We have an issue wherein every time we attempt to create a search macro, create a lookup definition, create a new lookup, update a lookup file name, clone the mentioned knowledge objects,  Splunk responds with " Your entry was not saved. The following error was reported: server abort. splunk " Can you let us know the cause of the issue in our Splunk instance? We are currently unable to create any new search macros in this environment.   They advised that there is a workaround of updating the .conf files in the backend, however our clients don't have access to the backend, and everytime they want to update something, the request goes directly to us. Does anyone know how to resolve this issue? We need the UI to function properly as it is causing delay in delivery. ... View more

Using the extract function, I can arrive with the below columns:          I need to compare the values, and come up with a new field like r1, r2, r3 which says whether it's same or not.  I'm thinking of using eval function and then if statements to compare the two values but I'm not sure how to do it in such a way that will apply to all columns with titles beginning with "q" and "a". I was thinking of using foreach loop but it seems that the foreach loop has very specific usecases that doesn't apply to mine. The dilemma is that I need to do this dynamically, because it's possible that in other rows, there will be data reaching up to q5... q10... etc. Is there a specific command for what I want to do?  ... View more

Hi everyone,  I would like to ask if it's possible to use data from another row, to be set as the value of a different row with the same key... Such as in the table below.  id username status XC2345   completed XC2345   in progress XC2345 killjoy started ZC9999   in progress ZC9999 jett started   In the example above, I would like to set the values for usernames of each row with the same id to the same as the one with values, for them to become like this:  id username status XC2345 killjoy completed XC2345 killjoy in progress XC2345 killjoy started ZC9999 jett in progress ZC9999 jett started   Would above be possible through eval or another function?  ... View more

I have data that used to be in an if condition, the nameFromChannel is taken from slack, and they use the names as a sort of mechanism to filter the members that are allowed to be a part of the channel.  The group credentials are then taken from all the members usernames and are assessed individually whether they're allowed to be a member of the group.  It goes something like this.     | eval clientName=if(like(nameFromChannel,"%B%"),groupCredentials+ " " +"BASSI",groupCredentials) | eval clientName=if(like(nameFromChannel,"%W%"),groupCredentials+ " " +"HI WALDORFI",groupCredentials) | eval clientName=if(like(nameFromChannel,"%V%"),groupCredentials+ " " +"VDWI",groupCredentials) ...     (So a channel that has xxx_BW_xxx in their name, means that employees with BASSI / HI / WALDORFI attached to their display names are allowed to be members). P.S. we cut the nameFromChannel before hand, so that the only data are the letters. After some time, we decided that we wanted to change this to a lookup, that had a csv that looked like this :     nameFromChannel, groupCredentials %B%, BASSI %W%, BASSI WALDORFI %V%, VDWI     I found a few responses in the below page. https://community.splunk.com/t5/Splunk-Search/splunk-lookup-like-match/m-p/219946 It was a lot of help when setting up the lookup, however, I noticed that the % symbols are not being recognized even after I added the WILDCARD(nameFromChannel) in the advanced options section of my lookup definition, so I changed them to *.   | lookup listOfCompaniesDefinition nameFromChannel OUTPUT groupCredentials | eval clientName=if(groupCredentials="",clientName,clientName+groupCredentials)   After testing above, it seems that it isn't evaluating the text properly, my result isn't being displayed the same way it used to. The channels are no longer being retrieved. Fairly new to splunk, so I would like to hear your feedback. Thank you! ... View more