hi , my index stopped running 3 months ago. on checking i came to know that the data was not ingested because of API token issue which got expired. . i fixed it now. i want the data to be loaded again. how do i run the Index ... View more

Hi, I dont understand the issue . the drop down filter is showing duplicate issues. can anyone pls help me how to resolve?   ... View more

Hi, i recently changes a SQL query in Splunk db connect to one of the dashboard. the query ran but i don't see the dashboard getting reflected to new data. as i was checking i see the index did not refresh after the new query is implemented. The last event of the index remians the day i changed the query. the new query had two new columns but i dont see it getting reflected. can anyone please help me with this. Its bit urgent !!!!!!!!! ... View more

hi, i created a job runner. its not fetching any results but when ran separately in search gives me data. screenshot for reference.  any help here please     ... View more

Hi,  can anyone tell me how to replace new client secret value which i received. i am new to splunk and badly need the help here! ... View more

hi, below query is used for the drill down used for my line graph. | savedsearch XYZ | eval Deactivated = strftime(strptime(TO_DATE, "%Y-%m-%d %H:%M:%S.%N"), "%B-%y") | eval Created = strftime(strptime(FROM_DATE, "%Y-%m-%d %H:%M:%S.%N"), "%B-%y") | where $apps$ and $bscode$ and $function$ and $dept$ and $country$ and $emp_type$ | search $usertype|s$ = $monthname|s$ | table Function, BS_ID, APP_NAME, MUID, FIRST_NAME, LAST_NAME, FROM_DATE, TO_DATE, LASTLOGON, COUNTRY, CITY, DEPARTMENT_LONG_NAME, "Business Owner", SDM, "System Owner", "Validation Owner" the above query looks like this in the search panel: | savedsearch hourradata2 | eval Deactivated = strftime(strptime(TO_DATE, "%Y-%m-%d %H:%M:%S.%N"), "%B-%y") | eval Created = strftime(strptime(FROM_DATE, "%Y-%m-%d %H:%M:%S.%N"), "%B-%y") | where like (APP_NAME ,"Managed iMAP Application") and like (BS_ID,"%") and like (Function,"%") and like (DEPARTMENT_LONG_NAME,"%") and like (COUNTRY,"%") and like(EMPLOYEE_TYPE,"%") | search "Active" = "June-23" | table Function, BS_ID, APP_NAME, MUID, FIRST_NAME, LAST_NAME, FROM_DATE, TO_DATE, LASTLOGON, COUNTRY, CITY, DEPARTMENT_LONG_NAME, "Business Owner", SDM, "System Owner", "Validation Owner" if the highlighted one's removed then the query gives result.  ... View more

hi, have a qn  in the below query | makeresults count=730 | streamstats count | eval _time=_time-(count*86400) | timechart Count as Timestamp span=1mon | join type=left _time [| savedsearch XYZ | eval today = strftime(relative_time(now(), "@d"), "%Y-%m-%d %H:%M:%S.%N") | where like (APP_NAME ,"Managed iMAP Application") and like (BS_ID,"%") and like (Function,"%") and like (DEPARTMENT_LONG_NAME,"%") and like (COUNTRY,"%") and like(EMPLOYEE_TYPE,"%") and STATUS="active" | eval _time = strptime(FROM_DATE, "%Y-%m-%d %H:%M:%S.%N") | eval _time!= "2023-07" | timechart Count as Created span=1mon | streamstats sum(Created) as Createdcumulative] | join type=left _time [| savedsearch XYZ | where like (APP_NAME ,"Managed iMAP Application") and like (BS_ID,"%") and like (Function,"%") and like (DEPARTMENT_LONG_NAME,"%") and like (COUNTRY,"%") and like(EMPLOYEE_TYPE,"%") and STATUS="inactive" | eval _time = strptime(TO_DATE, "%Y-%m-%d %H:%M:%S.%N") | timechart Count as Deactivated span=1mon | streamstats sum(Deactivated) as Deactivatedcumulative] | eval Active = Createdcumulative | eval Deactivated = Deactivatedcumulative | where _time>=relative_time(now(),"-1y@d") | fields - Createdcumulative, Deactivatedcumulative, Timestamp the below query fetches me the results below:  i need to restrict the data till the previous month and not show current month. can anyone help me with modifying the query pls ... View more

| makeresults count=730 | streamstats count | eval _time=_time-(count*86400) | timechart Count as Timestamp span=1mon | join type=left _time [| savedsearch XYZ | eval today = strftime(relative_time(now(), "@d"), "%Y-%m-%d %H:%M:%S.%N") | where like (APP_NAME ,"%") and like (BS_ID,"%") and like (Function,"%") and like (DEPARTMENT_LONG_NAME,"%") and like (COUNTRY,"%") and like(EMPLOYEE_TYPE,"%") | eval _time = strptime(FROM_DATE, "%Y-%m-%d %H:%M:%S.%N") | timechart Count as Created span=1mon | streamstats sum(Created) as Createdcumulative] | join type=left _time [| savedsearch XYZ | where like (APP_NAME ,"%") and like (BS_ID,"%") and like (Function,"%") and like (DEPARTMENT_LONG_NAME,"%") and like (COUNTRY,"%") and like(EMPLOYEE_TYPE,"%") | eval _time = strptime(TO_DATE, "%Y-%m-%d %H:%M:%S.%N") | timechart Count as Deactivated span=1mon | streamstats sum(Deactivated) as Deactivatedcumulative] can anyone explain me the code please. am new and need this brief please. ... View more

Hi , needed a help. i need to add a column that is added newly to the sql data.below is the query | savedsearch ABC | join type=left BS_ID [| search index="PQR" source=XYZ | rename BS_CODE as BS_ID SERVICE_OWNER as "System Owner" BUSINESS_OWNER as "Business Owner" SERVICE_SUBCATEGORY as Function SDM_FULLNAME as SDM | sort LOGICAL_NAME | eval Application = DESCRIPTION | rex mode=sed field=Application "s/^Managed//g" | rex mode=sed field=Application "s/Application$//g" | rex mode=sed field=Application "s/application$//g" | eval Application = trim(Application) | streamstats count as NO by BS_ID | eventstats max(NO) as MaxTotal by BS_ID | where NO=MaxTotal |eval Function=case(Function="Service Excellence COE" and Application="Medical Insights Reporting","Service Excellence CoE",1=1,Function) | table BS_ID Application Function SDM "System Owner" "Business Owner"] | lookup countries.csv name as COUNTRY outputnew latitude, longitude, name | eval COUNTRY = if(isnull(COUNTRY),"NA",COUNTRY) | eval DEPARTMENT_LONG_NAME = if(isnull(DEPARTMENT_LONG_NAME),"NA",DEPARTMENT_LONG_NAME) | eval DEPARTMENT_SHORT_NAME = if(isnull(DEPARTMENT_SHORT_NAME),"NA",DEPARTMENT_SHORT_NAME) my ABC savedsearch has a column newly added as Category. i need to get into this saved search   ... View more