@gcuselloYou don't have to do it separately for each sourcetype. If you use output_format=hec with collect you can either retain the original sourcetype or modify it dynamically. @Ash1giving shared access to those 4 indexes would probably the way to go. If you don't wajt your users to have to type in all four indexes names, just define a macro or eventtype. ... View more

Hi @Ash1 , if you need to exclude many hosts (like 509 from your search the best solution is the one from @burwell : a lookup containing the host list. If instead they are three or four, you can also insert them in each search or create a macro to excude them. Ciao. Giuseppe ... View more

I am not sure how you managed to create that because that XML is completely broken and is not a valid dashboard. Your <choice> values are not valid XML, e.g. you can't have value=multiple quoted strings. <choice value="appdev1host","logdev1host","cordev1host">DEV1</choice> Why don't you just make your choice value something like <choice value="*dev1host">DEV1</choice> and so on. Also, not sure what you are trying to achieve with your SPL - are "Total count" and "Incoming count" fields in your data? Using appendcols is not a good technique as you are repeating almost the identical search, which is not necessary. If you want to share an example of your data I can help suggest a correct search. ... View more

Remember that after each step in your processing pipeline you get only those restults from the immediately preceeding command. So if you do all those | where commands in a row, first one will filter out all those results for which the getperct wasnt more than 50, the second one will filter out (of those remaining after first where) those that do not fit the next condition and so on. So your three wheres in a row are equivalent to | where getperct>50 AND putperct>10 AND deleteperct>80 but you want at least one of those condiitons fulfilled so you want | where (getperct>50) OR (putperct>10> OR (deleteperct>80)     ... View more

If your problem is resolved, then please click the "Accept as Solution" button to help future readers. ... View more

If you just want the application codes, why are you doing the mstats? | inputlookup app.csv | where Type="error1" | table application_codes ... View more

It’s not about security. We have option to create alerts in  splunk. So we have action items as alert trigger, email alert, auto cut etc auto cut means creating service now incidents from Splunk to service now  so for email alert we have schedule_search capability likewise what capability we need to give to create auto to create service now incident from Splunk to service now.     ... View more

Thank you @ITWhisperer  ... View more

Hi @PickleRick , Thank you so much i got the query what i was expecting. But i have some changes here can you help me on that Standby Column i don't have any individual searches  like url and cleared_log i just need standby count as Toatal _Messages  - Errro_count  should be displyed on the table. Rest all will be the same. |tstats count as Total_Messages where index=app-logs TERM(Request) TERM(received) TERM(from) TERM(all) TERM(applications)   ... View more

Does your data in Splunk contain CPU and memory information, if so, what does the data look and what fields do you currently have extracted and visible as fields? You need to provide more information for someone to be able to help. I am guessing that you want to find CPU and memory information from the data relating to that query, but the question could also be read as what CPU and memory are consumed when you are running the query.   ... View more

Yes correct And i saw the send email logs  for other alerts which I can see in internal logs. Looks good But i don't see send email logs for this alert in internal logs  ... View more

Hi If you have used those IP:s on alert's SPL then those are searchable by REST. But if you are looking a way to find  those IP which are a result set for some alert then that could be quite hard. With REST you could found all alerts and search commands what those are using. Then you can try to extract IPs from those search or lookups which those are used. Here is one SPL which I have used to get a list of all alerts and reports by SPL | rest /servicesNS/-/-/saved/searches splunk_server=local | search disabled=0 AND is_scheduled=1 ```| search NOT eai:acl.app IN (splunk_instrumentation splunk_rapid_diag splunk_archiver splunk_monitoring_console splunk_app_db_connect splunk_app_aws Splunk_TA_aws Splunk_ML_Toolkit )``` | rename "alert.track" as alert_track | eval type=case(alert_track=1, "alert", (isnotnull(actions) AND actions!="") AND (isnotnull(alert_threshold) AND alert_threshold!=""), "alert", (isnotnull(alert_comparator) AND alert_comparator!="") AND (isnotnull(alert_type) AND alert_type!="always"), "alert", true(), "report") | fields title type eai:acl.app is_scheduled description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule disabled ```| where type = "alert" ``` | dedup title eai:acl.app | sort eai:acl.app title Just add ' | where type = "alert" ' to the end and you will get only alerts. Then continue with field search to look alert's SPL command etc.. r. Ismo ... View more

Hi have you looked what are log processors which are configured into jboss server? There could be several different processors some write file and some could write directly to tcp socket. r. Ismo ... View more

| rex "(?<success_logins>appl has successfully completed all authentication flows.)" | rex "(?<complete_logins>Login complete)" ... View more

Are you trying to connect to a SQL Server database using a Windows Active Directory credential? You'll probably need to talk to your SQL Server DBA and/or Windows AD admin to help troubleshoot the issue. Here are two Internet resources that you can point them to: Troubleshooting "Login from Untrusted Domain" How to Fix "Login from Untrusted Domain"   ... View more

When you are updating to 9.0.4+ or at least 9.0.5 this adding version string to dashboards/forms should be happening automatic. Some older version 9.0.4 etc. have some issues with some special tags etc. You could get more information from slack https://splunk-usergroups.slack.com/archives/C03M9ENE6AD ... View more

Hi As @ITWhisperer said check what your first tstats return. It could be something else what you are expecting. I suppose that you have already read (at least) these two presentations https://conf.splunk.com/files/2020/slides/PLA1089C.pdf https://conf.splunk.com/files/2022/slides/PLA1466B.pdf Which covers tstats with TERM and PREFIX and what you must consider when you are using those. r. Ismo  ... View more

https://regex101.com/r/2G9G0h/1 appDesc\"\s:\s\"(?<appDesc>[^\"]+) | rex max_match=0 "appDesc\"\s:\s\"(?<appDesc>[^\"]+)" ... View more

Could you check the modification date on the file? If it was recent you could possibly check the audit log for someone using SPL to overwrite it? ... View more

You are already there, just set it as an alert with "Number of Results is greater than 0": index="_internal" AND sourcetype="splunkd_access" AND Http | rex "HTTP\/\S+\"\s+(?<responseHttp>\d\d\d)\s+" | eval result=if(like(responseHttp, "200"), "Success", "error") | stats count(eval(result="Success")) AS Total_Success, count(responseHttp) AS Total | eval Success_Count=(Total_Success/Total)*100.0 | stats avg(Success_Count) AS SuccessRate | where SuccessRate<40 | eval message="SuccessRate is low, please take action." ... View more

Hi @Ash1  Try running this search... | rest splunk_server=local /servicesNS/-/-/data/ui/views | eval dashboard_version=if(version=2, "studio", "classic") | table eai:acl.app label title version dashboard_version | sort eai:acl.app Hope it helps  ... View more