Good afternoon. I have been working on this issue for a couple of days, and I just cannot seem to get this SPL correct. I am running a report on SIP traffic for a specific scenario, and the results of that report are written to an outputlookup (CSV) file.  I then am trying to use that CSV file in a new report to try to find any history of the phone numbers found in the first report. I have successfully extracted the user-part of the SIP URI (the phone number), and when I look at the results of just that SPL, everything looks good.  My problem comes from extracting that data as part of a subsearch, so that I can use the user-part as a means of finding all SIP URIs for that phone number for a period of time.  I know that phonenumber will never equal SIPURI, so I am using "| eval SIPURI = user-part."%" in the subsearch to make the subsearch a LIKE rather than an EQUALS comparison.  I am still not getting any matching events, though. Can someone tell me the proper way to, effectively, do a substring search with results of a subsearch, to find events in the index which contain said substring?   Thank you in advance! ... View more

Good day! I am currently working on a search which provides data from two different event types (connection information and disposition information).  Everything is working well, except both event types have timestamps with the same name.  As a result, my returned data has two timestamps (in the same column) for each record.   Is there a way to limit the number of timestamps per record to 1?  Or is there a way to somehow designate which event type the timestamp should be pulled from? Thank you for your help! ... View more

I have a DBConnect query that runs to populate the panel of a dashboard every week.  We upgraded both the database which houses the data AND Splunk a couple of weeks ago.  The new database is Postgres 14 and Spunk is not at 9.2.3.  I have run this query directly on the Postgres box, so it appears that Postgres doesn't suddenly have an issue with it. Other panels/queries in this dashboard use the same DBConnect connection, so the path, structure, and data all appear to be good.  The issue seems to lie with the "math" in the time range, but I cannot put my finger on why.  Basically, we are trying to pull a trend of data going back 8 weeks, starting from last week. query=" SELECT datekey, policydisposition, count(guid) as events FROM event_cdr WHERE datekey >= CURRENT_DATE - CAST(EXTRACT(DOW FROM CURRENT_DATE) as int) - (7*8) AND datekey < CURRENT_DATE - CAST(EXTRACT(DOW FROM CURRENT_DATE) as int) AND direction_flag = 1 AND policydisposition = 1 GROUP BY datekey, policydisposition ORDER BY datekey, policydisposition When I try to execute this query, I consistently get the following error: "Error in 'dbxquery' command: External search command exited unexpectedly. The search job has failed due to an error. You may be able view the job in the Job Inspector" Some of the search.log file is here: "12-30-2024 16:00:27.142 INFO PreviewExecutor [3835565 StatusEnforcerThread] - Preview Enforcing initialization done 12-30-2024 16:00:28.144 INFO ReducePhaseExecutor [3835565 StatusEnforcerThread] - ReducePhaseExecutor=1 action=PREVIEW 12-30-2024 16:02:27.196 ERROR ChunkedExternProcessor [3835572 phase_1] - EOF while attempting to read transport header read_size=0 12-30-2024 16:02:27.197 ERROR ChunkedExternProcessor [3835572 phase_1] - Error in 'dbxquery' command: External search command exited unexpectedly. 12-30-2024 16:02:27.197 WARN ReducePhaseExecutor [3835572 phase_1] - Not downloading remote search.log and telemetry files. Reason: No remote_event_providers.csv file. 12-30-2024 16:02:27.197 INFO ReducePhaseExecutor [3835572 phase_1] - Ending phase_1 12-30-2024 16:02:27.197 INFO UserManager [3835572 phase_1] - Unwound user context: User338 -> NULL 12-30-2024 16:02:27.197 ERROR SearchOrchestrator [3835544 searchOrchestrator] - Phase_1 failed due to : Error in 'dbxquery' command: External search command exited unexpectedly. 12-30-2024 16:02:27.197 INFO ReducePhaseExecutor [3835565 StatusEnforcerThread] - ReducePhaseExecutor=1 action=QUIT 12-30-2024 16:02:27.197 INFO DispatchExecutor [3835565 StatusEnforcerThread] - Search applied action=QUIT while status=GROUND 12-30-2024 16:02:27.197 INFO SearchStatusEnforcer [3835565 StatusEnforcerThread] - sid=1735574426.75524, newState=FAILED, message=Error in 'dbxquery' command: External search command exited unexpectedly. 12-30-2024 16:02:27.197 ERROR SearchStatusEnforcer [3835565 StatusEnforcerThread] - SearchMessage orig_component=SearchStatusEnforcer sid=1735574426.75524 message_key= message=Error in 'dbxquery' command: External search command exited unexpectedly. 12-30-2024 16:02:27.197 INFO SearchStatusEnforcer [3835565 StatusEnforcerThread] - State changed to FAILED: Error in 'dbxquery' command: External search command exited unexpectedly. 12-30-2024 16:02:27.201 INFO UserManager [3835565 StatusEnforcerThread] - Unwound user context: User338 -> NULL 12-30-2024 16:02:27.202 INFO DispatchManager [3835544 searchOrchestrator] - DispatchManager::dispatchHasFinished(id='1735574426.75524', username='User338') 12-30-2024 16:02:27.202 INFO UserManager [3835544 searchOrchestrator] - Unwound user context: User338 -> NULL 12-30-2024 16:02:27.202 INFO SearchOrchestrator [3835541 RunDispatch] - SearchOrchestrator is destructed. sid=1735574426.75524, eval_only=0 12-30-2024 16:02:27.203 INFO SearchStatusEnforcer [3835541 RunDispatch] - SearchStatusEnforcer is already terminated 12-30-2024 16:02:27.203 INFO UserManager [3835541 RunDispatch] - Unwound user context: User338 -> NULL 12-30-2024 16:02:27.203 INFO LookupDataProvider [3835541 RunDispatch] - Clearing out lookup shared provider map 12-30-2024 16:02:27.206 ERROR dispatchRunner [600422 MainThread] - RunDispatch has failed: sid=1735574426.75524, exit=-1, error=Error in 'dbxquery' command: External search command exited unexpectedly. 12-30-2024 16:02:27.213 INFO UserManagerPro [600422 MainThread] - Load authentication: forcing roles="db_connect_admin, db_connect_user, slc_user, user"" ... View more

Hello All, I have a situation in which I need to use local lookup file as input in another search, however, the secondary search will happen on an external database, using DB_connect.  So the question is, how would I read-in the inputlookup file as input (WHERE clause) into a SQL query vs a SPL search?  I have done the opposite, in the past... use a lookup file to compare against the results of a SQL query.   If it has any bearing on the answer, the lookup file will be a CSV with multiple values for a single field.   Thank you. ... View more

Hello I have a regular report that I have to provide to a customer, and we are utilizing Splunk as the mechanism to retrieve the data from the source. The dataset is too large to pull down and process locally, so I have several different look-ups written to pull specific data views for the report. However, since we are connecting to an external database to pull the data, I would like to limit the "hit" that database takes at one time. With that said, is there a way to "control" how Splunk executes panel look ups? For instance, panel 1 executes immediately. After panel one contains data, panel 2 executes. After panel 2 contains data, panel 3 executes. And so on... I have seen one strategy that basically has sub-searches off of one master search's data, but again, that data set would be so big, I don't know that a master search would even complete. Hence, I am looking for other options. Otherwise, I will continue to have to run individual look ups manually, which is not efficient. Thank you. ... View more