Hello All,  I'm trying to run query that will allow me to exclude events with part of a file path built in a windows event.  The event looks like this alert: %PlaceStuffIsStored%\ANYTHING\STUFF\And\Things\Blah\Blah\Blah\Blah.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced. I was able to Rex out the file path to now I have a new field called path which is Dir Dir=%PlaceStuffIsStored%\ANYTHING\STUFF\And\Things\Blah\Blah\Blah\Blah.EXE I've tried the basics but no luck  Search!="*ANYTHING\STUFF\*" |mysearch  Not (Dir="*ANYTHING\STUFF\*")   Thanks ... View more

Hi,  I have 14 alerts that cover all the infrastructure, my company uses. I get my data from a data bus every 60 minutes, but when that fails and it can for (several hours at a time). I would like to not have to rerun the alerts manually. As a note I don't any elevated access to the Splunk instance or the environment so I can't install apps, add-ins, or update any conf files, but I do have access to the audit and internal indexes.  Ideally I'd like my conditional trigger to be something like this: index=_internal sourcetype=scheduler status=!success savedsearch_name="Stuff to search" | table _time search_type status user app savedsearch_name result_count |where result_count=0  then <search/commands to rerun alert every hour until results are in> ... View more

I have an email alert that is set to go out every morning.  I have a bunch of long field names that get cut off randomly in the inline table that is in the body of the email.  For example I have a field named "Provisioning Status" in the email alerts it is displayed as "Provision ing Status"  I'd like the field to be displayed as "Provisioning Status"  What can I do? ... View more

I have 1600+ storage arrays and they are from multiple vendors, each with different thin provisioning levels. I currently have two columns one called TP at 1.2 and one called TP at 1.5. I'd like to combine them into a single column. I tried an if statement, but I couldn't get it right, I'm thinking I need to use a case statement but I'm not sure.  Here is an example eval "Thin Prov"=Case(((SV='vendorA' AND SM='MODEL1' OR SM='Model2'),(TC*1.5), (SV='vendorb' AND SM='Model3' or SM='Model4',TC*1.2)) ... View more

Hello Everyone, I have a really simple question but I can'f figure it out for the life of me.  I have a query set up that gives me the utilization of an array, and I want to have a text based field for its RAG status.  This is what I'm using  | eval RAG=(Class='DB' AND Utilization >= 62, "Red", Utilization >= 50, "Yellow", Utilization < 40, "Green") I've tried to run it and I keep getting the eval statement is malformed error.  Any help you can give would be appreciated.  ... View more

I have a bunch of storage clusters that we monitor,  60% of the envrioment uses normal GB, the other 40% uses GiB.  I need to show all of the storage arrays in 1 report and normalize the storage to GB, and the only field that is different between the storage besides the array name is "storage vendor" .  I need to create an If statement if vendor is like "X"  run these evals  |eval _GB_TiB = (((Capacity_GB)*1.1)/1024)*0.909495 | eval "Prov(TiB)" = (((prov_GB)*1.1)/1024)*0.909495 | eval "Written(TiB)" = ((((writtedGB)*1.1)/1024)*0.909495)/2     ... View more

I have a search that looks at the output of a few scripts and lets me know if they are not running. These scripts cover our data collection for the instance, from our data lake. For example if the asset script fails I like to see something in status field showing "Asset Collector broke!" in the status field. I want to create a status field to update for each scenario of the 3 different scenarios based on the avg number of results returned. This is what I tried so far in various forms, thanks for the help. basesearch|stats avg(assets_collected) as ac avg(metrics_returned) as metrics avg(no_metrics) as not_returned |eval status=case(ac==0, "Asset Collector broke!", assets==not_returned,"Cron Failure!",metrics==0,"Data Lake Failure!" ... View more

Hello, I'm building a search that tracks the use of memory allocated(mem_alloc), memory in use(mem_used), CPU in use(CPU_used) CPU allocated (CPU_alloc) along with the Cluster type (CT) for our vmware envrioment. My base query works perfect but when I try to build the logic behind it using where, and , or. I keep getting false positives, like the example below. where CT=Tier_1 or CT=Tier_2 and CPU_used>=50 or mem_used>=50 or mem_alloc>=0.9 or CPU_alloc>=0.9 I end up getting results that have different cluster tiers in them |CT | |CPU_used| |mem_used| |mem_alloc| |CPU_alloc| |Tier_2 |50.01| |25.35| |.82 | |.82 | |Tier_1 |62.23| |72.33| |.90 | |.65 | |Tier_2 |45.53| |32.55| |.97 | |.55 | |Tier_4 |23.25| |36.58| |1.01| |3.25| |Tier_5 |40.32| |85.15| |3.25| |1.11| I need to find a way to be able to narrow it down to Tier_1 or Tier_2 clusters only, and alert if any of the values break the thresholds in the where statements. ... View more

I want to create a drill down that will go from a value on a stats table a time chart for the clicked pool name in a new tab, I've been at this for a few hours now and I can't seem to get it to work. Here is the current XML: <panel> <table> <title>Pool Stats</title> <search> <query>index=Stuff| SERVER_NAME="$SERVER_NAME$"|dedup POOL_NAME|stats avg(eval(if(PCT_UTILIZED==0,null(),PCT_UTILIZED))) as Used by POOL_NAME|sort -Used | head 10</query> <earliest>0</earliest> <latest></latest> </search> <option name="drilldown">row</option> </table> Thanks in advance. ... View more