Hi,
Please check whether the regex is capturing the data as needed. Please give us a sample event so we can work it out for you.
Your props and transforms are correct.
The best practice is to put the conf in your app directory, $SPLUNK_HOME/etc/apps/myapp/local.
Could you please try the below.
index="your_index" sourcetype="<your_sourcetype>" Error1 Error2
| rex field=_raw "(?P<err_message>Error.*)"
| table host, earFile, err_message
Mostly, the payload has some additional data which prevents it from being auto-parsed as JSON.
Please try to use a regex to break the event in props.conf.
Please give us a sample event type for more analysis.
Hi,
Could you try the addcoltotals command.
source="*WinEventLog:Security" sourcetype="*wineventlog:security" (EventCode=4624 OR EventCode=4625)
| timechart count(EventCode) by EventCode
| addcoltotals labelfield="Total"
Could you please try as below. Choose "Trigger alert when number of results is equal to zero".
index=myIndex source=mySource sourcetype=mySourceType earliest=-2h@h latest=@h
| timechart span=1h count AS Received
| stats sum(Received) as total_received
| where total_received=0
Hi,
Could you give us more details?
Check whether the search is producing any results.
Also, include the time window in the search as below.
index="your_index" sourcetype="your_st" earliest=-1h@h latest=@h
I am searching for a window of one hour.
For line-breaking, use the regex (&&&).
In props.conf, set MAX_EVENTS to 40000
and TRUNCATE to 20000 (check the max using the len function and adjust).
Create a new index named notfoundindex (Settings-->Indexes).
props.conf
[<your_sourcetype>]
# line-breaking in props.conf is done with LINE_BREAKER, and merging must be off for it to take effect
LINE_BREAKER = (&&&)
SHOULD_LINEMERGE = false
MAX_EVENTS = 40000
TRUNCATE = 20000
TRANSFORMS-01-notfound = notfound
TRANSFORMS-02-setsourcetype = setsourcetype
transforms.conf
[notfound]
REGEX = .*404.*
DEST_KEY = _MetaData:Index
FORMAT = notfoundindex
[setsourcetype]
SOURCE_KEY = _raw
REGEX = .*
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::access_combined
Hi,
Based on your requirement, could you please try the below.
|makeresults
|eval _raw= "input_field
DATA_ACE_CHE_Team
FdTest@Labcatr
DATA_ACE_CADD_Team
DATA_ACE_CAM_Team
DATA_ACE
DATA_ACE_CSS_Team
FG_sam
Check@#$values
checkme Data
D&*fuse
Data*now"
|multikv forceheader=1
|table input_field
|rex field=input_field "(?P<extracted_field>.*)(?:\_.+\_)"
Also, could you please give the expected input and output fields if this is not your requirement?
Hi,
Could you please try the below.
|makeresults
|eval _raw= "input_field
DATA_ACE_CHE_Team
FdTest@Labcatr
DATA_ACE_CADD_Team
DATA_ACE_CAM_Team
DATA_ACE
DATA_ACE_CSS_Team
FG_sam
Check@#$values
checkme Data
D&*fuse
Data*now"
|multikv forceheader=1
|table input_field
|rex field=input_field "(?P<extracted_field>.*)\s"
Modify the last line if you want to extract anything before special characters, like this:
|rex field=input_field "(?P<extracted_field>.*)(\_|\@|\s|\*)"
Hi,
1) You cannot directly upgrade from 6.x to 8.x. First, upgrade to 7.x and then proceed: 6.x --> 7.x --> 8.x
2) Check the kernel. It is highly recommended to upgrade your Ubuntu as it's an old release.
3) There are no Python dependencies or libraries for an upgrade. The latest Python bundle, 3.x, is shipped within Splunk.
Also, there is a dependency on the forwarders. Check for forwarder compatibility:
https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwardersandindexers
Hi,
Please use the below query. The idea is to evaluate your custom time field into _time.
index="index" sourcetype="sourcetype"
| rename message.account as Account
| search Account="account name" "message.title"="name"
| eval _time='message.timestamp'/1000
| eval epochTimestamp=strftime(_time,"%Y-%m-%dT%H:%M:%S.%N")
| bin span=1m _time
| dedup _time, message.title
| chart span=1m sum(message.concurrent_sessions_minus_new60s) as "Concurrent sessions" by Account
Hi,
If you are using the summary index and the data is stored as a table, you could directly fetch from the summary index later.
index=retention
| table earliest, latest, user, host, day
Read more about summary indexes:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Usesummaryindexing
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Configuresummaryindexes
OR
If you want the raw data to be persisted to the index "retention":
deploy the above indexes.conf on the indexer and direct the Splunk forwarder to send data to the "retention" index.
Hi,
As the data is very structured, my recommendation would be to go with summary indexes.
You could use the same query you created and direct its output to the summary index "retention".
Modify the query to push data to the summary index, schedule it as a report and run it periodically.
index=main sourcetype=WinEventLog (EventCode=4624 OR EventCode=4634) user=pratapa.ln earliest=-12mon
| eval day=strftime(_time,"%d/%m/%Y") | stats earliest(_time) AS earliest latest(_time) AS latest by user host day
| eval earliest=strftime(earliest,"%d/%m/%Y %H.%M.%S"), latest=strftime(latest,"%d/%m/%Y %H.%M.%S")
|collect index=retention
OR
You could also modify the configuration to send the data to the newly created index and use it like a regular index.
Hi,
Try the below SPL. Modify it based on your need.
| tstats count where sourcetype=WinHostMon by host, _time, sourcetype
| table host, sourcetype, _time
| sort - _time
| head 1
Hi,
Please check with your admin whether the user is locked or not.
Go to Settings-->Users (under Users and authentication)-->Search for the user.
It's better to reset the password.
P.S. I hope you are using native login, not LDAP or SAML.
Hi,
I assume you have common fields in the url lookup and the domain lookup.
Please try out the below and let us know.
index=firewall
| lookup url.csv url OUTPUT url, domain_index
| lookup domain.csv domain as domain_index OUTPUT domain
| table url, domain
Hi,
As a workaround, you could invoke logout by modifying the URL.
Please modify the browser URL as below.
<your_host_name>:8000/en-US/account/logout
Please try and let us know. Also, raise a case with Splunk regarding the logout button.
Hi,
You could specify to overwrite if the app already exists. Download and install the app from the zip file.
Did you try checking the check box "Upgrade app. Checking this will overwrite the app if it already exists."?
Apps-->Manage Apps-->Install app from file.
Please have a backup copy of the app directory before trying out this method.
Hi,
Please try the below search and let us know whether it worked.
index="<your_index>" AND http_message="*"
| stats count as tot by http_message, _time
| stats avg(tot) as Average by _time
Hi,
You probably have the field values as not null.
It will usually be whitespace. Check whether it's whitespace using the following command:
| eval fieldLength=len(Size)
If you have whitespace, replace the if clause as below, or use the replace command to replace the whitespace with null.
| eval Size=if(isnull(Size),"0",if(Size=" ","0",Size))