Suppose I have a query like: index=my_index stringA OR stringB OR stringC | table logentry, whatmatched And for the "whatmatched" field, I would like to have the particular string against my raw data has matched, yielding an output like: logentry | whatmatched this is message with stringB | stringB stringC comes here | stringC Is it possible to extract this somehow? ... View more

I have a KV store defined on my search head, which is not replicated. I'm populating it with data with a scheduled search (outputlookup), which is producing approx 750.000 rows. When I'm reading data from the KV store via inputlookup, I'm getting only like 1500 rows. The populating search takes really long time to finish, because of the |outputlookup my_kvstore command at the end of the search. If I remove this and replace it with an outputcsv, it is much faster. What are the limitations of KV stores, and how can I troubleshoot this? I was looking at the mongod.log, but haven't seen any errors. ... View more

I want to use the _time field as one of my discriminator fields in a tstats command. I wasn't able to figure out, how to do this, without the time values being rounded/group in some time stamp. For other fields, when used as discriminators every existing value is displayed as a separate row, but with _time, even if I'm no using any span= with my command, they are grouped somehow. Obviously, in this case, I have really rare events, that's why I want to have the exact time values here. ... View more

So I got multiple custom datasources, scripts mainly, which are sending events to Splunk on some schedule/recurrence. I can distinguish every execution of these sources by either a timestamp, or a custom ID, which gets incremented with every execution which is captured in every event. The events always have a proper host field, which also contributes to the "unique key" of an event with unique ID mentioned beforehand. The hosts are attributed with custom fields, this is the third part of something which could be used as uniqe key. These are always present in the events as long as they apply to a given host, and are no longer present when they don't apply to a host. An example what I mean (every line is a separate event): hostID=host1, attributeID=attribute1, customid=customid1 hostID=host1, attributeID=attribute2, customid=customid1 hostID=host2, attributeID=attribute1, customid=customid2 hostID=host1, attributeID=attribute1, customid=customid2 (Because of the _time field, these would appear in Splunk in reverse order obviously) I want to deduplicate such events to always have the data only from the really last execution of a script. Like, from the above example, I want to have only host2, attribute1, customid2 host1, attribute1, customid2 If I were to use | dedup hostID, attributeID, customid It would yield me - host1, attribute2, customid1 - host2, attribute1, customid2 - host1, attribute1, customid2 The solution my team came up is using <base search> | eventstats max(customid) as max_customid by hostID | search customid=max_customid This pretty much does the thing, but I feel this is really not efficient - what would be the right approach do to this? ===EDIT One given host has multiple events (with multiple attributes) from the same execution of the script. A more detailed example, let's say I got these events: hostID=host1, attributeID=attribute1, customid=customid1 hostID=host1, attributeID=attribute2, customid=customid1 hostID=host2, attributeID=attribute1, customid=customid2 hostID=host1, attributeID=attribute1, customid=customid2 hostID=host1, attributeID=attribute3, customid=customid2 hostID=host1, attributeID=attribute4, customid=customid2 hostID=host2, attributeID=attribute3, customid=customid2 I want to keep the below events: hostID=host2, attributeID=attribute1, customid=customid2 hostID=host1, attributeID=attribute1, customid=customid2 hostID=host1, attributeID=attribute3, customid=customid2 hostID=host1, attributeID=attribute4, customid=customid2 hostID=host2, attributeID=attribute3, customid=customid2 This is the reason I can't use stats first() ... View more

I'm trying to use the above add-on to get Azure Audit logs, and I want to use a proxy. Everything is configured according to the docs, but any time the script tries to download the data, I'm getting 10061. I double checked with wireshark, the script is not even trying to connect to my proxy, instead it tries connecting directly to the Microsoft servers. I'm running on a Windows server. How can I get this working ? ... View more

I'm trying to run search via the REST api, to get the contents of a lookup: | inputlookup my_lookup I got only 100 rows in the results, which is weird, because my lookup is much bigger. I've checked in limits.conf, I'm using the default setting - 50000 rows. Is there something with lookups? Any other search queries I did with REST worked as expected. I wasn't able to find indicator for this limitation in the HTTP requests/responses used for the search. ... View more

I have an accelerated datamodel configured, and if I run a tstats against it, I'm getting the results as expected. However, if I add summariesonly=t to my tstats, some I get less results. I've tried rebuilding the datamodel, at 100% the same issue happens. Can be something misconfigured, resulting in some of the events not getting summarized ? ... View more

I'm running Splunk 6.5.2 on a Windows Server 2012 R2, and I just cannot get the proxy working. I've tried setting it in splunk-launch.conf, and/or as an environmental variable for both http_proxy and httpS_proxy , but none of them helped, I'm getting Winsock 10061 errors all the time. I've tried both formats: : and http(s)://:. Besides that, I want to use a couple apps (downloaded from Splunkbase), some of them has their own configuration where I can specify the proxy settings, and I'm getting '407 Proxy Authentication Required' errors. However, our proxy does not need authentication. I've tried running web requests with the same python modules used in the apps (urllib2, requests), and worked from me. ... View more

I have a command defined in an application provided by a vendor, which I would like to use in another application installed in Splunk, as a workflow action. I've tried invoking the same command from an inline search, but I'm getting an "Unknown search command" error. In the application where the command is defined, I've already set the permissions the command to be globally available for everyone: [] access = read : [ * ], write : [ admin, power, splunk-system-user ] export = system [commands] export = system What else do I need to set to make this available ? ... View more