TLDR; does, | search(), operate differently in tstats, especially with wildcards, NOT, OR, AND, parentheses, etc.? I'm dev/testing some queries with tstats and want to see if data modeling would make our current alerts more efficient.  To test, I view the spl of an alert we use, and implement the fields of that alert into the root search of the Endpoint data model that comes with CIM.  However, we have a lot of exclusions/filters in this alert. (e.g. ignoring certain Account_Names, New_Process_Names, Creator_Process_Names, etc.) On the separate tstats query, I mimic most of everything else from the original alert, especially when the formatting of the tstats so that it mirrors the stats command from the original alert.  example: | stats count, values(field1) as field1 by field2, field3 >>>>>>>>>>>>>>> | tstats count, values(Processes.field1) as field1  FROM datamodel=Endpoint.Processes by Processes.field2, Processes.field3 Before I decide to accelerate the data model, I want to make sure the output of both the alert and tstats query are the same.  To control this, I set an arbitrary timeframe: earliest=-4h@h, latest=-2h@h and apply that to both queries.  In the tstats command, I do a pipe search ( | search () ) after the major tstats commands, and paste the exclusions/filters from the alert into that clause. It has a bunch of wildcards in it, for reasons I won't get into, and yes some of it is not great practice with leading wildcards, but the original alert works so its fine for now.  When I compare the output of both queries, the statistics is slightly off. Even though the I apply the timeframe, and I notice if tailor the wildcards a bit, it somewhat closes the gap, but not consistently, especially as I increase the timeframe.  This leads me to believe that | search() treats certain characters differently with tstats, and I don't know why. ... View more

Is there a command or app that will decode base64 and detect the correct charset to output to? Currently, I'm currently unable to decode to UTF-16LE. Splunk wants to decode UTF-8.  In my current role, I cannot edit any .conf files. Those are administrated by a server team.  If there is an app, I can request it be installed, else I'm working solely out of the SPL.  ... View more

I'm currently going over our alerts, cleaning them up and optimizing them.  However, I recall there being a "best practice" when it comes to writing SPL. Obviously, there may be caveats to it, but what is the usual best practice when structuring your SPL commands? Is this correct or no? search, index, source, sourcetype | where, filter, regex | rex, replace, eval | stats, chart, timechart | sort, sortby | table, fields, transpose | dedup, head | eventstats, streamstats | map, lookup ... View more

My org has millions of events coming in through firewalls. I had a 24 hour timeframe search take 12.5 hours to run.  I was curious if I broke it up into 6 hour timeframes (changing the earliest/latest statements accordingly), and having them outputlookup to the same lookup file. I would then inputlookup the file and tailor enrich accordingly, however I want to reset after each day. ie. I do not want the file to keep growing. Would I set append=false on query1, and append=true for query2, query3, and query4?  ... View more

Can someone explain to me why when I run my base search, it has exponentially more Events in the same time frame compared to the summary index search (based on the base search). My main concern is if I am having gaps in log events or not. The summary index report runs every two hours looking back two hours.  ... View more

Our network device data sends data to a Syslog server and then up to our splunk instance.  I have a few TAs that I’ve requested our SysAdmin team install on my behalf so the logs can be parsed out.  However, the TAs aren’t parsing out the data, and furthermore, the network device logs come into the source type of “syslog” rather than the sourcetype in the respective TAs.  Where do I need to look or have the SysAdmins look at? (I’m just a power user).  ... View more

Say I create a query that outputs (as a csv) the last 14 days of hosts and the dest_ports the host has communicated on. Then I would inputlookup that csv to compare the last 7 days of the same type of data. What would be simplest spl to detect anomalies? ... View more

Is the Splunk .conf24 iOS app not properly setup to accept credentials at this time?  ... View more