If you create a lookup definition, you can enable wildcard lookups. I'd also make the proxy logs the primary search and use the lookup as search query parameters, have a second field in your CSV for inScope and mark them all as yes and then do the lookup with the definition wildcard.    url,inScope url1.com,Yes *.url2.com,Yes site.url3.com,Yes   The lookup definition (url_list) will have WILDCARD(url) in the Match Type.  The search would look like :   index=my-proxy [| inputlookup url_list | rename url as query | fields query] | lookup url_list url | where match(inScope, "Yes")   This takes all the values you have in your url CSV and uses them as filters on your proxy logs.  Then you lookup the urls in the logs to make sure they're exact matches to your list and not just other urls that might contain your urls somewhere else in the log.  ... View more

Is the goal to have Col5 appear in the row where its value is an exact match to Col3 ? Or is your last two rows in the output actually correct ?  ... View more

Build it with Dashboard Studio.  You can add Markdown panels that take whatever text you provide, and then enable the Interaction for Link to  Dashboard  ... View more

Your admins likely have the app your dashboard is in locked down. If you don't have write access to the app, then you won't be able to edit permissions to share within the context of the app.  Private objects while tied to the app aren't actually in the app, they're in your private directory on the backend. ... View more

You're pretty much there with the first method using the eval.  Its a calculated field you need, not a field extraction or field transformation.  Settings > Fields > Calculated Fields > Create New.  Then set your scope for index/sourcetype Name: MacAddr Eval Expression : replace(CL_MacAddr,“-”,“:”) ... View more

Try something like this:  <your search> ... | eval exam_result=mvzip(ExamID, Status, "~") | fields - ExamID Status | mvexpand exam_result | eval ExamID=mvindex(split(exam_result, "~"), 0), Status=mvindex(split(exam_result, "~"), 1) | eval extra_status = if(ExamID>=120 AND ExamID<=125 AND match(Status, "Pass"), "GOOD", null()) ... View more

IF you don't need to compare to a lookup with specific indexes, and all you want to return is a list of indexes with no logs in the last 7 days, try run this search over a 30 day window: | tstats latest(_time) as latestTime where index=* by index | where latestTime < relative_time(now(), "-7d@d") | convert timeformat="%Y/%m/%d" ctime(latestTime)   It will only show indexes that have logged in the past 30 days but have stopped more than 7 days ago. ... View more

My mistake, it should be max(_time). I've fixed it in the other reply. ... View more

What are the field names in your lookup. I assumed that your list of indexes was in a field called index.  ... View more

Start with your lookup as the base, then join on the the search data. Also, use tstats for something like this.      | inputlookup index_list | join type=left index [|tstats max(_time) as latestTime where index=* by index | eval latestTime=strftime(latestTime,"%x %X")] | where isnull(latestTime)     ... View more

Splunk should automatically be capturing that time into the _time field.  If you still need to extract it into a field though, try :  | rex field=_raw "^(?<time_field>[^\s]+)\s"   ... View more

Extract the search key (The hex string you have redacted) using either split or rex to a field called keyID substituting search_name for whatever the field is called in your data.    | eval keyID=mvindex(split(search_name, " - "), 1)   OR    | rex field=search_name "Indicator - (?<keyID>[^\s]+) - "     Then you can use the ITSI API endpoints to tie them to the base searches:    | join type=left keyID [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/kpi_base_search report_as=text | eval value=spath(value,"{}") | mvexpand value | eval title = spath(value, "title"), keyID = spath(value, "_key"), frequency = spath(value, "alert_period") | fields title, keyID, frequency ]   ... View more

In your script, copy the file to SH1.yourdomain.com:/opt/splunk/var/run/splunk/lookup_tmp/ (C:\Program Files\Splunk\var\run\splunk\lookup_tmp\ on Windwos) on one of the SHs.  This puts it into the Splunk lookup staging directory.  Make sure to pick one of the search heads and not a domain alias for your environment. Knowing the exact SH that you copy the file to is important for the next step.  Then you can use the REST API to promote it to the production version of the lookup using the below endpoint:   curl -k -u admin:pass https://SH1.yourdomain.com:8089/servicesNS/<user>/<app>/data/lookup-table-files/lookup_file_name.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/new_lookup_file_name.csv   If the lookup is to be shared in the app, you can set the user to nobody. This API call checks the staging area for a CSV called new_lookup_file_name.csv and overwrites the lookup_file_name.csv in production.  Since its elevated via the Splunk API, Splunk takes care of the replication to other SHs in the cluster. Documentation on this can be found here: Knowledge endpoint descriptions - Splunk Documentation  ... View more

Try using ip_dst == "some_ip" or match(ip_dest, "some_ip"). ... View more

Is the goal of the search to find out the username and IP of each session ?  If so, you should be able to do it all in one go.  Something like :    index=bigip "Storefront_v243" | rex ".*Common:(?<sid>.*?): New session from client IP (?<ip>.*?) \(ST.*\) at VIP 123.45.78.172" | rex "Common:(?<sid>.*?): Username '(?<un>.*?)'" | stats count latest(un) as user latest(ip) as ip by sid   You can dedup by user and ip after that if needed .   ... View more

You can use match(status, "(?i)fail") and it'll match failed, fail, failure, failing. ... View more

Try something like this:  index=pcf sourcetype="gateway-api" ("Gateway API|Request" OR "Gateway API|Response") | rex field=msg "INF ?(?P<correlationId>[a-zA-Z0-9-_, ]*)]" | rex field=msg "Gateway API\|(?<action_type>(Request|Response))" | stats values(action_type) as action_type by correlationId | search action_type!="Response" ... View more

Everything should be in the savedsearches.conf file.  Try this search via the UI and it'll list all the enabled searches with a notable action. And all the notable action parameters.      | rest splunk_server=local /servicesNS/-/-/saved/searches | search action.notable=1 disabled=0 | table author eai:acl.app eai:acl.owner eai:acl.sharing disabled cron_schedule dispatch.earliest_time dispatch.latest_time title search action.notable* | rename eai:acl.* as *, action.not* as not*     ... View more

If its just a list of users they need access to, you can schedule a report to run as someone that has access to the user info (like an admin).  Then grant the users access to that report's results.  The report would be something like:  | rest splunk_server=local /services/authentication/users | table title realname   ... View more

As ITWhisperer mentioned, the use of $ is used in dashboards for tokens.  It looks like you're trying to exclude system accounts in your search so removing the $ isn't really an option.  You can also escape the $ with a double $$. See Token usage in dashboards - Escaping the $ token delimiter character ... View more

Yeah, if you create a saved search and schedule it, you can reference the previous jobs results using the loadjob function in the below format.  | loadjob savedsearch="user_name:app_name:Saved Search Name" ... View more

Made tweaks to the search above to fix the lookup error.  For CIDR lookup, you'll need to create a lookup definition and configure advanced settings for match type CIDR(ips) ... View more