Hi, I have a particular service which we triggered occasionally and I would like to know the earliest time of every time it gets kick off for e.g  For e.g following is the data: _time service message Host 2022-07-08T05:47:22.029Z abc calling service 123 host123.com 2022-07-08T05:49:17.029Z abc Talking to service 123 host123.com 2022-10-11T01:00:39.029Z abc calling service 123 host123.com 2022-10-11T01:02:46.029Z abc Talking to service 123 host123.com   The expected data outcome would be: Host starting_time host123.com 2022-07-08T05:47:22.029Z host123.com 2022-10-11T01:00:39.029Z   I am aware I have to use streamstats somewhere. But given all the other fields are identical earliest time by host wont work. Also I am backdating the data for 6 months so I need something that is bit efficient. I only care about starting_time of the service of each time the service starts. ... View more

Hi, I have SPL which includes just using bunch of lookups and producting following data: _time turnaround_time diff_time customer product_to product_from 2022-06-30 04:04:43.399 2022-06-30 04:12:53.556 490.156810 nike cat dog 2022-07-07 05:15:14.209 2022-07-07 05:31:22.881  968.671302 adidas bear   cat I have got another lookup jira_data.csv which contains Jira data associated with it: Ticket customer Summary Status Created Resolved Updated COW-245 nike customer complaining open 2022-06-30 03:04:43.399 - 2022-06-30 03:21:43.399 COW-456 nike product change closed 2022-06-30 02:04:43.399  2022-06-30 07:04:43.399 2022-06-30 07:20:43.399   I am attempting to do follow: Use turnaround_time and lookup in the jira_data.csv and find all jiras if turnaround_time is around 2h back or front of Resolved.  In this example I am expecting COW-456 as an output. ... View more

Hi, I have following data which I use search to find from last 30 days and save it into lookup:  Customers Old Acquired Product New Acquired Product Jack Product 1 Product 2 Alan  Product 4 Product 5 Chris Product 3 Product 2 Ceb Product 5 Product 3   Now, I know every day or every few days each customers products are changing as they are acquiring new products. Here is what I want to do: Create saved search  Modifying existing lookup to ensure each customer key value update accordingly: For e.g. next day customer Jack and chris acquired new product. So saved search schedule will pick up the change and update the lookup as follow: Customers Old Acquired Product New Acquired Product Jack Product 2 Product 4 Alan  Product 4 Product 5 Chris Product 3 Product 2 Ceb Product 3 Product 2 i know i have to use outputlookup and lookup command but i have fear it is going to overwrite it.  ... View more

Hi, I have following data: And I am trying to create SPL which gets me following result: I tried eventstate and stats command but not getting where i wanted. ... View more

As title suggest, i want to index internal logs only and forwards all other logs to forwarders or idxs. Here is the setup : I have one cluster and three indexes setup seperately outside cluster. Cluster has CM, SH and three indexers. Those Three indexers i want to use as Heavy forwarder to send all logs out to external indexes Following is default output.conf: [tcpout] maxQueueSize = auto forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup) forwardedindex.filter.disable = false indexAndForward = false Here is what I have done outputs.conf   [tcpout] defaultGroup=noforward disabled=false [indexAndForward] index=true selectiveIndexing=true [tcpout:forwarders] server:<forwarders>:9997       Below is my props.conf     [default] TRANSFORMS-forwardit = forwardit [host::*.foo.splunk.com] TRANSFORMS-routing = indexing     Below is transforms.conf     [forwardit] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = forwarders [indexing] REGEX = . DEST_KEY = _INDEX_AND_FORWARD_ROUTING FORMAT = local       Essentially all internal indexes should stay within cluster indexes but rest of index or logs forwarded to external indexes. ... View more

Hi, I have two entries for this productid, Is it possible to consolidate to one entry maybe with evals? productid field1 field2 field3 abc test     abc   week1 3   ... View more

Hi, We are going to deploy changes which will delete certain package from instance. We want to know whether this package is getting deleted after the changes goes through. We are capturing this data in Splunk.  So Let's say we have package=abc We can find if package exist using following SPL:     index=osstats sourcetype=package "abc" | bin _time span=1d | multikv fields NAME | eval package_exist=if(like(NAME,"abc%"),1,0) | eval package_name=if(like(NAME,"abc%"),NAME,NULL) | stats count by _time host package_exist package_name     Following index is polling data hourly therefore if search for last 24 hours, it will report count=24, host=abc.com,package_exist=1, package_name=abc Now I have created lookup table from this for last 1 year worth of data.  What i want to know is, suppose I have host (doesn't have to be part of above query), I want to check if it had package earlier and now it is getting removed.  I am not sure how I can go above doing that.  ... View more

Hi, So I am trying to build SPL for how long does it take to restart splunk. BIt of context, We do sometimes do rolling restart through Cluster Master. So I am trying to determine, how long does rolling restart take.    So far from research, I can find splunk starting log from splunkd event. But that's just tells me one instance splunk starting. But i can't find logs from when splunk is shutting down.  ... View more

Hi I have following LARGE lookup with over 1000 entries |host | type | |host1 |            | |host2 |            | |host3 |            | I have SPL query which returns in json format:   { type: big tags: { address: host1 } }     I need to append my lookup table if host=tags.address then append type=big.  Result of my lookup: |host | type | |host1 |   big   | |host2 |            | |host3 |            | Note: SPL query is very big and i need to lookback data at least 1 year back. I only care about filling my lookup table.  Some of the hosts latest entry maybe 2 months ago and some 8 months ago. ... View more

Hi, I am following https://github.com/splunk/dashboard-conf19-examples I am expecting Dashboard Examples .conf 2019 appear in Splunk. however I am not seeing any app. i have done following: installed node js 12 version in windows. Copied app from https://github.com/splunk/dashboard-conf19-examples to /etc/apps/ Restarted splunk Still having issues. ... View more