I now use an updated version, that also compensates for choosing "All Time" in the time picker, which makes info_max_time set to "+Infinity" which unfortunately is not a number. | inputlookup mylookup.csv | addinfo | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity") ... View more

Does doing it this way make it more performant over the alternative to filter afterwards? If yes, could you explain where the performance improvement comes from?  I am always interested to learn performance tricks for Splunk.  ... View more

| rex max_match=1000 "(?://=(?[^:,]+))" | table _time, error_code Output: _time error_code 2021-03-17 14:23:41 404.EBS.SYSTEM.101 404.IMS.SERVERIN.103 404.IES.SERVER.105 404.IES.SERVEROUT.105 ... View more

You can probably achieve it with the reltime command and setting it to a token from within a hidden search.  https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Reltime Here is an example dashboard: <form> <label>Reltime</label> <search> <query> | makeresults | addinfo | eval _time = info_min_time | reltime | rename reltime as reltime1 | eval _time = info_max_time | reltime | rename reltime as reltime2 </query> <earliest>$time_token.earliest$</earliest> <latest>$time_token.latest$</latest> <done> <set token="reltime1">$result.reltime1$</set> <set token="reltime2">$result.reltime2$</set> </done> </search> <fieldset submitButton="false"> <input type="time" token="time_token"> <label></label> <default> <earliest>-7d@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Events between $reltime1$ and $reltime2$</title> <table> <search> <query> | makeresults | addinfo | eval _time = info_min_time | reltime | rename reltime as reltime1 | eval _time = info_max_time | reltime | rename reltime as reltime2 </query> <earliest>$time_token.earliest$</earliest> <latest>$time_token.latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form>   ... View more

Maybe something like this?  (<YOUR FIRST SEARCH>) OR (<YOUR SECOND SEARCH>) | eventstats values(TYPE) as TYPE by ID | stats count by ID, TYPE, timerName ... View more

Note: This option only works correctly if every row in the input has only 1 of the fields with a value.  ... View more

Here is another solution for the originally requested example: generate sample events: | makeresults count=11 | streamstats count | eval f1 = case(count=1, "foo", count=2, "bar", count=3, "baz") | eval f2 = case(count=4, "x", count=5, "y") | eval f3 = case(count=6, "a", count=7, "b") | eval f4 = case(count=8, "1", count=9, "2", count=10, "3", count=11, "4") | fields - count, - _time output:  f1 f2 f3 f4 ---------------------------- foo bar baz x y a b 1 2 3 4 solution SPL: <yoursearch> | foreach * [| eval field = if(isnotnull(<<FIELD>>), "<<MATCHSTR>>", field )] | streamstats count as index by field | stats values(*) as * by index | fields - field, - index output: f1 f2 f3 f4 ---------------------------- foo x a 1 bar y b 2 baz 3 4   ... View more

The code above solves this example: header, values (mv field) a = { a1, a2, a3 } b = { b1, b2 } c = { c1, c2, c3, c4 } target table (each value in separate row/field) a b c ------------------- a1 b1 c1 a2 b2 c2 a3 c3 c4   ... View more

I tried to solve this for you, but the query might be a bit inefficient: | makeresults | eval a = mvappend("a1", "a2", "a3"), b = mvappend("b1", "b2"), c = mvappend("c1", "c2", "c3", "c4" ) | rename * as *_values | foreach *_values [| eval max = if(max > mvcount(<<FIELD>>), max, mvcount(<<FIELD>>) )] | foreach *_values [| eval <<MATCHSTR>>_filler = mvrange(mvcount(<<FIELD>>), max, 1), <<MATCHSTR>>_filler = mvmap(<<MATCHSTR>>_filler, " "), <<FIELD>> = mvappend(<<FIELD>>, <<MATCHSTR>>_filler)] | foreach *_values [| eval <<FIELD>> = mvmap(<<FIELD>>, "<<MATCHSTR>>=\"" . <<FIELD>> . "\"")] | fields - *_filler | eval raw = mvmap(mvrange(0, max, 1), " ") | foreach *_values [| eval raw = mvzip(raw, <<FIELD>>)] | fields raw | mvexpand raw | rename raw to _raw | extract   ... View more

Yes, now you should have the buttons for Introspection back and there is a button in the popup menu, that says "Reset all Configurations". Hit it and afterwards it should be fine again. ... View more

I also had problems with the Data inventory after an update. I found that the Data in my kv store lookup "data_inventory_products_lookup" was likely outdated from a previous version. The Addon ships with newer data in SSE-default-data-inventory-products.csv but on update was not loaded into the KV store. So my issue was fixed by: | inputlookup SSE-default-data-inventory-products.csv | outputlookup data_inventory_products_lookup ... View more

Based on you own findings I found that the Data in my kv store lookup "data_inventory_products_lookup" was likely outdated from a previous version. So my issue was fixed by: | inputlookup SSE-default-data-inventory-products.csv | outputlookup data_inventory_products_lookup ... View more

Error still in Version 3.0.6 ... View more

When using the add-on builder this code works for me: def process_event(helper, *args, **kwargs): service = client.Service( token=helper.settings.get('session_key'), owner='nobody', app='SplunkEnterpriseSecuritySuite') myitem = service.confs["myconf"]["mystanza"]["myitem"] helper.log_info("myitem={}".format(myitem)) ... View more

Yes please, I need this too. ... View more

I don't know if it is still relevant here, but I had success with: events = helper.get_events() for event in events: event_id = event.get("event_id") helper.log_info("event.get(\"event_id\")={}".format(event_id)) ... View more

Thanks! Has the same problem today and changing the captain did not help. But running this on the problematic host, solved it. ... View more

Yes of course. ... View more

Which limit in limits.conf do I need to change to allow the search to be queued? We have alerts that we definitely do not want to be skipped, but sometimes they take longer to execute and the following search is skipped because the first is not finished yet. ... View more