IF you don't need to compare to a lookup with specific indexes, and all you want to return is a list of indexes with no logs in the last 7 days, try run this search over a 30 day window: | tstats latest(_time) as latestTime where index=* by index | where latestTime < relative_time(now(), "-7d@d") | convert timeformat="%Y/%m/%d" ctime(latestTime)   It will only show indexes that have logged in the past 30 days but have stopped more than 7 days ago. ... View more

My mistake, it should be max(_time). I've fixed it in the other reply. ... View more

What are the field names in your lookup. I assumed that your list of indexes was in a field called index.  ... View more

Start with your lookup as the base, then join on the the search data. Also, use tstats for something like this.      | inputlookup index_list | join type=left index [|tstats max(_time) as latestTime where index=* by index | eval latestTime=strftime(latestTime,"%x %X")] | where isnull(latestTime)     ... View more

Splunk should automatically be capturing that time into the _time field.  If you still need to extract it into a field though, try :  | rex field=_raw "^(?<time_field>[^\s]+)\s"   ... View more

Extract the search key (The hex string you have redacted) using either split or rex to a field called keyID substituting search_name for whatever the field is called in your data.    | eval keyID=mvindex(split(search_name, " - "), 1)   OR    | rex field=search_name "Indicator - (?<keyID>[^\s]+) - "     Then you can use the ITSI API endpoints to tie them to the base searches:    | join type=left keyID [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/kpi_base_search report_as=text | eval value=spath(value,"{}") | mvexpand value | eval title = spath(value, "title"), keyID = spath(value, "_key"), frequency = spath(value, "alert_period") | fields title, keyID, frequency ]   ... View more

In your script, copy the file to SH1.yourdomain.com:/opt/splunk/var/run/splunk/lookup_tmp/ (C:\Program Files\Splunk\var\run\splunk\lookup_tmp\ on Windwos) on one of the SHs.  This puts it into the Splunk lookup staging directory.  Make sure to pick one of the search heads and not a domain alias for your environment. Knowing the exact SH that you copy the file to is important for the next step.  Then you can use the REST API to promote it to the production version of the lookup using the below endpoint:   curl -k -u admin:pass https://SH1.yourdomain.com:8089/servicesNS/<user>/<app>/data/lookup-table-files/lookup_file_name.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/new_lookup_file_name.csv   If the lookup is to be shared in the app, you can set the user to nobody. This API call checks the staging area for a CSV called new_lookup_file_name.csv and overwrites the lookup_file_name.csv in production.  Since its elevated via the Splunk API, Splunk takes care of the replication to other SHs in the cluster. Documentation on this can be found here: Knowledge endpoint descriptions - Splunk Documentation  ... View more

Try using ip_dst == "some_ip" or match(ip_dest, "some_ip"). ... View more

Is the goal of the search to find out the username and IP of each session ?  If so, you should be able to do it all in one go.  Something like :    index=bigip "Storefront_v243" | rex ".*Common:(?<sid>.*?): New session from client IP (?<ip>.*?) \(ST.*\) at VIP 123.45.78.172" | rex "Common:(?<sid>.*?): Username '(?<un>.*?)'" | stats count latest(un) as user latest(ip) as ip by sid   You can dedup by user and ip after that if needed .   ... View more

You can use match(status, "(?i)fail") and it'll match failed, fail, failure, failing. ... View more

Try something like this:  index=pcf sourcetype="gateway-api" ("Gateway API|Request" OR "Gateway API|Response") | rex field=msg "INF ?(?P<correlationId>[a-zA-Z0-9-_, ]*)]" | rex field=msg "Gateway API\|(?<action_type>(Request|Response))" | stats values(action_type) as action_type by correlationId | search action_type!="Response" ... View more

Everything should be in the savedsearches.conf file.  Try this search via the UI and it'll list all the enabled searches with a notable action. And all the notable action parameters.      | rest splunk_server=local /servicesNS/-/-/saved/searches | search action.notable=1 disabled=0 | table author eai:acl.app eai:acl.owner eai:acl.sharing disabled cron_schedule dispatch.earliest_time dispatch.latest_time title search action.notable* | rename eai:acl.* as *, action.not* as not*     ... View more

If its just a list of users they need access to, you can schedule a report to run as someone that has access to the user info (like an admin).  Then grant the users access to that report's results.  The report would be something like:  | rest splunk_server=local /services/authentication/users | table title realname   ... View more