Glad to hear you got it resolved. Sounds like this could qualify as a connectivity issue. 🙂 ... View more

There's also a couple of free fundamentals training classes available here, fyi. ... View more

I would probably suggest starting with the Splunk Security Essentials app to discover use cases you can meet in your environment with the data you have ingested in Splunk. It is well documented and should be very helpful, especially since you have limited Splunk experience. You might also find some nuggets here. ... View more

You need to ensure that the inputlookup subsearch returns a field called "Rule", not CVE.  The field/column you want to match in your lookup is named "CVE Number", so you need to rename that to "Rule" for the NOT condition to work against your events.  NOT [|inputlookup ignore_cve.csv | rename "CVE Number" as Rule | fields Rule] ... View more

OK, so rename your field from the lookup to "Rule": <yourSearch> NOT [|inputlookup ignore_cve.csv | rename "CVE Number" as Rule | fields Rule] ... View more

What is the field name of the CVE in your event results? ... View more

What field name from this search do you want to match against which field name in the lookup? In general:    <yourSearchReturning <matchField>> NOT [| inputlookup lookupfile.csv | fields <fieldToMatch> | rename <fieldToMatch> as <matchField>]   Of course you only have to rename if the field name in your event search is different from the one in the lookup file. ... View more

Try adding quotes to that field  "CVE Number" name or remove the space from the csv header? Without seeing the exact layout of your csv file and the current query, it's difficult to provide more advice. Maybe share header row and first couple of lines of your csv? ... View more

You probably want something like  index=xyz NOT [ inputlookup ignore_cve.csv ] | table .... lookup is intended for 'translating' things, like key in, value out. ... View more

Assuming it's the first date/time value in the event you want to use as _time,  and we just name fields according to your column names, this should work:   [mySourcetypeNameDontUseCSV] FIELD_NAMES = A,B,C,D,E INDEXED_EXTRACTIONS = csv LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true SHOULD_LINEMERGE = false   If this file is read by a UF, this props.conf entry must be placed on the UF itself, since you intend to use indexed extractions. If you want a different part of the event for the timestamp, or if you just want to use index time, you'll need a couple more things. ... View more

Couple of questions: - Where is this csv file picked up from, i.e. is it read by a UF? - What field names do you expect to use? - Which part of the first column do you want to be used as the event timestamp (there are multiple TS values)? ... View more

You don't need the table command at the end for the visualization; remove it and it should work.  ... View more

Can you provide an anonymized sample event? Also, what IS the unexpected result you are getting? ... View more

Try something like this:  | eval current_hour=strftime(now(), "%I") | eval dh=current_hour-1 | where date_hour=dh | timechart span=1w count Obviously, you'll need to handle the special case of midnight. Also, this is still pretty inefficient and can definitely be improved not to read all events only to filter out the hour in question, but it should show how to make the date_hour dynamic. I am not a search expert by any means, so there maybe an easier way to do this.  I would consider a summary index that is populated hourly/nightly and base your by-hour reporting on that.  ... View more

Have you taken a look at $SPLUNK_HOME/var/log/splunk/splunkd.log to get any hints as to what may be happening?  ... View more

You can use time modifiers in your search (docs😞   index=text source=text date_hour=14 earliest=-6w | timechart span=1h count   Will give you the last 6 days. If this is something you want to run regularly, you could create a saved search that runs nightly (or weekly), counts what you want to count and store it in a summary index. Your alert search will run much faster that way. It may also be possible to rewrite your search using tstats if you only need to look at metadata fields (like time). date_hour is a search time extraction, so you couldn't use that with tstats. You can also look at using INGEST_EVAL to create an indexed field that contains the hour component of your timestamp at ingest time. Searches that can use just indexed fields are much more efficient and if this is not a one-off use case, the extra work at ingest time will be worth the benefits. ... View more

I suspect this has something to do with the warning you received earlier in the logs: DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.   ... View more

This would have been better asked in a new question instead of as a reply to an 11 year old one... 😉 You can use a REST API call to get that info programmatically, here's a search example: | rest /services/server/settings | fields *Port *port The Java SDK has a class named "Settings" with methods to retrieve host and port values, among other settings. ... View more

Agree with the HEC recommendation. Start with docs here. Note that you will use a different url/port then the one you use to access the Splunk UI. Your admin will have to configure the HEC listener on the indexer side and provide you with a load-balanced VIP address to use on your client. The default port is 8088, but it may be different depending on what your Splunk admin configured. Assuming an existing Splunk indexing environment has been configured at your company already, you can instead go the file monitoring route and send data to indexers using the Splunk-to-Splunk protocol with the universal forwarder configured to talk to your company's indexers (outputs.conf).  Again, you wouldn't use your URL/port for the search head. By default, indexers will listen on port 9997 for data from forwarders (unless your admin set it up differently). BTW, file monitoring by the UF is a continuous process (no periodic polling per-se) and provides you with a certain amount of resiliency against transient failure conditions you would otherwise need to handle in your application script, if going the HEC route. On top of that, the UF can also monitor files and send it over HTTP in latest product releases (httpout), so a combination of both methods is possible.   ... View more