I have a Splunk search outputs result as follows.  Details link Product Details : Product 1:- ABC123 Product 2:- DEF456 abcd_website   Now how do I combine both the fields into 1 as follows  Details link Product Details : Product 1:- ABC123 link:- abcd_website Product 2:- DEF456 abcd_website The below eval condition giving me the result as follows      | eval Details = Details + link     Details link Product Details : Product 1:- ABC123 Product 2:- DEF456 link:- abcd_website abcd_website   I do not want to add that link at the end. but wanted that somewhere in the middle after a specific field. Also, I do not want to touch or edit the Details field although thats an easy way but it comes from a macro and which used by many searches. I am looking for an alternate way, so that I can update the Details for a specific search? ... View more

I have a Splunk search outputs result as follows.  Details link Product Details : Product 1:- ABC123 Product 2:- DEF456 abcd_website   Now how do I combine both the fields into 1 as follows  Details link Product Details : Product 1:- ABC123 link:- abcd_website Product 2:- DEF456 abcd_website   The below eval condition giving me the result as follows    | eval Details = Details + link     Details link Product Details : Product 1:- ABC123 Product 2:- DEF456 link:- abcd_website abcd_website   I do not want to add that link at the end. but wanted that somewhere in the middle after a specific field. Also, I do not want to touch or edit the Details field although thats an easy way but it comes from a macro and which used by many searches. I am looking for an alternate way, so that I can update the Details for a specific search? ... View more

I have a splunk query as below which contains a lot of backslashes index="ABC" os="Win" FileName="*\\Programs\\Startup\\*" | rex field=FileName "Users\\\(?<username>[^\\\]+)." Now, I now that when I tried to add this in savedseacrhes.conf it wont work as expected as in Splunk it breaks the line when it sees backslash.    Any suggestion on how we can add it to saved searches.conf  ?         ... View more

Hello,  I have installed a Eventgen App from Splunk base to our Heavy forwarder. The following are the details SA-EVENTGEN Version :- 7.2.1 Splunk Version :- 8.1.1 After installation. I am seeing the follow error messages related to the eventgen   ERROR ExecProcessor - message from "/cs/splunk/forwarder/bin/python3.7 /cs/splunk/forwarder/etc/apps/SA-Eventgen/bin/eventgen.py" SyntaxError: Missing parentheses in call to 'print'. Did you mean print('\n\nCaught kill, exiting...')? ERROR ExecProcessor - message from "/cs/splunk/forwarder/bin/python3.7 /cs/splunk/forwarder/etc/apps/SA-Eventgen/bin/eventgen.py" ERROR ExecProcessor - message from "/cs/splunk/forwarder/bin/python3.7 /cs/splunk/forwarder/etc/apps/SA-Eventgen/bin/eventgen.py" print '\n\nCaught kill, exiting...' ERROR ExecProcessor - message from "/cs/splunk/forwarder/bin/python3.7 /cs/splunk/forwarder/etc/apps/SA-Eventgen/bin/eventgen.py" File "/cs/splunk/forwarder/etc/apps/SA-Eventgen/bin/eventgen.py", line 113   Does anyone face the similar issue with SA-Eventgen? Looks like the Python version in Eventgen is no compatible or having some issues.  Any idea on how to troubleshoot or resolve these issues? ... View more

I have a field names "code_value" which has the values as follows    code_value ABC-123 JHLIK ABC-456 LKJF ABC-781 klklk ABC-22 olsd   Now how do I extract the code_value field anything that comes before a space? something like below  new_field_derived_from_code_value ABC-123 ABC-456 ABC-781 ABC-22 ... View more

On my replication bundle I have a whole list of unwanted files that exists from a particular App "XYZ" which are as shown below      apps/XYZ/bin/suds/mx/typer.pyc apps/XYZ/bin/suds/mx/encoded.py apps/XYZ/bin/suds/mx/__init__.pyc apps/XYZ/bin/suds/mx/literal.py apps/XYZ/bin/suds/mx/__init__.py apps/XYZ/bin/suds/options.py apps/XYZ/bin/suds/sudsobject.py     Now, how can i apply replicationblacklist to anything that is under the APP "XYZ" ?    distsearch.conf   [replicationBlacklist] ....   ... View more

I have a macro named X that uses the lookup in the search and produces the results as follows  indexes index IN ("ABC","DEF")   where as indexes is column name   Now I want to use the macro X result (index IN ("ABC","DEF")) in a separate search as follows    my_search | where `X` which should execute as below my_search | where index IN ("ABC","DEF")   Now how can I achieve that?   ... View more

I have a Splunk dashboard as follows with some input fields.  Now As you can see above by default the input value for host column is wild card * . Now, If I click the checkbox "show" under Latency validation check it will display a panel below it.  Now, as a good practice how do I disable executing the search when some one used the wild card in host input as the input will be used as a token for the search.  I mean only when a valid hostname is given as an input for Host the search should execute for the Latency Validation check.  Note :- Here I need the wild card as a default entry for host input as there are some other panels which uses that wild card but I only wanted to restrict the use of wild card to only one particular panel.    Code can be found below :-        <input type="text" token="host"> <label>Host</label> <default>*</default> </input> <input type="checkbox" token="overview"> <label>Latency Validation Check</label> <choice value="true">Show</choice> <change> <condition label="Show"> <set token="overview">true</set> </condition> </change> </input>       ... View more

Hi I have the following command in my query    My splunk search | eval message=IF((like(source,"ABC%") OR like(source,"DEF%")) AND avg_latency>120 ,"Host with more than 2 minutes Latency","")     where avg_latency is a field with values but for some reason the above condition is not working for me.    Could someone check if there is any format issue on my eval condition and let me know how I can make it correct? ... View more

I have a lookup sample.csv as follows whereas one of the host value is empty    Name  Host TEST_USER abc, def USER_1 * user_3 ghi   Now I use the lookup in a search. Now for the USER_1 Host I want to use the wild card. Using astrick symbol directly in the lookup doesn't working. Is there any way I can add a wild card for USER_1.  A little research on the Splunk docs gives me some inputs like I need to use props and transforms to do so. I don't have a props or transforms exists for that application. Can I create a condition in props, transforms just for the above purpose. If so what should be the stanzas should be in both the configuration files.    Any Help would be great.    ... View more

I have a csv file query as follows :-  | inputlookup file_1.csv which gives the result as follows in a single line as a single field or column  A B C D E F G H i j k l m n o p q r s t u v w x Now, I want to turn the above result as follows with multiple fields naming A, B,C,D,E,F,G,H basically what I am trying to acheive is convert the single field into multiple fields with each field name or field value is extracted based on a space separation in the single field from above? A B C D E F G H i j k l m n o p q r s t u v w x     ... View more

Can I use Web Terminal for Splunk (CLI) App in splunk to back fill summary indexes?   If so, what could be the sample command to backfill using CLI? ... View more