I am running a search that gets a list of accounts, multiple records that can have multiple accounts in each event. I need to find all accounts that are not valid. what I have so far produces results but I cant figure out how to get the $acctid$ in the output. Right now I just get 2 records in the stats page show a 0 for each one but no way to show the content of the $acctid$. I have manually checked and the number is correct I have 2 bad accounts. Basic search is index=events eventName="testevent" | spath output=acctid path="requestParameters.items{}.acctid" | stats list(acctid) as acctid by eventID | mvexpand acctid| | map search="search index=acctlist Id=$acctid$ | stats count | where count=0" The 1st half of the search produces eventID acctid 15326ca3-d4ce-421f-aa07-457fcc7c5df1 12345678 8b99fa14-fa4f-4cd2-8d5e-4d9244b5e027 04341234568 8b99fa14-fa4f-4cd2-8d5e-4d9244b5e027 34491234568 9d807652-8b16-4a1a-a985-236c8409b73c 12345678 c5e8b181-4440-4af3-8687-805522ab67e8 04341234568 e539d095-8664-4c68-99ba-1ef1329ec78d 34491234568 ebf27592-2741-4093-b035-eaf3d1ecc4ee 04341234568 I know the 1st and 4th entry are bad accounts and the map command produces 2 results but just shows the zero from the count. How do I get the contents of either the acctid or eventId in the results count 0 0 ... View more

I have logs being stored in json that shows accounts being given access to data. I need to validate that the accts are valid. I am trying to run a subsearch that will get the list of accounts(userId) from the logged event and validate against a list of known accts. I was planning on using a search/subsearch structure but I am having issues getting the acct list(userId) out of the json structure json strusture - eventID: 4321-4321-4321-1234 requestParameters: { [-] attributeType: CREATE_VOLUME_PERMISSION createVolumePermission: { [-] add: { [-] items: [ [-] { [-] userId: 1234567889 } { [-] userId: 0987654321 } ] } } Ideally I would like to pass the eventId and userId to the main search for each userId and report those details if the acct is not found in my list of known accts ... View more

I have a splunk cluster with 3 indexers. I have a non replicated index that for some reason has stopped getting new data on one of the indexers. Other indexes on the same node are getting data. What can I look for to figure out why this index on the one node is not getting new data. The data is coming from a pair of Heavy Forwarders which is my 1st target to check but not sure where to look. ... View more

I manage a couple of small Splunk clusters, and for the 1st time, I need to build one form scratch. I am testing in our sandbox environment, but when I bring the cluster up, I end up with index issues that can't seem to be resolved. cannot fix up search factor as bucket is not serviceable Cannot fix search count as the bucket hasn't rolled yet. The above messages show up for every bucket in the _audit and _internal indexes. The build is a fairly simple one: 2 indexer peers, 1 master, and 1 dedicated search head 1- It's RHEL based 2- Install the rpm, 7.0.3 is the version I am playing with 3 - Set the firewall rules to allow the traffic 4 - /opt/splunk/bin/splunk enable boot-start -user root --accept-license 5 - /opt/splunk/bin/splunk start --accept-license For the master I run - /opt/splunk/bin/splunk edit cluster-config -mode master -replication_factor 2 -search_factor 2 -secret xxx -cluster_label test For the indexer peers - /opt/splunk/bin/splunk edit cluster-config -mode slave -master_uri https://xx.xxx.xx.xx:8089 -replication_port 9887 -secret xxx For the Search head - /opt/splunk/bin/splunk edit cluster-config -mode searchhead -master_uri https://xx.x.xxx.xx:8089 -secret xxx Restart Splunk on the master, then configure the other nodes and restart Splunk. Not sure what I am missing or doing wrong. ... View more

We have a couple of splunk envs running is aws. We rehydrated(deployed a new AMI) one of the env last week and this week I have run into a strange issue with the timing of indexed data. Before the rehydrate data was indexed typically within 5-10 mins of the eventtime. Now it appears that exactly one hour has been added to the time it takes to get the data indexed. I am at a loss to explain this??? The events are being forwarded from cloudtrail. No cloudtrail changes have occurred . Here is a sample of events prior the env rehydration (getting a new AMI) e_time i_time 06/20/18 08:27:18 06/20/18 08:31:40 06/20/18 08:27:03 06/20/18 08:31:40 06/20/18 08:26:48 06/20/18 08:31:40 06/20/18 08:26:32 06/20/18 08:31:40 06/20/18 05:00:14 06/20/18 05:11:13 06/20/18 04:37:59 06/20/18 04:49:45 06/20/18 03:01:46 06/20/18 03:09:51 06/20/18 02:58:34 06/20/18 03:09:51 06/20/18 03:25:55 06/20/18 03:31:40 06/20/18 03:25:39 06/20/18 03:31:40 06/20/18 03:25:36 06/20/18 03:31:40 06/20/18 03:25:21 06/20/18 03:31:40 06/20/18 03:25:20 06/20/18 03:31:40 06/20/18 00:47:21 06/20/18 00:59:58 06/19/18 23:43:47 06/19/18 23:51:38 06/19/18 23:43:31 06/19/18 23:51:38 06/19/18 23:43:31 06/19/18 23:51:38 06/19/18 21:00:13 06/19/18 21:07:14 06/19/18 20:59:58 06/19/18 21:07:14 06/19/18 20:59:43 06/19/18 21:07:14 06/19/18 20:59:28 06/19/18 21:07:14 06/19/18 20:59:27 06/19/18 21:07:14 06/19/18 19:42:55 06/19/18 19:47:33 After you can see the one hour delay e_time i_time 06/29/18 06:32:10 06/29/18 07:35:49 06/29/18 06:29:23 06/29/18 07:35:49 06/29/18 06:28:48 06/29/18 07:35:49 06/29/18 06:28:38 06/29/18 07:35:49 06/29/18 06:28:26 06/29/18 07:35:49 06/29/18 05:40:20 06/29/18 06:46:07 06/29/18 05:40:05 06/29/18 06:46:07 06/29/18 05:39:50 06/29/18 06:46:07 06/29/18 05:39:34 06/29/18 06:46:07 ... View more