Hi, I need your help in order to get the difference between two searches. I have a task running once a day on all my servers and if the task is succeed it generates an event log that is sent to Splunk.  I need to know which servers didn’t generate that event. At this moment the result should be 1 server that is offline. But I don't get any results. But each search returns the list of my servers - 1st search is a lookup table (static) with all my servers: | inputlookup ctx_arc_hardware.csv | where HW_State="Active" AND (Group="XenApp APPS" OR Group="XenApp RBT") | table Hostname | rename Hostname as ComputerName - 2nd search (aleatory) is the list of servers that has a specific event generated once a day from the eventvwr index: index=eventviewer sourcetype=ctxevent EventCode=200 earliest=-8h | table ComputerName After google it, I found these 2 ways, but I'm not getting the result I want: | set diff [search index=eventviewer sourcetype=ctxevent EventCode=200 earliest=-8h | table ComputerName] [search inputlookup ctx_arc_hardware.csv | where HW_State="Active" AND (Group="XenApp APPS" OR Group="XenApp RBT") | table Hostname |rename Hostname as ComputerName] And also tried: | inputlookup ctx_arc_hardware.csv | where HW_State="Active" AND (Group="XenApp APPS" OR Group="XenApp RBT") | table Hostname | rename Hostname as ComputerName Where NOT [search index=eventviewer sourcetype=ctxevent EventCode=200 earliest=-26m | table ComputerName,] Can you point me in the right direction? ... View more

Hi, I have a csv that is imported to splunk and one of those fields has a space for the thousands and ends with  ",00",  I need it to be an integer only with numbers.   I can solve this this with 2 lines:        | eval test=replace(field1,",00","")        | eval test=replace(test," ","") But I want to create a new field with Calculated fields. How can I do that in one line of code? ... View more

Hi, I have this log line: May 13 08:01:56 192.168.10.10 system_service: 192.168.10.10 05/13/2020:07:01:56 GMT : GUI CMD_EXECUTED : User test_user - Remote_ip 10.10.10.10 - Command "login login tenant_name=Owner,password=********,Secret=*****,challenge_response=*****,token=80410000cb49a9,client_port=-1,cert_verified=false,sessionid=********,session_timeout=0,permission=superuser" - Status "Done" and I already have the Fields: user: test_user remote_ip: 10.10.10.10 command: "login login tenant_name=Owner,password=********,Secret=*****,challenge_response=*****,token=*****,client_port=-1,cert_verified=false,sessionid=********,session_timeout=0,permission=user" status: "Done" But I need to extract new fields from the existing field "command" For now what I need is to create the field "event" with the fist word (Login and Logout) Is there any way to Extract a field from an existing ? Or do I have to use the REX in Search? I have this search, but the event field has no values index=my_index (command=login* OR command=logout*) | rex field=command "event:^(.*.Command)\s+\"(?P\w+)" | table user,event, command,remote_ip, status, _time | sort -_time I've tested this regex expression and it return the value "login" from the log line above. Any idea of what I'm doing wrong? Regards, ... View more

Hi, I'm new in Splunk (and my knowledge is very basic) and I have to build a complex dashboard with multiple indexes. I've tried googling it and I did not find anything related to my needs. So, I have my index with a log file from a group of servers (farm) and that log is imported every 15min (96 files everyday). My logfile has this name: source=ControlUp_Computers_11_22_2017_16_29_57 where "16_29_57" represents at what time it was imported to splunk. In this case I have to SUM all the servers sessions every 15min Source examples: ControlUp_Computers_11_22_2017_16_29_57.csv ControlUp_Computers_11_22_2017_16_44_59.csv My search is: Windows last 4 days index=pt_app_it_controlup sourcetype="csv-computers" | eval Disconnect = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions' | timechart span=15min sum("User Sessions") as Total, sum(Active Sessions) as Active, sum(Disconnect) as Disconnected | timechart span=1d max(Total), max(Active), max(Disconnected) Output: _time max(Total) max(Active) max(Disconnected) 20/11/2017 4197 3076 2784 21/11/2017 4243 3014 2803 22/11/2017 8601 6089 2849 23/11/2017 2570 2038 1824 Each logfile has the number of all sessions state, so I need to SUM all of them and then get the MAX of each days. But all servers are grouped (by Folder) With this search I have my results index=pt_app_it_controlup sourcetype="csv-computers" | eval Disconnect = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions' | eval Folder =substr(Folder,22,25) | timechart span=15min sum("User Sessions") as Total, sum(Active Sessions) as Active, sum(Disconnect) as Disconnected by Folder Folder names (agentes, callcenters) Output: _time |Active: agentes |Active: callcenters |Disconnected: agentes |Disconnected: callcenters |Total: agentes |Total: callcenters 2017-11-24 00:00:00 |11 |54 |16 |584 |479 |638 2017-11-24 00:15:00 |9 |49 |11 |535 |449 |584 2017-11-24 00:30:00 |9 |45 |6 |439 |410 |484 Now I need to find the MAX of each day by Folder. But applying the 2nd timechart I can't get my results index=pt_app_it_controlup sourcetype="csv-computers" | eval Disconnect = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions' | eval Folder =substr(Folder,22,25) | timechart span=15m sum("User Sessions") as Total, sum(Active Sessions) as Active, sum(Disconnect) as Disconnected | timechart span=1d max("Total"), max("Active"), max("Disconnected") by Folder Can you help pointing me to the right direction? Thanks!!! ... View more