Hi. Running 9.0.6 and a user (who is the owner)  can schedule REPORTS, but not DASHBOARDS. It's a CLASSIC dashboard (not the new fancy one Stooooodio one). Dashboards --> Find Dashboard --> Edit button --> NO 'Edit Schedule' Open dashboard, top right export, NO 'Schedule PDF' My local admin says 'maybe they changed something in 9.0.6), but I'm unconvinced until this legendary community agrees. "feels" like a permission missing is all.     ... View more

I have a dbxquery command that queries an Oracle server that has a DATE format value stored in GMT. My SQL converts it to SQL so I can later use strptime into the _time value for timecharting:       SELECT TO_CHAR(INTERVAL_START_TIME, 'YYYY-MM-DD-hh24-mi-ss') as Time FROM ...       Then at the end of my SPL:       ... | eval _time=strptime(TIME,"%Y-%m-%d-%H-%M-%S") | timechart span=1h sum(VALUE) by CATEGORY       On the chart that renders, we see values in GMT (which we want). My USER TIMEZONE is Central Standard, however, and not GMT. When I click (drilldown) a value $click.value$, it passes the epoch time CONVERTED TO CST. As an example, if I click the bar chart that is for 2PM today, my click-action parm is 1715972400.000 which is Friday, May 17, 2024 7:00:00 PM GMT - 5 hours ahead. I validated this by changing my user tz to GMT and it passes in the epoch time in GMT. I googled 'splunk timezone' and haven't found anything, yet, that addresses this specifically (did find this thread that is related, but no solution https://community.splunk.com/t5/Dashboards-Visualizations/Drill-down-changes-timezones/m-p/95599) So wanted to ask here! It's an issue because the drilldown also relies on dbxquery data, and so my current attack plan is to deal with the incorrect time on the drilldown (in SQL), but I can only support that if all users are in the same timezone. In conclusion, what would be nice is if I could tell Splunk to 'not change the epoch time' when clicked. I think!         ... View more

Hi. I have a lookup file with phone numbers broken down into their parts, so: cc,npa,nxx,list 1,210,5551234,good 1,512,7779876,bad My event stream has e164 phone numbers, so: +12105551234 +15127779876 i'd like to use the lookup command, but can't find a way to natively join this data and looking for ideas. currently i am able to use join, like this:       ... | join number [ | inputlookup lookupfile.csv | eval number="+".cc.npa.nxx       but I've learned through this group mostly to try and avoid 'join' because of limitations and 'it basically applying SQL and this ain't SQL'. I thought about 'breaking apart' the number field into (3) fields and then passing several looks like in the example page linked above, but this feels backwards when what i'd prefer to do is join the data in the csv. So another idea was to create a report that does that and creates a new CSV (|output lookup), but that feels unnecessary, too. Any thoughts? THANK YOU!         ... View more

So...I have a HEC receiving JSON for phone calls using a custom sourcetype which parses calls from a field called timestampStr which looks like this: 2024-01-19 19:17:04.60313329 And uses TIME_FORMAT in the sourcetype with %Y-%m-%d %H:%M:%S.%9N And this sets _time to 2024-01-19 19:17:04.603 in the event. Which SEEMS RIGHT. However, if I then, as a user in Central time zone, ask for the calls 'in the last 15 minutes' (assuming I just made the call) it does not show up.  And, in fact, to find it, I have to use ALL_TIME (because the call seems to be 'in the future' based on my user, which feels dumb/weird to write because I know it's not technically true, but the best I can explain it). Here is what I mean (example): 1. i placed a call into the network at 1:17PM CENTRAL TIME (which is 19:17 UTC) 2. the application sent a json message of that call 3. it came in as above 4. i then ran a search in Splunk looking for that call in the LAST 15 MINUTES and it did not find it 5. however, i immediately asked for ALL_TIME and it did. I think my assumption is that if my USER SETTINGS are set to Central, it would 'correlate the calls' ok, but this appears not true or, rather, more likely, my understanding of what is going on is very poor. So I, once again, return to the community looking for answers.     ... View more

Ok, been learning alot about reducing event size from a recent conversation (here) and got linked a great article on search performance (this one) and an obvious key is reducing the events that come back (the first line is the most important). For a lot of the reports I'll need to write, the way to do this would be the match DIRECTORY INFORMATION but that DOES NOT EXIST IN THE UNDERLYING DATA and this gets complicated with what I wrote in that other post about (2) streams of data. Here is what I mean (specifics). 1. DS 1 (call data, JSON) 2. DS 2 (policy data, JSON) 3. directory.csv (inputlookup file with data, or I could query a DB using dbxquery) So if I want to match 'mylist' in that csv then I have to do it AFTER the first line, like this:   index="my_data" resourceId="enum*" ("disposition.disposition"="TERMINATED" OR "connections{}.left.facets{}.number"=*) | stats values(sourcenumber) as sourcenumber values(disposition) as disposition by guid | lookup directory_listings.csv number AS sourcenumber OUTPUT lists | search lists="mylist"   This brings back the (2) Datasources (the first line), but then I have to read through 100% of it, then match the directory, then filter so this is huge 'false positive' (event to scan count ratio) I've read before about using subsearch and this works great, but then leaves out one of the data sources. In other words this: index="policyguru_data" resourceId="enum*" ("disposition.disposition"="TERMINATED" OR sourcenumber=*) [ | inputlookup pg_directory_listings.csv | search lists="*mylist*" | fields number | rename number as sourcenumber | format ] | table * runs fast and is 1:1 event-to-scan, BUT OMITS disposition entirely, because it's not 'joining' data, but sending the sourcenumber up to the first line, which then EXCLUDES disposition because it doesn't match. Does that make sense? I suppose I could use this entire search AS a subsearch to get back 'guid' values and then pass that UP into another search but feels very...INCEPTION at that point!  Anyway, looking for ideas. Thank you! ... View more

I have an index that is receiving JSON data from a HEC, but with 2 different data sets and about 2M per day: DS1 {guid:"a1b2",resourceId="enum",sourcenumber:"55512345678"} DS2 {guid:"a1b2",resourceId="enum",disposition:"TERMINATED"} Now, counting terminated is easy and fast, this runs in 1s for all calls yesterday.   index="my_data" resourceId="enum*" disposition="TERMINATED" | stats count   But counting TOP 10 TERMINATED is not so much, this takes almost 10m on the same interval (yesterday):   index="my_data" resourceId="enum*" | stats values(*) as * by guid | search disposition="TERMINATED" | stats count by sourcenumber   I found some help before using subsearches and found this | format thing to pass in more than 10k values, but this still takes ~8m to run:   index="my_data" resourceId="enum*" NOT disposition=* [ search index="my_data" resourceId="enum*" disposition="TERMINATED" | fields guid | format ] | stats count by sourcenumber | sort -count   The issue is I need 'data' from DS1 when it 'matches guid' from DS2, but I've learned that 'join' isn't very good for Splunk (it's not SQL!) Thoughts on the 'most optimized' way to get Top 10 of data in DS1 where certain conditions of DS2? NOTE - I asked a similar question here, but can't figure out how to get the same method to work since it's not excluding, it's more 'joining' the data: https://community.splunk.com/t5/Splunk-Search/What-s-best-way-to-count-calls-from-main-search-excluding-sub/m-p/658884 As always, thank you!!!     ... View more

Greetings. I'm trying to count all calls in this: index="my_data" resourceId="sip*" "CONNECTED" Where not in this: index="my_data" resourceId="sip*" "ENDED" This works when the latter is <10k (subsearch)   index="my_data" resourceId="sip*" "CONNECTED" NOT [ search index="my_data" resourceId="sip*" "ENDED" | table guid ]   And I can use a join for more than >10k because the TOTAL is not 10k (join limits)   index="my_data" resourceId="sip*" "CONNECTED" | table guid meta | join type=left guid [ search index="my_data" resourceId="sip*" "ENDED" | table guid timestamp ] | search NOT timestamp="*"    But neither 'feel' great. I'm making my way through the PDF found here but not figured out 'the best' way to do this (if such a thing exists). https://community.splunk.com/t5/Splunk-Search/how-to-exclude-the-subsearch-result-from-main-search/m-p/572567 So while there are several questions related to 'excluding subsearch' results, I have not found many that help with this 10k issue (subsearch results more than 10k and a join works, as long as my total values is less than 10k). PLUS - joins are kinda sucky, amirite?  I mean, that's like what the first things that Nick Mealy says in that pdf. So just looking for more options to try and learn! Thank you!   ... View more

I have json data coming in that contains a 13 digit epoch value in eventTime, but %s appears to only support 10 digits (https://docs.splunk.com/Documentation/Splunk/8.2.8/Data/Configuretimestamprecognition?ref=hk) What i'm trying to do is create a source type that will set _time to the value in eventTime when consumed, but struggling to solve it. I did try setting TIMESTAMP_FIELDS to eventTime and then TIME_FORMAT to %s, but that did not work. But, I also manually added a 10 digit epoch and it still did not work, so maybe i'm just chasing the wrong idea. I also tried 'AUTO' but it did not find it. Looking to learn!  Thank you!     ... View more

Hi. Got some great help using subsearches to match against a directory (CSV or SQL) using a sub search (https://community.splunk.com/t5/Splunk-Search/What-is-the-fastest-way-to-use-a-lookup-or-match-records-against/m-p/644173#M223131), however, in some cases, it could be hundreds of thousands of records so I'm hitting this 10k limit (sub search limit). So the question is What is a good way to match records against a secondary source, say a lookup file? I'm able to use lookup, of course, but feels like there might be a better way. To use a specific example, I have an index that has a phone number. I have a CSV file that puts those phone numbers in lists (like a directory). If want 'all numbers in TEST directory' and I know I'll have more than 10k rows, then I do this:     index=myindex more-criteria-to-try-and-reduce | lookup directory.csv number output list | search list="TEST"     While this works, it obviously runs pretty long and so just asking if a better way! Thank you!     ... View more