I am currently working with data from SendGrid Event API that is being ingested into Splunk. The data includes multiple email events (e.g., delivered, processed) wrapped into a single event, and this wrapping seems to happen randomly.   Here is a sample of the data structure:     [ { "email": "[email protected]", "event": "delivered", "ip": "XXX.XXX.XXX.XX", "response": "250 mail saved", "sg_event_id": "XXXX", "sg_message_id": "XXXX", "sg_template_id": "XXXX", "sg_template_name": "en", "smtp-id": "XXXX", "timestamp": "XXXX", "tls": 1, "twilio:verify": "XXXX" }, { "email": "[email protected]", "event": "processed", "send_at": 0, "sg_event_id": "XXXX", "sg_message_id": "XXXX", "sg_template_id": "XXXX", "sg_template_name": "en", "smtp-id": "XXXX", "timestamp": "XXXX", "twilio:verify": "XXXX" } ] I am looking for a query that can help me extract the email, event, and response (reason) fields from this data, even when multiple events are wrapped into a single event entry.   Could anyone please provide guidance on the appropriate Splunk query to achieve this? ... View more

Hi Team,  I have a field "duration". There are lot of APIs for which this field is populated can i use the Detect outliers to find out out high duration instances in the last 7 days based on API name. As i am new to this. i don't know how to start. can someone help? ... View more

Hi, I want to create alert when for 5 consecutive minutes the threshold breaches 70% ? The query I wrote is: sourcetype="os" identity_operation="GetUser" minutesago= 1 | eval EndpointName = "Get User" | stats count by EndpointName | eval message = case(count >= 1 * 1200,"100% alert", count >= 0.9 * 1200,"90% alert", count >= 0.8 * 1200,"80% warning", count >= 0.7 * 1200,"70% warning") ... View more

Hi  I have a lookup having two fields | inputlookup ID-Client-Lookup.csv | fields ClientId ClientName I have a base search sourcetype="oxygen-standard" | regex AllClientIDs="^[a-z0-9A-Z]{2,}$" | stats count by AllClientIDs I want a query which will take each ClientIDs from my base search and the search in the lookup and give me the Client Names Can anyone help? ... View more

Hi, How can i write this statement | eval protocolUsed = case( regex consumerkey="[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}","O1", regex consumerkey="^[a-z0-9A-Z]{2,}$", "O2")) ... View more

I have three queries: Overall Traffic to LogOn page sourcetype="od" operation=LogOn http_method=GET http_url="*LogOn*" |  timechart count span=1m OAuth1 Traffic to LogOn page sourcetype="od" operation=LogOn http_method=GET http_url="*LogOn*" http_url!="*authorization.ping*" identity_consumer_key!="" |  timechart count span=1m OAuth2 Traffic to LogOn page This is what i wrote sourcetype="oxygen-standard" identity_operation=LogOn http_method=GET | eval url= case(http_url=="*LogOn*","Overall", http_url=="*LogOn*" http_url!="*authorization.ping*" identity_consumer_key!="","OAuth1", http_url=="*authorization.ping*","OAuth2") | stats count by url It is not allowing multiple checks in one case sourcetype="od" operation=LogOn http_method=GET http_url="*authorization.ping*"  | timechart count span=1m How can i combine these three to show in one timechart? ... View more

I have two lookups RLQuotas: Endpoint, Endpoint Name, filter, quota, Window RLFilters: Attribute, filter I want to loop through all the endpoints. all endpoints have a specific window, quota and filter and i am searching it based on filter attribute I want output fields Endpoint Name, filter, Quota This is the query i came up with | inputlookup ID-RL-Quotas | lookup ID-RL-Filters Filter | fields Endpoint, "Endpoint Name", Attribute, Window, Quota, Filter | rename "Endpoint Name" as EndpointName | map [| eval Window = tonumber($Window$) | search sourcetype="some" http_url = "$Endpoint$" minutesago=Window | eval ip = mvindex(split(http_remoteip,","),0) | eval EndpointName = "$EndpointName$" | eval WindowI ="$Window$" | eval QuotaI="$Quota$" | eval FilterI="$Filter$" | search $Attribute$ = "*" | stats values(EndpointName) as "Endpoint Name", values(FilterI) as Filter, values(WindowI) as Window, values(QuotaI) as Quota, count by $Attribute$ | where count >= 0.8 * $Quota$ | sort -count] maxsearches=10000 This only gives me one filter output not all ... View more

I have a lookup table with three columns Endpoints, Rate, Window I want to get the window value for a particular endpoint provided by me which i will use in my main query The Query looks like this sourcetype="blabla" http_url = "some endpoint" minutesago= |inputlookup SomeFile.csv | search Endpoint = "Some endpoint" | return Window I get an error running this query Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side. Can anyone help? ... View more

i want update a text box based on section from dropdown list ... View more