@yuanliu ,

Hi, The above query combines information from internal logs, notable events, and saved searches to provide an overview of notable events, their associated saved searches, and relevant metadata such as last modified time and last modified by. It aims to assist in monitoring and managing notable events and saved searches within the Splunk environment, especially within the Splunk Enterprise Security Suite.

The data source for the Splunk query you provided can be inferred from the different subqueries and commands used in the query. Here's a breakdown of the data sources involved:

Subquery 1 (multisearch):

The first subquery searches the _internal index and looks for events with the splunkd_ui_access sourcetype. It retrieves logs related to UI access and Splunkd services.
This data source typically includes internal logs generated by Splunk itself, providing information about system activity and user interactions with the Splunk UI.
Subquery 2:

The second subquery searches an index referred to as notable and filters out certain event types related to notable event suppression.
The specific index name and its contents depend on your Splunk configuration and any customizations you may have made. It is likely related to notable events generated by the Splunk Enterprise Security Suite or a similar security-focused application.
Subquery 3:

The third subquery uses the REST API to retrieve saved searches specifically from the /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches endpoint.
This data source corresponds to saved searches configured within the Splunk Enterprise Security Suite app. The app typically stores saved searches in the app-specific namespace.
Overall, the data sources for this query include internal logs from Splunk (_internal index), notable events (custom index), and saved searches from the Splunk Enterprise Security Suite app

"Last Modified Time" and "Last Modified By" values  not showing in my result.

Let's focus on "Last Modified Time" and "Last Modified by" that is only produced in the first subsearch and ignore all the rest for now.  If you run that search alone,

index=_internal sourcetype=splunkd_ui_access splunkd servicesNS saved searches method=POST
| regex uri="/[^/]*/splunkd/__raw/servicesNS/[^/]*/[^/]*/saved/searches/[^/ ]*$"
| rex field=uri "/[^/]*/splunkd/__raw/servicesNS/[^/]*/[^/]*/saved/searches/(?<search_encoded>[^/\? ]*)"
| eval Title=urldecode(search_encoded)
| rename user as "Last Modified By"
| eval "Last Modified Time"=strftime(_time,"%b %d, %I:%M %p")
| fields Title "Last Modified By" "Last Modified Time"

Does this return any "Last Modified By" and "Last Modified Time"?  Can you illustrate some sample output (anonymize as necessary).

Similarly, illustrate sample output from other subsearches if they are relevant to the question.  Because the last part of your illustrated code uses stats with groupby Title, illustrate that all subsearches include some of same values of Title.