I am working on configuring the TAXXI Feeds. My Post argument is as below: collection="curated-ragw" earliest="-7d" key=$user:redacted,realm:redacted$ However, it is not working. The below error shows up: TaxiiHandlerException: Exception when polling TAXII feed: Message Type: Status_Message Message ID: 8492898524872483651; In Response To: 0 Status Type: BAD_MESSAGE Message: The access to CTIX has been blocked because incorrect credentials were provided. Please contact Support team. I have checked the username and password added in the credential management is correct.  Can someone help me with how to configure this? I can only access UI to configure these feeds. ... View more

I have two query that is exact same except the use of the lookup for each search. The one query includes data from a lookup and the other one excludes data from the same lookup. Is there a way I can combine two queries into one. The first one is   index=abc dest="xyz.com" uri_path="access.html" http_method=POST NOT [| inputlookup filter_ips | fields src] | stats count by _time src   The second one is   index=abc dest="xyz.com" uri_path="access.html" http_method=POST [| inputlookup filter_ips | fields src] | stats count by _time src   The only difference is the Not in the first one. Can someone help me combine it? I tried using braces around the searches and combining it but didnt work. Example   (index=abc dest="xyz.com" uri_path="access.html" http_method=POST NOT [| inputlookup filter_ips | fields src] | eval test= a1) OR (index=abc dest="xyz.com" uri_path="access.html" http_method=POST [| inputlookup filter_ips | fields src] | eval test=a2) | stats count by _time src test   But it gives error as eval expression malfunction. ... View more

<drilldown> <set token="tok_port57">$click.name$</set> </drilldown> <row depends="$tok_port57$"> <panel> <title>Port 57 Details</title> <table> <search> <query>index=email | transaction keepevicted=true ic | eval port = if(match(sender_group,"Secure_*"),"Port_57","Port_5") |search port= "$tok_port57$" | stats count by src src_host</query> <earliest>$time_token.earliest$</earliest> <latest>$time_token.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="refresh.display">progressbar</option> </table> </panel> </row> This is the drilldown setting for the single value. However instead of getting the field name as the token value, the keyword "result" is getting passed as token. Can someone tell me what I am doing wrong? ... View more

Hi Splunkers, Happy Holidays!!!. I am trying to create a dashboard on Log Volume Monitoring. I am using ML Toolkit and need help with my search. | tstats count WHERE index=index_name BY index _time span=1h | eval date=strftime(_time,"%m/%d/%Y") | lookup Paid_Holidays.csv holiday_date as date OUTPUT is_holiday | eval day_of_week = strftime(_time,"%A") | where NOT (day_of_week="Saturday" OR day_of_week="Sunday") | where NOT is_holiday=1 | `forecastviz(245, 240, "count", 93)` | eval isOutlier = if(prediction!="" AND 'count' != "" AND ('count' < 'lower95(prediction)' OR 'count' > 'upper95(prediction)'), 1, 0) | where isOutlier=1 | eval today = relative_time(now(),"-1h@h") | where isOutlier=1 AND _time >= today | where count < 'lower95(prediction)' | fields - isOutlier   The highlighted and underlined part is where I am having issue. I need to alert only when the count is less than the predicted in the next hour as well. The current scenario alerts frequently and I need to constrict it so it alerts only when the count is less continuously for the next hour as well. Can someone help me with my query? ... View more

I have a lookup table which consists of src_ip. This source Ip has mix of Ips in the format: Src_ip 163.74.7.212 163.74.13.57 67.75.175.32/27  68.143.151.125/26    I need to match this lookup table to my search which consists of the field src_ip in my data. But how do i do that since it is a mix of cidr and normal ips? My actual data for src_ip doesnt consits of cidr ips. Can someone let me know ? ... View more

I have a huge proxy logs for which need to create a monthly report since Jan 2019. Is there a way I can create the search that runs quick and I am able to create the table. My current search  index=xyz | timechart span=1mon count by action  runs very slow for this huge data. I have also tried the datamodel route and yet the table is not getting created. Is there a way to create for each month and consolidate together in a optimized way? ... View more

Hi, I am implementing dropdown through dynamic options and the search for the dropdown has two fields; index and index_label. I was hoping to use index to pass in the search and index_label as the label for title. However, somehow when I have field for label as index_label. It doesnt work. I also tried adding <condition> <set token="panellabel">$label$</set> </condition> it doesnt work. Can someone let me know if I am doing something wrong? <row> <panel> <title>Historical Overview By Day</title> <input type="dropdown" token="weekday" searchWhenChanged="true"> <label>Select a Weekday:</label> <choice value="Monday">Monday</choice> <choice value="Tuesday">Tuesday</choice> <choice value="Wednesday">Wednesday</choice> <choice value="Thursday">Thursday</choice> <choice value="Friday">Friday</choice> <fieldForLabel>Weekday</fieldForLabel> <fieldForValue>Weekday</fieldForValue> <default>Monday</default> </input> <input type="dropdown" token="index" searchWhenChanged="true"> <label>Select a Index-</label> <fieldForLabel>index_label</fieldForLabel> <fieldForValue>index</fieldForValue> <search> <query>| tstats count WHERE index=* BY index | eval index_label = upper(split(index,"_")) | rex mode=sed field=index_label "s/_/ /g"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <change> <condition> <set token="panellabel">$label$</set> </condition> </change> </input> <chart> <title>Log Volume for $weekday$ - $panellabel$</title> <search> <query>| tstats count WHERE index=$index$ BY index _time span=1d  | trendline sma2(count) AS trend</query> <earliest>-90d@d</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> ... View more

I have sourcetype X in Splunk prod and dev. When trying to copy data from prod and ingesting it manually in dev, and selecting sourcetype X, the data is disappearing and there is this error in the set sourcetype option: "No results found. Please change source type, adjust source type settings, or check your source file." Can someone help me figure out why it is happening? ... View more

I am trying to use tstats to develop a query, however i need _time to be included in the query for the logic to work. but _time doesnt show seconds and it is limiting to minutes only. the Web datamodel that i am using is accelerated. 2020-03-31 08:45:00, this is the timeformat for _time when using tstats. ... View more