Hi @SN1 , don't attach a new request to an old one, even if on the same topic, because probably you'll never receive an answer. Open a new case describing your issue. Ciao. Giuseppe ... View more

I believe that's covered by the schedule_search capability. ... View more

Hi @bosseres, my hint is to create a scheduled search that aggregates logs asaving results in a summary index. Then you can use this aggregated summary index for your searches. Ciao. Giuseppe ... View more

What if I want to replace all the values in a specific field (number 3) during ingestion with a fixed value for all rows? ... View more

Yes, as I said, remove the duplicates before the outputlookup. It does depend on how you generate the events you want to add to the lookup. ... View more

One way to look top blocking queues index=_internal splunk_server= <your indexer nodes> sourcetype=splunkd TERM(group=queue) (TERM(name=parsingQueue) OR TERM(name=indexqueue) OR TERM(name=tcpin_queue) OR TERM(name=aggqueue)) | eval is_blocked=if(blocked=="true",1,0), host_queue=host." - ".name | stats sparkline sum(is_blocked) as blocked,count by host_queue | eval blocked_ratio=round(blocked/count*100,2) | where blocked_ratio > 0 | sort 50 -blocked_ratio | eval requires_attention=case(blocked_ratio>50.0,"fix highly recommended!",blocked_ratio>40.0,"you better check..",blocked_ratio>20.0,"usually no need to worry but keep an eye on it",1=1,"not unusual") and look if UF's limit has reached index=_internal sourcetype=splunkd component=ThruputProcessor "current data throughput" | rex "Current data throughput \((?<kb>\S+)" | eval rate=case(kb < 500, "256", kb > 499 AND kb < 520, "512", kb > 520 AND kb < 770 ,"768", kb>771 AND kb<1210, "1024", 1=1, ">1024") | stats count as Count sparkline as Trend by host, rate | where Count > 4 | rename host as "Host" rate as "Throughput rate(kb)" count as "Hit Count" | sort -"Throughput rate(kb)",-Count  But as I earlier said, it's much easier to look these from MC. ... View more

up ... View more

There is no way to do it with just a SEDCMD. The y command would match character class anywhere in the event and with s command you can't either restrict matching to a specific field (there is no notion of fields at this point at all) or match (for substitution) a string with holes in it. ... View more

To address @ITWhisperer's efficiency considerations, here is a literal implementation of your requirements.   ``` uses side effect of SPL's liberal equality operator ``` | eval lacking = mvmap(standard, if(standard == list, null(), standard)) | eval redundant = mvmap(list, if(list == standard, null(), list)) | eval passing = mvmap(list, if(list == standard, list, null())) | eval result = json_object("lacking", lacking, "redundant", redundant, "passing", passing)   Note: Your description of a field named result requires an associative array, or hash representation, that doesn't come native in SPL.  So, you can either use three separate fields as implemented in the first three lines or use a JSON representation which SPL added in 8.0, as created in line 4. Using your sample data in this emulation,   | makeresults | fields - _time | eval list = mvappend("5", "1", "2", "3"), standard = mvappend("1", "2", "3", "4"), host = "hostA" ``` data emulation above ```   the result is host lacking list passing redundant result standard hostA 4 5 1 2 3 1 2 3 5 {"lacking":4,"redundant":5,"passing":["1","2","3"]} 1 2 3 4 Again, the use of "result" field is optional in my opinion. ... View more

Hi @bosseres , if you have many fields in the same event, you have to search using the lookup for each field. Ot there could be a workaround: <your_search> [ | inputlookup your_lookup.csv | rename user AS query | fields query ] | ... Ciao. Giuseppe ... View more

@bosseres  Check out the Telegram APIs and write your own modular input to pull the data. Splunkbase just offers Alert Actions for Telegram so far. ... View more

thank you, sir! ... View more

Hi @bosseres, usually _raw isn't a field stored with collect command. But if you have, in the collect fields, information do exactly define the _raw event (or events), you could create (in dashboard) a drilldows feature to display (from the index) only the _raw events interested to a selected raw in stats. this is the approach used in ES where you have Correlation Searches that contain only the data relevant for the alert, then for each of them you can define a drilldown search that takes raw data from the index related to an alert using the information in the Correlation Search. Ciao. Giuseppe ... View more

my raw event in splunk looks like field1="223" field2="333" event="some text text2 text3 something something2" can you add to this regular formula part, which whill parse field event?  I mean event="..."   ... View more

chmod 777 /usr/java/jdk1.8.0_311-amd64 solved problem close topic, please ... View more

thank you, very much ... View more

There are plenty of materials about index-time extractions For example - https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Configureindex-timefieldextraction And about the example I told you, if you do splunk btool props list syslog | grep TRANSFORMS You'll see TRANSFORMS = syslog-host TRANSFORMS-syslog_auditing = linux_audit_enriched Of those two transforms, the one that is of interest to us at this time is the "syslog-host one". So let's see how it's defined $ /opt/splunk/bin/splunk btool transforms list syslog-host [syslog-host] CAN_OPTIMIZE = True CLEAN_KEYS = True DEFAULT_VALUE = DEPTH_LIMIT = 1000 DEST_KEY = MetaData:Host FORMAT = host::$1 KEEP_EMPTY_VALS = False LOOKAHEAD = 4096 MATCH_LIMIT = 100000 MV_ADD = False REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s SOURCE_KEY = _raw WRITE_META = False  As you can see, it uses a REGEX to find a host part in the line ( the \[?(\w[\w\.\-]{2,})\]? sequence) to overwrite the host field (the DEST_KEY and FORMAT settings) ... View more

The messages are saying Splunk can't accept 1GB messages - the maximum is 64MB.  Verify the data coming in is indeed syslog and, if so, have the senders dial back the amount they send at a time.  If the data is not syslog then it should not be coming to a syslog input. FTR, it's a Best Practice to receive syslog events via a dedicated syslog server (syslog-ng, rsyslog, SC4S) rather than directly to a Splunk instance. ... View more

index=main | stats list(src.port), list(dst.port) as list_dst values(dst.port) as values_dst count(src.ip) as COUNT by id | eval list_dst=if(mvcount(values_dst)=1,values_dst,list_dst) ... View more

You could also use rex with sed mode like   .... | rex mode=sed field=<your field> "s/([^\.]+)(\..*)/$1/g"   ... View more

"Cleaning" old events from indexes have done by setting size of index (maxTotalDataSizeMB) and/or max lifetime for events (frozenTimePeriodInSecs). There are some other attributes which can fine tune the time and indexes sizes. See those from https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf#PER_INDEX_OPTIONS Here is old conf presentation about Data Lifecycle https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-data.pdf. It's still valid, but it don't cover Splunk SmartStore usage which have some other parameters to restrict lifecycle. r. Ismo ... View more

hi @bosseres, I should see your system, anyway, if you promote your user to su, does your command run? And anyway, as I said, if you use the above command, it writes the file in $SPLUNK_HOME/etc/system/local and then you cannot manage it by Deployment Server, so I do not recommend to use it: the TA_Forwarder Add-On is the best approach. Ciao. Giuseppe ... View more

Hi @bosseres, please try something like this: | inputlookup 1.csv | lookup 2.csv host | table host user result action the lookup command is something near to a left join. Ciao. Giuseppe ... View more

Depends on what you mean by "I have time in such format". Is this how the time is formatted in the raw event? In this case you should fix your parsing configuration so that the source timezone is taken into account. When you have your timestamp properly parsed, it's displayed in your user's configured timezone. So properly it should work like that (for example): 1. Your source is in UTC+3 and sends the timestamp as 13:07 2. Splunk parses it and stores it as an absolute timestamp which is 10:07 UTC 3. Your user has his time zone configured as UTC+5 and splunk renders the time for him as 15:07 because that's his local zone. ... View more

You need a single report to create the alert from Here is a runanywhere example of what I mean ``` Create 20 events ``` | makeresults count=20 ``` Each with a random letter A-G ``` | eval field=mvindex(split("ABCDEFG",""),random()%7) ``` This represents your data set for your outer search ``` | search ``` Filter the search using your inner search to return the field value you are looking for ``` [| makeresults | fields - _time ``` In this case, the field value found is a random letter A-H ``` | eval field=mvindex(split("ABCDEFGH",""),random()%8) ``` This will return zero rows if H is found by the inner search ``` | where match("ABCDEFG",field) | appendpipe [stats count | where count = 0 ``` If there are zero rows from the inner search, set the field value to * ``` | eval field="*"] | fields field] Run this a few times to see different results due to randomness of the dataset You should see that sometimes you get only events with the same letter - this represents finding the value from the inner search in the outer search Sometimes you will get events with all the letters - this represents finding no rows in the inner search Sometimes you will get zero rows - this represents finding a value in the inner search which is not in the outer search. If you set an alert based on the report returning zero rows, this is the third condition, which I think is the one you are interested in. If this is not what you are after, please explain what the difference is ... View more