This is basically the same problem you asked about last month (which you said you had solved), however, pursuing the other solutions offered at the time might prove more helpful in this instance? ... View more

This is easier said than done. Dashboards are designed to be flexible and allow for multiple ways to do things, so even if you found a way to do this for one dashboard, it may not work for the next dashboard. My question is why are you attempting to do this? What is your usecase? Given the complexity of the task (cost), what would you do with the information (benefit) assuming you could even get a working solution for your environment? ... View more

You could try contacting the developers? ... View more

I think you probably would want to sort by count not runTime and you can do the head in the sort index=abc source=xxx earliest=-60m EventRecType=xyz | stats count values(otherField) as otherField values(anotherField) as anotherField by runTime | sort 5 count ... View more

Perhaps the simplest way to do this is with a subsearch, however, there are limits to the number of events so this may not work for your usecase Index=abc source=xxx earliest=-60m EventRecType=xyz [search Index=abc source=xxx earliest=-60m EventRecType=xyz | rare runTime limit=5 | fields runTime | format] ... View more

openssl version shows which version is found by your shell. Try bin/splunk cmd openssl version to find which version splunk is using. ... View more

Obviously, I don't have access to your data but I ran a similar search over my _internal logs and I get a line for each day in the time period. index=_internal | bucket _time span=1d | stats sum(bytes) as daily_bytes by _time | streamstats avg(daily_bytes) as week_avg list(daily_bytes) as seven_days window=7 | eval w_o_w_change=((daily_bytes - week_avg)/week_avg)*100 | eval state=case( w_o_w_change > 50, "CRITICAL - 50%+ increase", w_o_w_change > 30, "HIGH - 30%+ increase", w_o_w_change > 20, "MED - 20%+ increase", 1=1, "LOW") | table _time, daily_bytes, week_avg, w_o_w_change state | sort -w_o_w_change ... View more

Your SPL looks fine - are you sure the results aren't correct? You could try adding a list to see if the values make sense | streamstats avg(daily_bytes) as week_avg list(daily_bytes) as seven_days window=7 ... View more

As I said, you need to mvexpand stems before doing the replace. ... View more

Try something like this | eval stems = mvappend("91", "92", "MS", "CS") | mvexpand stems | eval expandedvalues = replace(JOB, "\*", stems) ... View more

It depends - do you mean "duplicate" events being returned in your search? What is the level of duplication? Is it the whole event i.e. if a single character is different then it is not a duplicate? Or is it that a particular field or set of fields have unique values? Or some other criteria that you would use to determine if an event is a duplicate? ... View more

Assuming you have fields event_type (all events), request_id (just request events) and response_code (just response events), and your events are in reverse chronological order, then you could do this | filldown response_code | where event_type="request" To be honest, all this is theoretical - if you want more salient advice, I suggest you post some representative sanitised sample events so we can see what you are dealing with. ... View more

If you mean some sort of pre-indexing lookup, then the indexing / ingestion process in Splunk is not really designed for that. Any pre-indexing lookup / search would slow up the indexing process far too much and more likely to cause other issues. You would be better off doing your deduplication as part of the search process, which you could then use to populate a summary index with just the deduplicated events (or better yet, the aggregated results, depending on your usecase). ... View more

Assuming the event type has been extracted to a field called "type", and your events have been sorted into chronological order, you could do something along these lines | streamstats count as event_number by type | stats list(_raw) as raw_events by event_number   ... View more

You could try using Classic SimpleXML dashboards as you have options using CSS to modify how things are displayed. ... View more

It is working for me in version 9.3.5, 9.4.3, 10.0.x by editing web-features.conf - the settings server settings doesn't always appear in the gui though ... View more

On prem works too although you may need at least 10.0 ... View more

This isn't really a Splunk question, it is a scripting question. Which scripting language do you want to use (there are many to choose from)? ... View more

Firstly, you should consider renaming the fields in the csv file before onboarding, this will make your life easier going forward. Assuming you can't/won't do this, do you have a name conversion scheme or a few schemes that can be applied automatically e.g. last word, or last two words? Here is a method for taking the last word | appendpipe [ ``` Transpose to get names of fields ``` | transpose 1 column_name=fields ``` remove row 1 ``` | fields - "row 1" ``` Extract the new name from the current name ``` | rex field=fields ".*?_(?<new_name>[a-zA-Z]+$)" ``` Rename all the fields so they are easy to identify ``` | eval fields="R_".fields ``` Transpose to get renaming fields with their new names ``` | transpose 0 header_field=fields ``` Remove column names ``` | fields - column ] ``` Copy rename fields to all events ``` | reverse | filldown R_* | reverse ``` Remove appended event - this relies on knowing an original field which is non-null in all events ``` | where isnotnull(XYZ_Surname) ``` For each renaming field ``` | foreach R_* [ ``` Use contents of renaming field to create renamed field with contents of original field ``` | eval {<<FIELD>>}=<<MATCHSEG1>> ``` Remove original field and renaming field ``` | fields - <<MATCHSEG1>> <<FIELD>> ] You can modify this to use your own renaming schemes. You may also need to take into account any special, non-alphanumeric characters which appear in your field names by using single and double quotes in appropriate places. ... View more

You are correct, this is about border cases - to quote from OP " it occasionally finds *multiple* events rather than a single one". That is the essence of the problem.  The other thing to bear in mind is the nature of the events being worked with, i.e. "process creation Windows logs" i.e. we don't have other events such as process termination events to know when a process completes (freeing up its PID), so we have to assume that if a new process creation event occurs with the same PID as previously seen, the previous instance of the PID has (at some point) terminated. So, to explain my sample data: 1,2,0,C,A,X At time point 1, PID-2 is created by PID-0 (PPID) with image name "C" and parent image name "A" on computer "X" 2,2,1,C,B,X At time point 2, which could be at an indeterminate point in time after time point 1 (although I have set this to be 1 second later), PID-2 is created by PID-1 (PPID) again with image name "C", but this time with parent image name "B" (although it could be the same image name, I just used a different one to ensure the correct instance of the process was being found), again on computer "X". (Point to note is that my solution doesn't take different computers into account but that is simple to add to the by clauses where PID and Image are used.) 3,3,2,D,C,X Still on computer "X", at time point 3, which could be at an indeterminate point in time after time point 2 (although I have set this to be 1 second later), PID-3 is created by PID-2 (PPID) with image name "D", and with parent image name "C". The issue for the OP is that the lookup file process originally used matches to both the first of my events, so they wanted a way to programmatically determine what the grandparent process id (GPID) was. Your streamstats methods does work in this situation, but only if you switch a couple of the lines around! ... View more