I have events from a device sent to splunk every day seen in the example below. Here is an example of that I want to happen: If I ran a search on 2022-05-02, my result would show "Event 1" because the "last_fixed" date is older than "last_found" date. But if I run the same search on 2022-05-04 it will show event 5 because the "last_fixed" date is newer than "last_found" date. I am trying to search the last 30 days for all events to see what device still needs attention. I want to show the oldest event that has "last_found" date unless there's a newer event with the "last_fixed" date newer than "last_found" My Search: index=01  | dedup Device IP_Address  sortby +_time | table dest ip_address Event 1:  Time: 2022-04-29 Device: aaa.local IP_Address: 10.10.10.5 last_fixed: 2022-04-04T21:07:01.592Z last_found: 2022-04-29T05:52:57.742Z Event2:  Time: 2022-04-30 Device: aaa.local IP_Address: 10.10.10.5 last_fixed: 2022-04-04T21:07:01.592Z last_found: 2022-04-30T05:52:11.663Z Event3:  Time: 2022-05-01 Device: aaa.local IP_Address: 10.10.10.5 last_fixed: 2022-04-04T21:07:01.592Z last_found: 2022-05-01T05:53:36.270Z Event4:  Time: 2022-05-02 Device: aaa.local IP_Address: 10.10.10.5 last_fixed: 2022-04-04T21:07:01.592Z last_found: 2022-05-02T05:55:02.180Z Event5:  Time: 2022-05-03 Device: aaa.local IP_Address: 10.10.10.5 last_fixed: 2022-05-03T05:54:03.611Z last_found: 2022-05-02T05:55:02.180Z   Would the best way to do this is by using eval?  ... View more

Hello, I am looking to only make a few views only available to a "Role". Lets say everyone will have access to the app named "Internal Views". Lets say we have two user groups: Internal_View_User Internal_View_Power   I only want views in the app to be seen if you're in a certain group.    This is what "Navigation menu XML" looks like. <nav search_view="search" color="#425363"> <view name="Home" /> <view name="dashboards" /> <view name="Internal_Views_Dashboard" /> <view name="datasets" /> <view name="reports" /> <view name="alerts" /> <view name="search" /> </nav>   This is what I was hoping to do. <nav search_view="search" color="#425363"> <view name="Home" /> <view name="dashboards" /> Permissions: [Internal_View_Power] <view name="Internal_Views_Dashboard" /> Permissions: [Internal_View_User, Internal_View_Power] <view name="datasets" />  Permissions: [Internal_View_Power] <view name="reports" />  Permissions: [Internal_View_Power] <view name="alerts" />  Permissions: [Internal_View_Power] <view name="search" />  /> Permissions: [Internal_View_User, Internal_View_Power] </nav>       Whats the best way to complete this? Thank you for any ideas! ... View more

I am looking to have a eval search that looks for a field name of "Name" and adds the value. If the field doesn't exist, I want to add a field of "Name" and add "N/A" for the data.    | eval Name = if((like(Name,"*"))),"&Name&","N/A")   This might be the wrong way of doing it.   Event example #1: Hostname Time Name Action Server02 11:22am jdoe logon Server20 1:30pm jsmith logon   Event example #2: Hostname Time Action   Workstation 10:45am Saved   Workstation 100 12:30pm Saved       After the search is run I want the data to look like this.   Hostname Time Name Action Server02 11:22am jdoe logon Server20 1:30pm jsmith logon Workstation 10:45am N/A Save Workstation 100 12:30pm N/A Save         ... View more

I am working on with two different data types and some of which have a field of CVE and others don't have a field of CVE.  I have a text input on a dashboard that is working for all events that have a CVE field but I also want all of the other events that don't have a field named CVE.   Basically I am wanting to search the field of "CVE" if the field exist and if it doesn't, then the field is overlooked.   Thank you ahead of time!    ... View more

Currently I am running into an issue where if there is a person logs onto a server multiple times, it combines. Any ideas on how to split? Here is sample data. Currently I am using | stats values(*) as * by Host Account_Name From This: Host Account_Name Duration Session_End Session_Start fdk-DC01 jfrank   1612536779 1612558813 1612536778 1612558812 fdk-DC01 ptom 00:00:02 1612563697 1612563695 fdk-Host01 jfrank 00:00:05 1612539322 1612539317 fdk-Host03 bhill   1612540329 1612543822 1612540323 1612543816   To This: Host Account_Name Duration Session_End Session_Start fdk-DC01 jfrank  00:00:03 1612536779 1612536778 fdk-DC01 jfrank 00:00:07 1612558813 1612558812 fdk-DC01 ptom 00:00:02 1612563697 1612563695 fdk-Host01 jfrank 00:00:05 1612539322 1612539317 fdk-Host03 bhill  00:00:09 1612540329 1612540323 fdk-Host03 bhill 00:00:010 1612543822 1612543816     Thank you for any pointers! ... View more

This project is for our badge system. I currently have a dashboard panel that shows how many badges have been used in a day giving us a ballpark figure on how many people are in the office. I am now working on showing how many people are on the different floors, which I have. The one feature that I need is to have the count change as the person moves from floor to floor. For an example: If there are 2 people on the first floor and 5 people on the second floor and on of the 5 people on the second floor badges in on the first floor, I want the dashboard to deduct 1 from 5 and add the person to the latest badged floor which in this case it is the first floor. I can get a count but don’t know how to link. Any thought? Thanks ... View more

When I perform a search, the "events tab" count match actual data. Once I add "| geostats latfield=Latitude longfield=Longitude " to the search box, to be able to display on map, the results in the "statistics tab" go up in count by 11 and is not giving actual results. How can I have the geomap command look at the events and not "statistics tab"? Why does the statistics results add 11 results compared to the events tab? Thanks ... View more

I am needing to have the automatic generated report saved locally on the server. From there, I can create a cron job to move them to a different location. I am having trouble finding a way to get them saved locally. I do see an option that allows me to run a script which might be an option. I have been looking over some of the similar questions and cant seem to find an answer. ... View more

I am looking to create a dashboard panel that is synced with our AV tool. The tool that we use is sending events to splunk when the AV protection is disabled and re-enabled. I dont know how to display only the devices that have not had AV re-enabled. i.e. PC 1000 is disabled PC 1000 is enabled PC 2003 is disabled The dashboard panel would show one device that needs enabled. Until an event related to PC 2003 is sent that show "PC 2003 is enabled" then the dashboard will show one device needing attention. How do set "disabled" as + "1" and enabled as - "1"? Unless there is a better way.. Thanks! ... View more