Hi Team, Is there any way we can calculate time duration between 2 different events like start and end. For example: we have start event at 10/10/23 23:50:00.031 PM, and End evet at 11/10/23 00:50:00.031 AM  how can we calculate this. please help. Thank you ... View more

Hi Team, I am looking for the help to created search query for my daily run report which is running 3 time in a day. we are putting the files in directory which we are monitoring in splunk. is there any way we can grab events from only latest sourcefile? For example:  Index=abc sourcetype=xyz source=/opt/app/file1_09092023.csv source=/opt/app/file2_09102023.csv source=/opt/app/file3_09112023.csv..... new file can be placed time to time. I wanted report can be show only events from latest file, is it possible? Thank you   ... View more

Hi Team, I am looking for the help to monitor the directory on heavy forwarder which contains CSV file. can you please advise me which configuration files i need to update  and what configuration for example- server1 is the HF. /opt/abc/file.csv is the directory and file name present on HF Please advise. Thank you, ... View more

Hi Team, is there any way we can store CSV file back to source path directory or any other directory ? I am trying create a alert with having "Output results to lookup". is there any way we can store the created .CSV at shared  directory ? Please advise Thank you. ... View more

Hi Team, Is there any way we can setup a single Splunk alert having 4 host servers with different error threshold - for example. I have 4 host server1, server2, server3, server4  if there 10 error count occurs for  server1 it will raise alert stating server1 having 10 error if there 20 error count occurs for  server2 it will raise alert stating server2 having 20 error if there 5 error count occurs for  server3 it will raise alert stating server3 having 5 error if there 10 error count occurs for  server4 it will raise alert stating server4 having 10 error I know this can be possible by  setting up 4 separate alerts for each server. just wanted to know if we can setup single alert involving all condition together in one alert.   Please help with sample search query. Thank you, ... View more

Hi Team, We are looking for the help to understand the issue we are facing. we have multiple index in our splunk cloud env, but when ever there is the load test is happening in our QA env one of the index logs ingestion is going very high. and same time we are noticing the all other indexes log (Prod and all) ingestion facing latency issue. logs ingestion is almost zero for all other index whenever there is a loadtest. we were thinking this may be we have only one cloud HF, so have deploy new HF and move all the QA logs to new HF. but, still its not solved. and showing that during the load test QA logs capturing all the resources and creating the delay for other index. please advice,          ... View more

Hi Team, I am looking for the help to send Report.  I have a scheduled report which is running every hour. can you please advise with search query. if I create new alert and  if alert trigger, scheduled report should be sent to recipients. I am aware about the CSV/ PDF attached. looking for something like to send scheduled report as result for notification if alert triggered . ... View more

Hi Team, I am looking for the help for the Event logs report if threshold match. I tried both way with creating a report and alert. but it either send me logs using |table _time, _raw  method or sending count using |stats count | where count >0 I need to schedule last 24hrs data  report like, only if there is a event  at 00:00 AM. Please guide me  Thank you ... View more

Hi Team, Is it possible to disable ticket integration and Mail notifcation integration temporary for all alerts ? during maintenance window. I found the below path in my splunk account  Settings---> Alert Action--> serviceNow integartion --> Status(Enable/Disable) Will this help to diable temporary integration ? Please advise, Thank you   ... View more

Hi Team, Is there any way to add TimeToken with timewrap on the dashboard. I have a dashboard ready to display this week data to compare with last week data having timewrap with 7d. But, I would like to add token to replace the 7d value as per choice. Search query:    index=ABC sourcetype="xyz" data earliest= -14d@d latest= @s | timechart span=15m partial=false count by data | timewrap 7d series=short |table _time, s0, s1 | rename s0 as this_week, s1 as last_week,   ... View more