Has anyone successfully configured access from Microsoft Power Automate to the Splunk REST API? I’ve managed to query the API using a Python script by adding the IP to the allow list, but I’m struggling to find the IP addresses Power Automate uses so I can do the same for it. I’m not an expert in Power Automate, and unfortunately I’m not getting any error messages - the flow just hangs, which makes me suspect it’s a connectivity issue due to IP restrictions. If anyone has done this before, I’d really appreciate the guidance! ... View more

Hi Everyone, I`m running a query via the Splunk REST API (using  Python), and need to filter events based on the following requirements: - Always include events where TITLE is one of: A, B, C, D, E - Only include events where TITLE=F and FROM=1 OR TITLE=G and FROM=2 This works fine in Splunk Web, but when sent via the REST API the conditional clause for TITLEs F and G don`t get applied correctly Works via Splunk WEB and REST (without filtering based on FROM) index=my_index System="MySystem*" Title=A OR Title=B OR Title=C OR Title=D OR Title=E OR Title=F OR Title=G   Works on WEB, not via REST (filtering based on FROM) index=my_index System="MySystem*" Title=A OR Title=B OR Title=C OR Title=D OR Title=E OR (Title=F and FROM=1) OR (Title=G AND FROM=2)   I`ve tried to apply the filtering downstream, but the issue persists. I’m unable to query a saved search because some fields are extracted at search time and aren’t available when accessed via the REST API. As a result, I need to extract those fields directly within the query itself when using the REST API. (Note: the TITLE field is being extracted correctly.)   Many thanks.   ... View more

I'm working with a CSV lookup  that contains multiple fields which may include wildcard (*) values. The lookup is structured such that some rows are very specific and others are generic (e.g. *, *, *, HOST, *). I want to enrich events from my base search with the best matching Offset (name of the field) from the lookup. Challenges: Using lookup definition with match_type=WILDCARD(...) only works well if there’s a unique match — but in my case, I need to evaluate multiple potential matches and choose the most specific one. Using | map works correctly, but it's too slow.     ... View more

I’m working on a Splunk search that needs to perform a lookup against a CSV file. The challenge is that some of the fields in the lookup table contain empty values, meaning an exact match doesn’t work. Here’s a simplified version of my search:   index="main" eventType="departure" | table _time commonField fieldA fieldB fieldC fieldD fieldE | lookup reference_data.csv commonField fieldA fieldB fieldC fieldD fieldE OUTPUTNEW offset   The lookup file reference_data.csv contains the fields: commonField , fieldA, fieldB, fieldC, fieldD, fieldE, lookupValue. Sometimes, fieldB, fieldC, or other fields in the lookup table are empty. fieldA always has a value, sometimes the same, but the value of the offset field changes based on the values of the other fields. If a lookup row has an empty value for fieldB, I still want it to match based on the available fields. What I've Tried: Using lookup normally, but it requires all fields to match exactly, which fails when lookup fields are empty. Creating multiple lookup commands for different field combinations, but this isn’t scalable. Desired Outcome: If commonField  matches, but fieldB is empty in the lookup file, I still want the lookup to return lookupValue. The lookup should prioritize rows with the most matching fields but still work even if some fields are missing.   Is there a way to perform a lookup in Splunk that allows matches even when some lookup fields are empty? ... View more