Exactly what did you try - please share your SPL search ... View more

Reduce your data set - you could try splitting the search into chunks which are appended, but it depends on your data and what you are trying to do. You could also try storing the chunks in a summary index (for example) to offload some of the processing. ... View more

Splunk essentially processes each event one at a time. Some commands work on the multiple events from the pipeline before producing an output event, but still each command processes the pipeline once. The foreach command operates on each event one at a time for each field mentioned in the field list. In order to do what you want, you would have to process the event pipeline multiple times. How many times you depend on your data. There is no way to tell ahead of time how many iterations would be required. One way of solving this might be to write a custom command that essentially takes all the events and processes them as a set. Good luck with that. 😀 ... View more

Perhaps it would be useful if you shared what SPL you do have rather than making us guess? Also, some sample events would be useful too. ... View more

SLO's often are defined as percentage success within a period of time. If you have a SLO defined just as a success rate without a time period, you are probably on a hiding to nothing! If you are trying to determine success rate for small periods of time, you would have to sample your data at that level or smaller. For example, if your SLO has a success rate of 97% in a five minute period, then you need to sample no larger than every 5 minutes. If you sample more frequently than this, these samples should be aggregated up to 5 minutes so that you can compare the success rate to your SLO. If you try to compare the success rate for the smaller time slices, e.g. every minute, they might give you an indication that your SLO might be breached, but since the SLO isn't defined at this level, it isn't technically a breach (until you compare the success rate for the full 5 minutes). You need to decide how important monitoring your success rate is, and at what frequency you want to measure it. This will factor into the cost of monitoring. SLOs are just part of a wider SRE approach and should be carefully considered and agreed. To answer your question another way, if you want to measure downtime or success rate to the second, you need the data (in Splunk) to support this level of detail. One thing to consider, even if you scheduled a report to execute every second, to try and pick up issues "as soon as possible", do you have the manpower to be sitting around waiting every second of every day in case a potential breach happens? What is an acceptable (and reasonable) delay between an issue arising and you being able to detect it? The smaller the delay, the most costly the solution is likely to be! ... View more

| stats avg(completion_time) as avg_completion_time by API ... View more

Assuming host is not null, this is one way of doing it although possibly not the most efficient | stats values(list) as list values(standard) as standard by host | mvexpand list | mvexpand standard | eval list_in_standard = if(list==standard,list,null()) | stats values(list_in_standard) as list_in_standard values(standard) as standard by host list | eval list_not_in_standard=if(isnull(list_in_standard),list,null()) | mvexpand standard | eval standard_in_list = if(list==standard,standard,null()) | stats values(list_in_standard) as list_in_standard values(standard_in_list) as standard_in_list values(list) as list values(list_not_in_standard) as list_not_in_standard by host standard | eval standard_not_in_list=if(isnull(standard_in_list),standard,null()) | stats values(list) as list values(standard) as standard values(list_in_standard) as list_iin_standard values(standard_not_in_list) as standard_not_in_list values(list_not_in_standard) as list_not_in_standard by host ... View more

Try this | lookup AppName.csv CAPNSplunk AS app | eval app=coalesce(RANSplunk,app) ... View more

| rex mode=sed "s/(?<x>Users\\\)(?<random>[^\\\]+)/\\1---/g" ... View more

| inputlookup Meta.csv | rex field=Application "^(?<name>.*)= \[" ... View more

Sorry, I had the output fields the wrong way around, try it this way | lookup AppName.csv CAPNSplunk AS app OUTPUT RANSplunk AS app ... View more

OK So, from what you have been shown with rex already, how do you think this could be applied to your current request. Note that regex.com is a good site for creating and testing regex extractions (although they can need a bit of tweaking to use in Splunk, especially if back-slashes are involved). ... View more

You could try this | lookup lookupfile CAPNSplunk AS index OUTPUT index AS RANSplunk Although, using field names such as index might cause issues as this is a system supplied field. https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Lookup  ... View more

Based on other answers you have been given to similar questions, what have you tried so far? ... View more

| rex field=<field name> "(?<dem_field>\w+)_(?<digits>\d+)\.csv" ... View more

You can use rex to extract digits from a field - do you already have this value in a field? | rex field=<field name> "(?<digits>\d+)\.csv" ... View more

index=proxy sourcetype="XXX" filter_category="File_Storage/Sharing" [ search index=proxy sourcetype="XXX" filter_category="File_Storage/Sharing" | eval bytes_in=bytes_in/1024/1024/1024 | eval bytes_in=round(bytes_in, 2) | table user,bytes_in | sort - bytes_in | head 10 | fields user url] | eval end_time=strftime(_time, "%Y-%m-%d %H:%M:%S") | eval bytes_in=bytes_in/1024/1024/1024 | rename user as username, url as FQDN | where bytes_in>0 | eventstats count sum(bytes_in) as Number_File_Uploads by username FQDN | table end_time,username,src,src_remarks01,FQDN,bytes_in,Number_File_Uploads | rename "end_time" as "Access date and time", "src" as "IP address", "src_remarks01" as "Asset information", "bytes_in" as "BytesIn(GB)" ... View more

| makeresults | eval _raw="customerservice it2-customer.com completed in 56 ms." | rex "(?<API>\S+) completed in (?<completion_time>\d+) ms" ... View more

I am not checking for "\\Specific_DL_Testing\" - this is part of the eval command to create the sample _raw field in line with what you say is your event As you can see from the _raw field in the screenshot, the event matches what you said you event was.   ... View more