無事に解決しました. source. Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or. The coalesce command is essentially a simplified case or if-then-else statement. To alert when a synthetic check takes too long, you can use the SPL in this procedure to configure an alert. App for AWS Security Dashboards. Reply. Hello, I want to create a new field that will take the value of other fields depending of which one is filled. conf. Before switching to the new browser tab, highlight and copy the search from the tab you are in and paste it into the search bar in the new. The streamstats command calculates a cumulative count for each event, at the time the event is processed. You can't use trim without use eval (e. filename=statement. If you haven't manage to extract the JSON field just yet and your events look like the one you posted above, then try the following:Splunk search defines and adds calculated fields to events at search-time, and it processes calculated fields after it processes search-time field extractions. Hi @sundareshr, thank you very much for this explanation, it's really very useful. This example defines a new field called ip, that takes the value of. Using basic synthetic checks to ensure that URLs are returning the appropriate status (typically 200) and are within the appropriate response time to meet your SLAs can help detect problems before they are reported to the help desk. Download Sysmon from Sysinternals, unzip the folder, and copy the configuration file into the folder. You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands. Hello, I am working with some apache logs that can go through one or more proxies, when a request go through a proxy a X-forwarded-for header is added. GovSummit Is Returning to the Nation’s Capital This December: Here Are 5 Reasons to Attend. javiergn. The specified. How can I write a Splunk query to take a search from one index and add a field's value from another index? I've been reading explanations that involve joins, subsearches, and coalesce, and none seem to do what I want -- even though the example is extremely simple. Thanks for contributing an answer to Stack Overflow! Please be sure to answer the question. All DSP releases prior to DSP 1. Has tooltips and many configuration options such as optional breadcrumbs, label customisations and numerous color schemes. nullはSplunkにおいて非常にわかりづらい。 where isnull()が期待通りの動きをしなかったりする場合| fillnullで確認してみるとただの値がないだけかもしれません。 fillnullの話で終わって. 10-01-2021 06:30 AM. sourcetype contains two sourcetypes: EDR:Security EDS:Assets. qid. I used this because appendcols is very computation costly and I. SAN FRANCISCO – June 22, 2021 – Splunk Inc. Hi -. I think coalesce in SQL and in Splunk is totally different. We are getting: Dispatch Runner: Configuration initialization for splunkvar unsearchpeers really long string of letters and numbers took longer than expected. splunk中合并字段-coalesce函数 日志分析过程中,经常遇到同样的内容在不同的表或日志来源中有不同的命名,需要把这些数据梳理后才能统一使用。 下面是某OA厂商的数据库日志 process=sudo COMMAND=* host=*. 10-01-2021 06:30 AM. If you have already extracted your fields then simply pass the relevant JSON field to spath like this: | spath input=YOURFIELDNAME. Is there any way around this? So, if a subject u. When you create a lookup configuration in transforms. The data is joined on the product_id field, which is common to both. Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything, and D2E. I have a dashboard that can be access two way. append - to append the search result of one search with another (new search with/without same number/name of fields) search. 上記のデータをfirewall. coalesce:. Or you can try to use ‘FIELD. The simples way to do this would be if DNS resolution was available as an eval command and I could do something like eval src_host=coalesce(src_host, lookup(src_ip)). Calculates the correlation between different fields. For more information on Splunk commands and functions, see the product documentation: Comparison and Conditional functions. I'm trying to 'join' two queries using the 'stats values' for efficiency purposes. If you know all of the variations that the items can take, you can write a lookup table for it. Description: Specify the field name from which to match the values against the regular expression. If the first character of a signed conversion is not a sign or if a signed conversion results in no characters, a <space> is added as a prefixed to the result. Path Finder. Solved: Looking for some assistance extracting all of the nested json values like the "results", "tags" and "iocs" in. Give your automatic lookup a unique Name. 1. Datasets Add-on. logという名前のファイルにコピーし、以下のワンショットコマンドを使用. Here's the query I have that is getting results from two sourcetypes: index=bro (sourcetype=bro_files OR sourcetype=bro_FBAT7S1VCAkUPRDte2 | eval fuid=coalesce (resp_fuids, orig_fuids, fuid) | table fuid,. This is called the "Splunk soup" method. com in order to post comments. Sometimes this field is in english, sometimes in French, sometimes in Spanish and sometimes in German. Syntax. For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions . A macro with the following definition would be the best option. 質問62 このコマンドを使用して、検索でルックアップフィールドを使用し 質問63 少なくとも1つのREJECTイベントを含むトランザクション内のすべ. For example, when Snowflake released Dynamic Tables (in private preview as of November 2022), our team had already developed support for them. bochmann. eval var=ifnull (x,"true","false"). 0 Karma. The streamstats command is a centralized streaming command. Please try to keep this discussion focused on the content covered in this documentation topic. I've been reading the Splunk documentation on the 'coalesce' function and understand the principals of this. Match/Coalesce Mac addresses between Conn log and DHCP. I have a string field that I split into a variable-length multi-value, removed the last value and need to combine it back to a string. We're currently using Splunk ES, and would like to grab the link to a notable event's drilldown link on the ES Incident Review page without having to manually copy it. Tags:In your case it can probably be done like this: source="foo" | eval multifield = fieldA + ";" + fieldB | eval multifield = coalesce (multifield, fieldA, fieldB) | makemv multifield delim=";" | mvexpand multifield | table source fieldA fieldB multifield | join left=L right=R where L. 前置き. Coalesce is one of the eval function. Splunk Cloud. Usually to append final result of two searches using different method to arrive to the result (which can't be merged into one search)Since the Coalesce team is hyper-focused on optimizing for Snowflake alone, our product matches Snowflake’s rate of innovation, which stays well ahead of industry standards. As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Enterprise Security Content Update (ESCU) - New Releases In the last month, the Splunk Threat Research Team (STRT) has had three. Splunk Life | Celebrate Freedom this Juneteenth!. mvdedup (<mv>) Removes all of the duplicate values from a multivalue field. 07-12-2019 06:07 AM. You can replace the null values in one or more fields. The other is when it has a value, but the value is "" or empty and is unprintable and zero-length, but not null. Splexicon:Field - Splunk Documentation. This will fill a null value for any of name_1, name_2 or name_3, but since you don't want to actually fill the null value with an actual value, just use double quotes. If you are just trying to get a distinct list of all IPs in your data, then you could do something simple like: YOUR BASE SEARCH | | eval allips = coalesce (src_ip,dest_ip) | stats count by allips | fields - count. 2104. Sourcetype A contains the field "cve_str_list" that I want, as well as the fields "criticality_description" and "advisory_identifier". g. The cluster command is used to find common and/or rare events within your data. conf, you invoke it by running searches that reference it. I have a few dashboards that use expressions like. A Splunk app typically contains one or more dashboards with data visualizations, along with saved configurations and knowledge objects such as reports, saved searches, lookups, data inputs, a KV store, alerts, and more. Hi, I'm currently looking at partially complete logs, where some contain an article_id, but some don't. Sample data: Thu Mar 6 11:33:49 EST 2014 src_ip=1. 사실 저도 실무에서 쓴 적이 거의 없습니다. Hi I have a problem in Splunk's regex and I can't figure it out for the life of me. Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything, and D2E. This function receives an arbitrary number of arguments and then returns the initial value, and the initial value should not be a NULL. Can you please confirm if you are using query like the one below? It should either hit the first block or second block. g. Splunk Phantom is a Security Orchestration, Automation, and Response (SOAR) system. 3Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. subelement1 subelement1. Hi, You can add the columns using "addcoltotals" and "addtotals" commands. Doesn't "coalesce" evaluate the value of a field? Yes, coalesce can alias other field name. <your search that returns events with NICKNAME field> | lookup TEST_MXTIMING_NICKNAME. martin_mueller. Evaluates whether a value can be parsed as JSON. Prior to the. sourcetype=linux_secure. eval. index=security sourcetype=EDR:* | eval dest=coalesce (ip,ipaddress) | stats values (sourcetype) values (cvs) values (warning) values (operating_system) values (ID) by dest. | eval 'Gen_OpCode'=coalesce ('Boot_Degradation','Détérioration du démarrage','Información del arranque','Startbeeinträchtigung') |table Gen_OpCode. tonakano. 1. Return all sudo command processes on any host. If the event has ein, the value of ein is entered, otherwise the value of the next EIN is entered. " This means that it runs in the background at search time and automatically adds output fields to events that. You can use the asterisk ( * ) as a wildcard to specify a list of fields with similar names. to better understand the coalesce command - from splunk blogs. I am corrolating fields from 2 or 3 indexes where the IP is the same. Coalesce and multivalued fields - Splunk Community I'm seeing some weird issues with using coalesce in an eval statement with multivalued fields. Hello, I'd like to obtain a difference between two dates. Synonyms for COALESCE: combine, unite, fuse, connect, unify, join, couple, conjoin; Antonyms of COALESCE: split, separate, section, sever, divide, part, break up, resolveSplunk Enterprise Security: Re: Coalesce two fields with null values; Options. You can specify a string to fill the null field values or use. . Description. fieldC [ search source="bar" ] | table L. I have an input for the reference number as a text box. If you are looking for the Splunk certification course, you. I want to be able to present a statistics table that only shows the rows with values. Syntax: <string>. martin_mueller. Under Actions for Automatic Lookups, click Add new. Coalesce is an eval function that returns the first value that is not NULL. It is referenced in a few spots: SPL data types and clauses; Eval; Where; But I can't find a definition/explanation anywhere on what it actually does. Field1: Field2: Field3: Field4: Ok Field5: How can I write the eval to check if a f. I tried making a new search using the "entitymerge" command, but this also truncates the mv-fields, so I've gone back to looking at the "asset_lookup_by_str", and looking for fields that are on the limit, indicating that before. Tried: rearranging fields order in the coalesce function (nope) making all permissions to global (nope). So in this case: |a|b| my regex should pick out 'a. These two rex commands. The Resource Usage: Instance dashboard contains a table that shows the machine, number of cores, physical memory capacity, operating system, and CPU architecture. I want to write an efficient search/subsearch that will correlate the two. REQUEST. . NAME. Comparison and Conditional functions. See the solution and explanation from the Splunk community forum. Now your lookup command in your search changes to:How to coalesce events with different values for status field? x213217. The results of the search look like. The eval command calculates an expression and puts the resulting value into a search results field. It is referenced in a few spots: SPL data types and clauses; Eval; Where; But I can't find a definition/explanation anywhere on what it actually does. Explorer 04. COVID-19 Response. My query isn't failing but I don't think I'm quite doing this correctly. 6. Use either query wrapping. It is a versatile TA that acts as a wrapper of MISP API to either collect MISP information into Splunk (custom commands) or push information from Splunk to MISP (alert actions). If no list of fields is given, the filldown command will be applied to all fields. For information about Boolean operators, such as AND and OR, see Boolean. 0 Karma. By your method you should try. Conditional. Still, many are trapped in a reactive stance. I have 3 different source CSV (file1, file2, file3) files. @anjneesharma, I beg to differ as this does not seem to be your requirement, this seems to be your code. Our sourcetype has both primary and secondary events, and we use a common logID between them if they are related. Apparently it's null only if there is no location info whatsoever, but the empty string if there is some location info but no city. coalesce (field, 0) returns the value of the field, or the number zero if the field is not set. IN this case, the problem seems to be when processes run for longer than 24 hours. Splunk software performs these operations in a specific sequence. The fields are "age" and "city". But I don't know how to process your command with other filters. More than 1,200 security leaders. Product Splunk® Cloud Services Version Hide Contents Documentation Splunk ® Cloud Services SPL2 Search Reference Multivalue eval functions Download topic as PDF. I've been reading the Splunk documentation on the 'coalesce' function and understand the principals of this. Kind Regards Chriscorrelate Description. Solution. 08-28-2014 04:38 AM. Hi @neerajs_81, yes, the solution is the one of my previous answer: you have to use eval coalesce command : your_search | rename "Non-empID" AS Non_empID | eval identity=coalesce (empID,Non_empID) | stats values (First) AS First last (Last) As Last BY identity. The <condition> arguments are Boolean expressions that are evaluated from first to last. Also I tried with below and it is working fine for me. Submit Comment We use our own and third-party cookies to provide you with a great online experience. On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. Perhaps you are looking for mvappend, which will put all of the values passed to it into the result: | eval allvalues=mvappend (value1, value2) View solution in original post. This field has many values and I want to display one of them. Notice how the table command does not use this convention. second problem: different variables for different joins. sourcetype: source1 fieldname=src_ip. See the Supported functions and syntax section for a quick reference list of the evaluation functions. index=index1 TextToFind returns 94 results (appear in field Message) index=index2 TextToFind returns 8 results (appear in field. UPDATE: I got this but I need to have 1 row for each WF_Label(New,InProgress,Completed) that includes the WF_Step_Status_Date within. Yes, you can do this in the CLI by piping to a series of regex commands back-to-back with the same capture name. It seems like coalesce doesn't work in if or case statements. Strange result. In file 2, I have a field (city) with value NJ. I'm seeing some weird issues with using coalesce in an eval statement with multivalued fields. I have one index, and am searching across two sourcetypes (conn and DHCP). The interface system takes the TransactionID and adds a SubID for the subsystems. I **can get the host+message+ticket number to show up in the timechart with the following query - howev. Field names with spaces must be enclosed in quotation marks. For information on drilling down on field-value pairs, see Drill down on event details . I've had the most success combining two fields the following way. Unless you’re joining two explicit Boolean expressions, omit the AND operator because Splunk assumes the space between any two search. 1) Since you are anyways checking for NOT isnull(dns_client_ip) later in your Search, it implies that you are only expecting events with dns_request_client_ip. To learn more about the rex command, see How the rex command works . Ciao. 02-08-2016 11:23 AM. 概要. Multivalue eval functions. Remove duplicate search results with the same host value. Tags: splunk-enterprise. index= network sourcetype= firewall The source IP field is "src" sourcetype= logins The source IP field is "src_ip". which I assume splunk is looking for a '+' instead of a '-' for the day count. . While the Splunk Common Information Model (CIM) exists to address this type of situation,. Anything other than the above means my aircode is bad. your JSON can't be extracted using spath and mvexpand. I would get the values doing something like index=[index] message IN ("Item1*", "Item2*", "Item3") | table message |dedup message and then manually coalesce the values in a lookup table (depending on the structure of the data, you may be able to use a. For information about Boolean operators, such as AND and OR, see Boolean. I have a few dashboards that use expressions like. These two rex commands are an unlikely usage, but you would. However, this logID field can be named in two different ways: primary. Perhaps you are looking for mvappend, which will put all of the values passed to it into the result: | eval allvalues=mvappend (value1, value2) View solution in original post. x. EvalFunctions splunkgeek - December 6, 2019 1. If it does not exist, use the risk message. COMMAND as "COMMAND". Use a <sed-expression> to match the regex to a series of numbers and replace the numbers with an anonymized string to preserve privacy. I have a dashboard with ~38 panels with 2 joins per panel. Splunk won't show a field in statistics if there is no raw event for it. Null is the absence of a value, 0 is the number zero. However, I edited the query a little, and getting the targeted output. . Outer Search A, Contact Column x Subsearch B, Contact Column y Join condition c. I am trying to write a search that if the field= Email then perform a coalese, but if the field isn't Email- just put in the field- below is what I have written. The CASE () and TERM () directives are similar to the PREFIX () directive used with the tstats command because they match. |rex "COMMAND= (?<raw_command>. I am not sure which commands should be used to achieve this and would appreciate any help. 2) index=os_windows Workstation_Name="*"| dedup Workstation_Name | table Workstation_Name | sort Workstation_Name. Hi, I wonder if someone could help me please. Sometimes this field is in english, sometimes in French, sometimes in Spanish and sometimes in German. The following are examples for using the SPL2 rex command. x. eval fieldA=coalesce(fieldA,"") Tags (3) Tags: coalesce. I've had the most success combining two fields the following way. . Then try this: index=xx ( (sourcetype=s1 email=*) OR (sourcetype=s2 user_email=*)) | eval user_id=coalesce (email,user_email) In addition, put speciat attention if the email field cound have null values, becuase in this case the coalesce doesn't work. In your. Try to use this form if you can, because it's usually most efficient. e. Comp-1 100 2. 1 Karma. mvappend (<values>) Returns a single multivalue result from a list of values. I want to join events within the same sourcetype into a single event based on a logID field. Sourcetype A contains the field "cve_str_list" that I want, as well as the fields "criticality_description" and "advisory_identifier". field token should be available in preview and finalized event for Splunk 6. Follow. Locate a field within your search that you would like to alias. Comparison and Conditional functions: commands(<value>) Returns a multivalued field that contains a list of the commands used in <value>. multifield = R. 01-04-2018 07:19 AM. This example uses the pi and pow functions to calculate the area of two circles. What's the problem values in column1 and column2? if this is the problem you could use an eval with coalesce function. The streamstats command is similar to the eventstats command except that it uses events before the current event to compute the aggregate statistics that are applied to each event. Solution. The simples way to do this would be if DNS resolution was available as an eval command and I could do something like eval src_host=coalesce(src_host, lookup(src_ip)). Typically, you can join transactions with common fields like: But when the username identifier is called different names (login, name, user, owner, and so on) in different data sources, you need to normalize the field names. Click Search & Reporting. Both of those will have the full original host in hostDF. This is the name of the lookup definition that you defined on the Lookup Definition page. The code I put in the eval field setting is like below: case (RootTransaction1. Path Finder. Here is our current set-up: props. It will show as below: Subsystem ServiceName count A booking 300 A checkin 20 A seatassignment 3 B booking 10 B AAA 12 B BBB 34 B CCC 54. If the standard Splunk platform configurations and knowledge objects don't address your specific needs, you can develop custom. Try the following run anywhere dashboard:The dataset literal specifies fields and values for four events. SAN FRANCISCO – April 12, 2022 – Splunk Inc. この例では、ソースIPを表す、ばらばらなキーをすべて「coalesce (合体)」して、src_ipという共通の名前にまとめ、統計計算を行いやすいようにします。. When the first <condition> expression is encountered that evaluates to TRUE, the corresponding <value> argument is returned. Null values are field values that are missing in a particular result but present in another result. where. The left-side dataset is the set of results from a search that is piped into the join. I would like to be able to combine the results of both in a stats table to have a line item contain info from both sourcetypes:There are duplicated messages that I'd like to dedup by |dedup Message. (Thanks to Splunk user cmerriman for this example. Coalesce function not working with extracted fields. Anything other than the above means my aircode is bad. I've been reading the Splunk documentation on the 'coalesce' function and understand the principals of this. Hi Splunk experts, I have below usecase and using below query index=Index1 app_name IN ("customer","contact") | rex Table1 from Sourcetype=A. xml -accepteula. Using a Splunk multivalue field is one way, but perhaps the answer given by another poster where you. The following list contains the functions that you can use to perform mathematical calculations. 01-09-2018 07:54 AM. 1. There are easier ways to do this (using regex), this is just for teaching purposes. You can also combine a search result set to itself using the selfjoin command. And this is faster. Any ideas? Tags:. VM Usage Select a Time Range for the X-axis: last 7 daysHi Splunk community, I need to display data shown as table below Component Total units Violated units Matched [%] Type A 1 1 99 Type B 10 10 75 Type C 100 85 85 Total 111 96 86 In the total row, the matched value is the average of the column, while others are the sum value. If this is not please explain your requirement as in either case it will be different than your question/original post for which community. Community; Community; Splunk Answers. csv | stats count by MSIDN |where count > 1. As you will see in the second use case, the coalesce command normalizes field names with the same value. However, you can optionally create an additional props. Currently the forwarder is configured to send all standard Windows log data to splunk. 0 use Gravity, a Kubernetes orchestrator, which has been announced end-of. If. Security is still hard, but there's a bright spot: This year, fewer orgs (53%, down from 66%) say it's harder to keep up with security requirements. SAN FRANCISCO – June 22, 2021 – Splunk Inc. sourcetype="app" eventtype in (event_a,event_b,event_c) | stats avg (time_a) as "Avg Response Time" BY MAS_A | eval Avg Response Time=round ('Avg Response Time',2) Output I am getting from above search is two fields MAS_A and Avg Response Time. View solution in original post. Regular expressions allow groupings indicated by the type of bracket used to enclose the regular expression characters. Null is the absence of a value, 0 is the number zero. 필요한 경우가 많지 않은데다 다른 대체 방법들을 활용할 수도 있으니 그렇겠죠. For information about using string and numeric fields in functions, and nesting functions, see Overview of SPL2 eval functions. 87% of orgs say they’ve been a target of ransomware. It flags to splunk that it is supposed to calculate whatever is to the right of the equals sign and assign that value to the variable on the left side of the equals sign. 1. Kindly try to modify the above SPL and try to run. ~~ but I think it's just a vestigial thing you can delete. 0 Karma. Challenges include: Just 31% say they have a formal approach to cyber resilience that has been instituted organization-wide. That's why your fillnull fails, and short-hand functions such as coalesce() would fail as well. 02-27-2020 07:49 AM. COMMAND ,host,SVC_ID,check |rename DELPHI_REQUEST. . You can add text between the elements if you like:COALESCE () 함수. Splunk では対象のフィールドに値が入っていない場合、 NULL として扱われます。 この NULL は、空文字列や 0 とは明確に別のものです。 今回は判定処理においてこの NULL を処理した場合の挙動について紹介して. Still, many are trapped in a reactive stance. Hi, I have the below stats result. 4. Normalizing non-null but empty fields. Hi gibba, no you cannot use an OR condition in a join. 1 subelement2. conf and setting a default match there. fieldC [ search source="bar" ] | table L. especially when the join. Kind Regards Chris05-20-2015 12:55 AM. You can cancel this override with the coalesce function for eval in conjunction with the eval expression. Both of those will have the full original host in hostDF. 概要. See the solution and explanation from. coalesce(<values>) This function takes one or more values and returns the first value that is not NULL. Merge Related Data From Two Different Sourcetypes Into One Row of A Table. SplunkTrust. The verb coalesce indicates that the first non-null v. So, please follow the next steps. Description. The example in the Splunk documentation highlights this scenario: Let's say you have a set of events where the IP address is extracted to either clientip or ipaddress. pdf ===> Billing. Security is still hard, but there's a bright spot: This year, fewer orgs (53%, down from 66%) say it's harder to keep up with security requirements. You could try by aliasing the output field to a new field using AS For e. Path Finder. Solved: Hi I use the function coalesce but she has very bad performances because I have to query a huge number of host (50000) I would like to find COVID-19 Response SplunkBase Developers DocumentationNew research, sponsored by Splunk and released today in The State of Security 2021, provides the first look into the post-SolarWinds landscape. Common Information Model Add-on. Splunk Coalesce Command Data fields that have similar information can have different field names. 2. Following is run anywhere example with Table Summary Row added. Splunk offers more than a dozen certification options so you can deepen your knowledge. App for Lookup File Editing. Coalesce: Sample data: What is the Splunk Coalesce Function? The definition of coalesce is “To come together as a recognizable whole or entity”. 02-08-2016 11:23 AM. See why organizations trust Splunk to help keep their digital systems secure and reliable. Plus, field names can't have spaces in the search command. At index time we want to use 4 regex TRANSFORMS to store values in two fields. Use CASE, COALESCE, or CONCAT to compare and combine two fields. Reply. COALESCE is the ANSI standard SQL function equivalent to Oracle NVL. You can also know about : Difference between STREAMSTATS and EVENTSTATS command in SplunkHi! Anyone know why i'm still getting NULL in my timechart? The lookup "existing" has two columns "ticket|host_message". . Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. | inputlookup inventory. If you are an existing DSP customer, please reach out to your account team for more information. Cases WHERE Number='6913' AND Stage1 = 'NULL'. In this example the. TRANSFORMS-test= test1,test2,test3,test4. Learn how to use it with the eval command and eval expressions in Splunk with examples and explanations. How to generate a search to find license usage for a particular index for past 7 days sorted by host and source? Particular indexer is pumping lot of data recently, we want to have a report for the index by host and source for the past 7 days. All containing hostinfo, all of course in their own, beautiful way. GovSummit is returning to the nation’s capital to bring together innovative public sector leaders and demonstrate how you can deliver. One of these dates falls within a field in my logs called, "Opened". In the context of Splunk fields, we can. 12-19-2016 12:32 PM. 01-20-2021 07:03 AM. Usage. Object name: 'this'. sourcetype=MSG. firstIndex -- OrderId, forumId. This function receives an arbitrary number of arguments and then returns the initial value, and the initial value should not be a NULL. sm.