Hello All,  I'm trying to run query that will allow me to exclude events with part of a file path built in a windows event.  The event looks like this alert: %PlaceStuffIsStored%\ANYTHING\STUFF\And\Things\Blah\Blah\Blah\Blah.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced. I was able to Rex out the file path to now I have a new field called path which is Dir Dir=%PlaceStuffIsStored%\ANYTHING\STUFF\And\Things\Blah\Blah\Blah\Blah.EXE I've tried the basics but no luck  Search!="*ANYTHING\STUFF\*" |mysearch  Not (Dir="*ANYTHING\STUFF\*")   Thanks ... View more

Hi,  I have 14 alerts that cover all the infrastructure, my company uses. I get my data from a data bus every 60 minutes, but when that fails and it can for (several hours at a time). I would like to not have to rerun the alerts manually. As a note I don't any elevated access to the Splunk instance or the environment so I can't install apps, add-ins, or update any conf files, but I do have access to the audit and internal indexes.  Ideally I'd like my conditional trigger to be something like this: index=_internal sourcetype=scheduler status=!success savedsearch_name="Stuff to search" | table _time search_type status user app savedsearch_name result_count |where result_count=0  then <search/commands to rerun alert every hour until results are in> ... View more

I have an email alert that is set to go out every morning.  I have a bunch of long field names that get cut off randomly in the inline table that is in the body of the email.  For example I have a field named "Provisioning Status" in the email alerts it is displayed as "Provision ing Status"  I'd like the field to be displayed as "Provisioning Status"  What can I do? ... View more

I have 1600+ storage arrays and they are from multiple vendors, each with different thin provisioning levels. I currently have two columns one called TP at 1.2 and one called TP at 1.5. I'd like to combine them into a single column. I tried an if statement, but I couldn't get it right, I'm thinking I need to use a case statement but I'm not sure.  Here is an example eval "Thin Prov"=Case(((SV='vendorA' AND SM='MODEL1' OR SM='Model2'),(TC*1.5), (SV='vendorb' AND SM='Model3' or SM='Model4',TC*1.2)) ... View more

Hello Everyone, I have a really simple question but I can'f figure it out for the life of me.  I have a query set up that gives me the utilization of an array, and I want to have a text based field for its RAG status.  This is what I'm using  | eval RAG=(Class='DB' AND Utilization >= 62, "Red", Utilization >= 50, "Yellow", Utilization < 40, "Green") I've tried to run it and I keep getting the eval statement is malformed error.  Any help you can give would be appreciated.  ... View more

I have a bunch of storage clusters that we monitor,  60% of the envrioment uses normal GB, the other 40% uses GiB.  I need to show all of the storage arrays in 1 report and normalize the storage to GB, and the only field that is different between the storage besides the array name is "storage vendor" .  I need to create an If statement if vendor is like "X"  run these evals  |eval _GB_TiB = (((Capacity_GB)*1.1)/1024)*0.909495 | eval "Prov(TiB)" = (((prov_GB)*1.1)/1024)*0.909495 | eval "Written(TiB)" = ((((writtedGB)*1.1)/1024)*0.909495)/2     ... View more

I have a search that looks at the output of a few scripts and lets me know if they are not running. These scripts cover our data collection for the instance, from our data lake. For example if the asset script fails I like to see something in status field showing "Asset Collector broke!" in the status field. I want to create a status field to update for each scenario of the 3 different scenarios based on the avg number of results returned. This is what I tried so far in various forms, thanks for the help. basesearch|stats avg(assets_collected) as ac avg(metrics_returned) as metrics avg(no_metrics) as not_returned |eval status=case(ac==0, "Asset Collector broke!", assets==not_returned,"Cron Failure!",metrics==0,"Data Lake Failure!" ... View more

Hello, I'm building a search that tracks the use of memory allocated(mem_alloc), memory in use(mem_used), CPU in use(CPU_used) CPU allocated (CPU_alloc) along with the Cluster type (CT) for our vmware envrioment. My base query works perfect but when I try to build the logic behind it using where, and , or. I keep getting false positives, like the example below. where CT=Tier_1 or CT=Tier_2 and CPU_used>=50 or mem_used>=50 or mem_alloc>=0.9 or CPU_alloc>=0.9 I end up getting results that have different cluster tiers in them |CT | |CPU_used| |mem_used| |mem_alloc| |CPU_alloc| |Tier_2 |50.01| |25.35| |.82 | |.82 | |Tier_1 |62.23| |72.33| |.90 | |.65 | |Tier_2 |45.53| |32.55| |.97 | |.55 | |Tier_4 |23.25| |36.58| |1.01| |3.25| |Tier_5 |40.32| |85.15| |3.25| |1.11| I need to find a way to be able to narrow it down to Tier_1 or Tier_2 clusters only, and alert if any of the values break the thresholds in the where statements. ... View more

I want to create a drill down that will go from a value on a stats table a time chart for the clicked pool name in a new tab, I've been at this for a few hours now and I can't seem to get it to work. Here is the current XML: <panel> <table> <title>Pool Stats</title> <search> <query>index=Stuff| SERVER_NAME="$SERVER_NAME$"|dedup POOL_NAME|stats avg(eval(if(PCT_UTILIZED==0,null(),PCT_UTILIZED))) as Used by POOL_NAME|sort -Used | head 10</query> <earliest>0</earliest> <latest></latest> </search> <option name="drilldown">row</option> </table> Thanks in advance. ... View more

I want to create a drill down that will go from a value on a stats table a time chart for the clicked pool name in a new tab, I've been at this for a few hours now and I can't seem to get it to work. Here is the current XML: <table> <title>Pool Stats</title> <search> <query>index=Stuff| SERVER_NAME="$SERVER_NAME$"|dedup POOL_NAME|stats avg(eval(if(PCT_UTILIZED==0,null(),PCT_UTILIZED))) as Used by POOL_NAME|sort -Used | head 10</query> <earliest>0</earliest> <latest></latest> </search> <option name="drilldown">row</option> </table> </panel> ... View more

Hey so I have a list of of values, that need to be standardized. The values I'm need to transform look like this: Pool1-dp Pool2-dp Pool3_MSDP Pool4_MSDP Pool5-dp I need to trim the values to just have their proper pool names (Pool1). Here is the SPL MySearch|rex mode=sed field="Field1" s/"(-dp)|(_MSDP)" but, when I run it in my instance I keep getting errors like this one. Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace. I've spent about 4 hours trying to figure this out and I jut cant seem to do it. I wrote the REX in regex101, and it works there with no problem there. I did a bunch of googling and I tried most of the posts here at splunk answers, any help would be very appreciated. Disclaimer I do not have access to the server where the instance is hosted, just the instance itself. ... View more

I have a list of 51 locations, and I want to create dashboard that displays the results of the query below in a separate panel for each site. index= index cluster=""site=""| bin _time span=1d|eval time=(time)|eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time|eval allocated = round((capacity),2)|eval utilization= round(((vmdkused+garbage)-capacity),2)|chart sum(allocated) as allocated avg(capacity) as capacity by site|eval capacity=round(capacity,2)|eval allocated=round(allocated,2) I could do this manually, but I wanted to know if there was a for loop that can do it for me. ... View more