You didn't say what have you tried so far. Maybe you have some small easily fixable mistake in your configs or maybe your approach is completely wrong. Show us what you've got. ... View more

1. Please post your SPL in code block or preformatted paragraph next time - it improves readability 2. We don't know your data - maybe it's that you have duplicates in your events. Or maybe it's some search flaw. Can't tell just by looking at the search itself. 3. What do you mean by "duplicate values"? Multivalued fields with repeated value? Multiple results sharing the same value in one (all?) of the fields? 4. Typically you diagnose such things by either removing steps from the end and checking whether the intermediate results make sense or starting from the beginning and adding steps one by one and checking if the results make sense. 5. Join is usually (but not always) _not_ the way to go. In your case the joined subsearch contains a wildcard at the beginning of the search term which means that if you have a significant amount of data to search the subsearch might be siliently finalized and return incomplete/wrong results. ... View more

please post the solution ... View more

Typical GDI troubleshooting steps include: Verify the input configuration, including the URL and credentials. Verify the Splunk server running the add-on can connect to the MS server.  Use curl or a similar tool. Check splunkd.log for related messages. Check the MS logs for related messages. If you're using Splunk search to see if data is coming in then double-check the SPL.  Verify the index name.  Try specifying latest=+1y to account for timestamp errors. ... View more

Firstly check whether this pre-built app for Commvault meets your specific needs, and if so, then follow the installation and configuration steps mentioned in the doc: https://splunkbase.splunk.com/app/5718  ... View more

Hi bowesmana Thanks for the efforts we have data sets index=acn_lendlease_certificate_tier3_idx tower=Self_Signed_Certificate | stats latest(tower) as Tower, latest(source_host) as source_host , latest(metric_value) as "Days To Expire", latest(alert_value) as alert_value, latest(add_info) as "Additional Info" by instance | eval alert_value=case(alert_value==100,"Active",alert_value==300,"About to Expire", alert_value==500,"Expired") | where alert_value="About to Expire" | search Tower="*" AND alert_value="*" | sort "Days To Expire" | rename instance as "Serial Number / Server ID", Tower as "Certificate Type" , source_host as Certificate , alert_value as "Certificate Status" here i am trying to add one more coulmn called incident  To extract the incident details with respect to certificate values If inc is available , then it should display numbers, orelse null To extract the INC, using the below query   index=acn_ac_snow_ticket_idx code_message=create uid="*Saml : Days to expire*" OR uid="*Self_Signed : Days to expire*" OR uid="*CA : Days to expire*" OR uid="*Entrust : Days to expire*" | rex field=_raw "\"(?<INC>INC\d+)," | rex field=uid "(?i)^(?P<source_host>.+?)__" | table INC uid log_description source_host | dedup INC uid log_description source_host | rename INC as "Ticket_Number"   ... View more

Hi @pavithra , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Interesting that you didn't do exactly as I suggested, but this should also work. What exactly is not working? ... View more

Hi @pavithra, I’m a Community Moderator in the Splunk Community. This question was posted 5 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!  ... View more

@pavithra  Kindly refer the below links:  How to display the count in piechart as labels - Splunk Community  Chart configuration reference - Splunk Documentation Chart configuration reference - Splunk Documentation ... View more

Hi   I want to change font size label (to bold) in pie chart please help me with code       ... View more