Good Morning! I rarely get to dabble in SPL, and as such, some (probably simple) things stump me.  That is what brought me here today. I have a scenario in which I need to pull SYSLOG events from a series of machines that all report the field names.  One of those machines is the authoritative source of values, which all of the other systems should have.  As an example, I have 3 machines... M1, M2, M3, and each machine reports three field/value pairs... sync-timestamp, version-number, machine-name. I need to compare the sync-timestamp of M1 with the sync-timestamp of the other two machines.  My idea is to assign the "sync-timestamp value WHERE computer-name=M1" to a variable by which to compare the other two machines' values.  I intend to use this report to ultimately create an alert, so we know if machines are not syncing properly. I just cannot figure out the syntax to make this happen.  Can anyone provide some guidance on this? Thank you in advance! ... View more

Good Evening, I have, what appears to be, a unique situation.  I have tried every means that I could find even vaguely related to my problem. The Scenario Data, which each record having it's own epoch-based timestamp, is being imported into Splunk weekly.  As a result, indexed timestamps are nowhere near the actual record timestamp. My dashboard has two text boxes in which the user can input a date range (with formatting guidance) for the records' timestamps which fall between those dates. The Problem  No matter how I try to format string inputs, I cannot retrieve the records within those dates.  What's worse is, when I include my WHERE statement, I don't get ANY records returned.  I have been working on this for hours, but I am no closer now than when I began. The Code  My input tokens for the text boxes are "date_start" and "date_stop".  The field "eventTime" is the record's timestamp in epoch time. <query>index=customer sourcetype=json_no_timestamp custApiKey=d8lwmc9qjd778ksmfy | eval _start=strptime($date_start$, "%Y-%m-%d") | eval _start=strftime(_start, "%s") | eval _stop=strptime($date_stop$, "%Y-%m-%d") | eval _stop=strftime(_stop, "%s") | where (_start &gt;= eventTime) AND (_stop &lt; eventTime) </query>   Any help would be GREATLY appreciated! ... View more

Hello Everyone, This may be an odd question, but I am wondering how (if possible) to add a useful timerangepicker to a dashboard in which all panels are from existing reports.  In the past, the dashboard has just been run for "Last 7 Days", which all of the reports are set up for.  Recently, a feature has been desired to allow the user to select the time range for which the data will be presented.  Obviously I can add the timerangepicker and submit button pretty easily, but how do I tie the chosen time range to the reports in the panels without recreating everything? Thank you for your time and assistance! ... View more

I have a dashboard in which the customer can enter a start date/time, end date/time, and a string. I then use the information entered to query two different (not Splunk) databases to find/present records which contain the string entered which occur between the data/time entries. The issue I am having is that the two databases store the timestamps in different formats. So, regardless of what format I have the user enter the date/time, it does not agree with one of the two systems. So, how can I a date/timestamp that is valid for one system (2017-11-15 16:22:30), and convert it to a new token that is valid for the second system (11-15-17 16:22:30)? I attempted to use the following, but it appears I have no idea where "eval" can be used. 🙂 <eval token='$conv_startTime_token$'>strptime($startTime_token$,%m-%d-%y %h:%M:%S)"</eval> Thank you! ... View more

Hello, I am VERY new to Splunk. I have built some basic dashboards using DB queries, because the data is not (yet) being put directly into the Splunk database. With that said, I would like to enhance my current dashboard with some additional data defined in a CSV file. To be more specific my dashboard contains phone numbers. My CSV file contains the location data of North American Numbering Plan area codes and prefixes (NPA-NXX). I would like to lookup the location of the caller, based on the NPA-NXX, and include that in my dashboard. Given my limited knowledge/skill set with Splunk, I have a few questions: 1) Is this even possible in Splunk? 2) Does Splunk support data/format manipulation within the search string, such as using RegEx, or can you define a substring to look for? 3) Are there any existing tutorials around these areas that could help guide me to a solution? Any help would be greatly appreciated!! EXAMPLE (dots added for spacing purposes) [Query Results] Phone Number .......... Call Count +12345678901........... 12 [CSV Entry] NPA-NXX .................. Location 234-567 .................... Anytown, USA Desired Output Phone Number .............. Location .................................. Call Count +12345678901............... Anytown, USA ......................... 12 ... View more