Hello splunkers! Is there is a way we can calculate moving/rolling averages such that the current data point, ```x(t)```, is somewhere in the middle of the window, rather than at the boundaries?  Ex: If ```window=5```, i want the MA to be calculated like:      MA = avg(x(t-2), x(t-1), x(t), x(t+1), x(t+2))     I am okay with using MLTK or any other method of implementing this.  --------------------------- For reference, in the following query, I show two similar methods of calculating MA - based on previous values of x(t) here       MA = avg(x(t-4), x(t-3), x(t-2), x(t-1), x(t)) | makeresults count=100 | streamstats count as s | eval n=(random() % 100000) + 1 | table s n | streamstats window=5 avg(n) as trend | autoregress n p=1-5 | fillnull value=0 | eval ma = avg(n, n_p1, n_p2, n_p3, n_p4) | fields s n ma trend     --------- PS: I am aware that in both methods, the absence of earlier/later values at the boundaries will cause the MA model to be inaccurate - I am okay to work around that.  Thanks in advance!   ... View more

I am using the Python SDK to add the allow_skew setting to savedsearches.  See the generalised code snippet below:    import splunklib.client as client splunk_svc = client.connect(host="localhost", port=8089, username="admin", password="******") savedsearch = splunk_svc.saved_searches["alert-splnk-test_email_v1"] new_skew = "5m" kwargs = {"allow_skew": new_skew} savedsearch.update(**kwargs).refresh()   This code works and adds 'allow_skew = 5m' to the specific savedsearch stanzas in {app/local OR system/local} / savedsearches.conf / [alert-splnk-test_email_v1] The code can also be extended to more/all savedsearches on the platform. It also replicates the changes in a SH Cluster, as expected. I want to have a reliable way to remove/erase the allow_skew setting from specific savedsearches, preferably using the Python SDK. The setting needs to be removed from the stanza, so that the allow_skew setting from system / local / savedsearches.conf / [default] is picked up. The only other ways I could think about are:  Using the class splunklib.client.Stanza(service, path, **kwargs) somehow.. Any directions on how to use it?  Recreate the savedsearch and not add allow_skew, but that would mean a lot of work for a bunch of savedearches.  Any help is appreciated.  ... View more

Hello splunkers,    How can I use tab-completion & command history in the python that is packaged with Splunk?  The python version [./bin/splunk cmd python] with Splunk Enterprise v9 is 3.7.11 However, there is no tab-completion or command history..  tab is interpreted as 4 whitespace, while up/down arrow key is interpreted as ^[[A or ^[[B.  even simple cursor positioning using right/left arrow keys are interpreted as [[D^ OR [[C^..      (dev2) splunk@host1:~ $ ./bin/python3 Python 3.7.11 (default, Jul 27 2022, 02:48:51) [GCC 9.1.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> ^[[A File "<stdin>", line 1 ^ SyntaxError: invalid syntax >>> ^[[B File "<stdin>", line 1 ^ SyntaxError: invalid syntax >>>     This is a simple requirement to have quick & dirty troubleshooting for python commands. Its a major pain to not have access to history or not being able to use L/R arrow keys to move cursor. Please help.  Thanks in advance! ... View more

Hi all,  I want to know how splunk extracts fields from TA_windows inputs when mode=multikv  The _raw event does not seem to have any sort of field indicator (as compared to events from TA_nix which has headers)  As an example:  Splunk_TA_windows/local/inputs.conf     [perfmon://Network-Bytes] disabled = false counters = Bytes Total/sec; Bytes Received/sec; Bytes Sent/sec; interval = 60 mode = multikv index = perfmon useEnglishOnly = true object = Network Interface sourcetype = PerfmonMk:Network     gives _raw events as seen indexed in Splunk:      vmxnet3_Ethernet_Adapter 19069.926362422757 11044.290764991998 8025.635597430761 vmxnet3_Ethernet_Adapter 26173.569591676503 15701.614528029395 10471.95506364711 vmxnet3_Ethernet_Adapter 28654.246470518276 17482.977608482255 11171.268862036022     From this output, splunk magically extracts fields like:      Bytes_Received/sec Bytes_Sent/sec Bytes_Total/sec instance category collection     I checked the TA_windows configs and ran btool, but could not trace configs other than some standard PerfmonMk:<object> stanzas in Splunk_TA_windows/default/props.conf which contain only FIELDALIAS settings What am I missing? How does splunk know which field is which?  How does it even get values for category & collection when those values are not even present in the _raw?    Further comparison, TA_nix add-on does this in a much more legible manner (which can be easily understood and played around with) like:  Name rxPackets_PS txPackets_PS rxKB_PS txKB_PS eth0 1024.00 1972.50 1415.04 674.94 ​     Additional:  I want to convert the PerfmonMk events to metrics, has anyone attempted that?      ... View more