In fact, I have asked that very question in 2017, did not get an answer and created this solution. Here is the link to my post: Solved: Re: Custom search command called multiple times - Splunk Community There, you can find a more detailed description of my solution. ... View more

Reviving the thread a year later: I have the same problem, had it back in Splunk 6.6.2 and still seeing it in Splunk 8.2.6 years later. No idea why - but I really needed to work around it. Here is what I came up with: I open a file, with a name derived from search id, with exclusive access for creation in a special `lock` folder. If it succeeds, I proceed with the rest of the code. If it fails, I realize that it was already "caught" by the previous run of the same command and bail out. Of course, I need some way of tidying up that `lock` folder, which is something that can be done with a scripted input, and not too frequently - once a day or even once a week should be plenty. In theory, I should be able to remove (unlink) that lock file right from the second instance, but it bit me in the back, so I abandoned the idea. Might want to revisit now, after so many years... ... View more

Sorry, haven't visited Splunk community for a long time - way too much work in other projects. I tried to run it as an admin, so can definitely access all indexes. I can see results from the local _internal index, just not from the search peers. ... View more

When more than one regex matches, values from which are you getting? The last one (alphabetically)? Or multivalue? If it's just a single value, I'd suggest naming and ordering the stanzas in such a way that the preferred one goes last. And listing them in the same (reverse in terms of priority) order in props.conf . If it becomes a multivalue, try adding MV_ADD=false (though I doubt it will help). ... View more

It seems like they want to react to something quickly. The question is: how quickly? They must have some "reaction time" allowed. Another question: what are they using to launch the searches? Some kind of Splunk SDK? If yes, any searches, either one shot or regular, have "earliest_time" and "latest_time" keyword attributes that can be added. I did it in Python but I'd assume it's true in any SDK. If they need it on a dashboard, many elements can have a refresh value. On the top level ( form or dashboard tag), there is a refresh attribute which has a numerical value in seconds. A similar attribute can be in many other elements, such as table or chart . ... View more

At this point, I would go over to the universal forwarders and check how the timestamp is generated (is it in the . format?) and any timezone settings there, including timezone setting of the OS. ... View more

Looking at Jenkins documentation, it seems like you can configure any sourcetype there. I believe an HEC input will accept any source, sourcetype, host, time etc. if they are specified in the incoming message. The only restriction is that the index (if it is set in the incoming message) should be in the list of allowed indexes (configure the token correspondingly). Read the section named "Event Metadata" in "Format Events for HTTP event collector" within "Getting Data In" manual. There is no restriction on sourcetype there. ... View more

It's not clear - do you want to have both start and stop calculated within the same event, or do you group your events somehow and then one of the events in the group should provide a 'start' while another yields 'stop'? Can you show at least a small extract of the relevant fields of your data and explain what you are trying to achieve? ... View more

Count of all instances of each value? If yes, try | stats count by Item_Number instead of table . stats generates values in such a way that you can use this search to power a table on a form/dashboard. ... View more

I upvoted yours quite some time ago. Also, it's not a competition - there is more than one way to do something, and it's great. I actually learned something from your answer - never used foreach command, nor {{session_length}} syntax, and just being aware of it is great. ... View more

No, please don't. It shows the weakness anyway: how do I make it more generic and calculate the starting offset instead of hard-coding it? I actually hate seeing those constants in the code. I'd say something like | rex field=test "(?<prefix>.{3})(?<session_length>\d)" | eval session=substr(test,1+len(prefix)+len(session_length),session_length) is more to my liking. How's that for a solution? ... View more

I downvoted this post because the answer is plain wrong - please test your suggestions before posting. here is a search i ran to check your answer: | makeresults | eval test="abc5defghijk" | rex field=test "\d{1}+(?<sub>.\s{3})" you can change that digit 5 inside test to any other digit you want and sub will always be "defg". ... View more

No, I did not hard-code the length - 5 was the length of the prefix (.{3}\d)+1 (substr is 1-based), the other 5 gets taken from session_length - look closer :). My solution will take 'defg' from 'abc4defgHijk' - please check. Here is a search I've just run: | makeresults | eval test="abc4defgHijk" | rex field=test "^.{3}(?<session_length>\d)" | eval session=substr(test,5,session_length) ... View more

Unless there are other fields in the original event, starting with a digit, correct? I like the elegance of your answer, but what are the downsides of mine? ... View more

Strange - I've just tried index=_internal | timechart count on my 7.2.1 (_internal because I'm just evaluating it and there is no data on it yet) and it came out normal, _time first, count second. Just out of curiosity, I then tried this: index=_internal | bucket _time span=10m | stats count by _time and it also worked - you then choose Timechart as your Visualization and it displays just fine. ... View more

The REST endpoints under "/services" are not app-specific even though you put them you $SPLUNK_HOME/etc/apps/yourapp/bin , and they go via Splunk management port (8089 by default). This is somewhat of a problem - while your browser normally connects to http://yoursplunkhost:8000/en-US/app/yourapp , REST API calls go to https://yoursplunkhost:8089/services/yourcustomendpoint . This creates CORS problems unless you properly set HTTP headers in your custom endpoint. And it normally needs authentication, unless you set requireAuthentication = false in the endpoint's stanza in restmap.conf . There is another way of creating custom endpoints - putting the scripts not in $SPLUNK_HOME/etc/apps/yourapp/bin , but in $SPLUNK_HOME/etc/apps/yourapp/appserver/controllers and defining it in $SPLUNK_HOME/etc/apps/yourapp/default/web.conf . This one goes through http://yoursplunkhost:8080/en-US/custom/yourapp/yourcustomendpoint and picks up the authentication of your browser page IIRC, but you'd better check the exact ways in the documentation. ... View more

OK, we figured out the exact syntax: our datamodel has an object named "Package", which has such extracted fields as "length", "width", "height" and a calculated "tot_dim" which is a sum of the three dimensions. It also has a "token" field, which for some reason is not extracted properly, so I tested the GROUPBY syntax on some other field. All in all, it looks like this: | tstats count first(Package.tot_dim) AS tot_dim1 last(Package.tot_dim) AS tot_dim2 from datamodel=Our_Datamodel where index=our_index by Package.token | search count=2 Shall we agree that some of Splunks intricacies are somewhat underdocumented? 🙂 Oh, and we are still in 6.6.2 - though I doubt it changes much in the latest version. ... View more

Could you please clarify: if our datamodel is named "Our Datamodel" with internal name Our_Datamodel , it has an event named Event and in it are a couple of fields named length and token , what would be our search string? ... View more

Not sure - never tried it, as we need that by/groupby anyway. I think our mistake was a wrong field notation - we did not realize that datamodel fields are referenced as datamodelname.fieldname . Thanks to @woodcock 's answer below, we realized our mistake. ... View more

Thanks for the link back to your previous answer - voted that up. For some reason, strptime(strftime($job.earliestTime$,...),...) failed to work for me, so I went with the | addinfo option. That did work - especially nice because addinfo is producing times in time and not string format, so there is no guessing what to tell strptime . ... View more