacturer_name","building_name","service_area","model_name","model_number","serial_number","am_tag_mumber","equipment_type","equipment_type_description","network_connection_type_wired","ip_addres_v4_Wired","nuvolo_flag","mac_address_wired","equipment_status_detail","network_connection_type_wireless","ip_Address_v4_wireless","ip_address_type_wireless","ip_ddress_type_wired","mac_address_wireless","host_name","fully_qualified_domain_name","os_version","asset_type","contains_ephi","application_software_name" Is the only solution or did I miss something? TIA, Joe ... View more

I'm working with some syslog data that is being pulled in from a gzip file.  The data looks like this     Apr 28 23:59:01 hostname systemd: Removed slice User Slice of pdw. Apr 28 23:59:01 hostname systemd: Started Session 9904 of user pdw. Apr 28 23:59:01 hostname systemd: Created slice User Slice of pdw. Apr 28 23:58:01 hostname systemd: Removed slice User Slice of pdw. Apr 28 23:58:01 hostname systemd: Started Session 9903 of user pdw. Apr 28 23:58:01 hostname systemd: Created slice User Slice of pdw. Apr 28 23:57:01 hostname systemd: Removed slice User Slice of pdw. Apr 28 23:57:01 hostname systemd: Started Session 9902 of user pdw. Apr 28 23:57:01 hostname systemd: Created slice User Slice of pdw. Apr 28 23:56:01 hostname systemd: Removed slice User Slice of pdw.      The issue is instead of seeing April 28 in _time, what I'm seeing is what appears to be timestamp of the file source="/var/log/messages-20220501.gz".  The 2,974,360 events in the gzip run from Aug 1 to May 3.  Does Splunk not get the date from each event in the gzip or did Splunk run up against a limitation and not process due to the number of events? ... View more

I have this search where the splunk_check_hostnames.csv is a single column of hostnames with hostname as the header.     index=_internal sourcetype=splunkd earliest=-24h [| inputlookup splunk_check_hostnames.csv] | stats count by hostname, version, os     It works nicely.  I'm trying to figure out how to do the below search without having to use a second lookup with the header being host.     index=os_* sourcetype=linux_secure OR source=WinEventLog:Security earliest=-24h [| inputlookup splunk_check_hostnames.csv] | stats count by host, index, sourcetype     Any thoughts? TIA, Joe ... View more