Hi @aasserhifni , sorry but I don't understand: have you a Search Head Cluster or not? if you have a SHC you cannot directly install an app on a SH, and removing passes throgh the Deployer, if you don't have a SHC, you can remove an app, only removing the foder and restarting Splunk. Ciao. Giuseppe

Hi, @PickleRick. The threatq app was only installed on a single search head neither the deployer nor the search heads captain. I tried removing everything related to threatq multiple times from this search head but these file keep appearing again and also there is no disable option when I try to disable the threatq app or anything related to it from the search head gui

Hi, @gcusello . Sorry for my late reply. I already tried your solution but still have the same issue. Also mentioning that the threatq app was installed on a single search head not the deployer or the search head captain

We're getting somewhere As you can see some non-zero values, it means that some data is indeed being received by the udp input. Now we need to find where it goes to. By the fact that it's a windows installation and because it's called "DESKTOP-something" I assume that it's your private test box and you're not having a lot of data on it. So you can run a index=* search over "All time (real-time)" - this is one of the very very rare cases where real-time search makes sanes. Very important - don't try this on any production or heavily loaded test box. With this you can see the events as they come into your Splunk box (so if your events are rare you might to wait a while). Check the index, source, sourcetype and timestamp of the incoming events. Another way to find where those events are could be to run | tstats count where index=* by source sourcetype index  

Hi @anandhalagaras1 , you could try something like this: index="abc" ("Restart transaction item" OR "Error restart workflow item:" OR "Restart Pending event from command,") | rex field=_raw "Restart transaction item: (?<Step>.*?) \(WorkId:" | rex field=_raw "Error restart workflow item: (?<Success>.*?) \(WorkId:" | rex field=_raw "Restart Pending event from command, (?<Failure>.*?) \Workid" | stats count(eval(searchmatch("Restart transaction item"))) AS "Step" count(eval(searchmatch("Error restart workflow item:"))) AS "Success" count(eval(searchmatch("Restart Pending event from command,"))) AS "Failure" Ciao. Giuseppe

Hi @Abhishek627 , as @PickleRick said, UBA is a premium App, so you can download only if you did an order or if you are a certified partenr and you have an NFR license. Anyway, I experienced that the installazion of UBA is a very much difficoult job, even if is very well decribed in documentation, with many constraints (e.g. the OS version or the presence of al the data it requests): usually the installation and configuration is a job for PS. Ciao. Giuseppe

Well, there are no miracles. I understand that the packets show up on the interface but apparently are not picked up by Splunk. Question is whether it listens on the port at all (even though the input is defined, something might be preventing Splunk from binding to the port). Did you verify with netstat that the Splunk process is actually listening on this port? (BTW, I don't remember if you don't need to restart splunkd after adding the input using WebUI or REST. You must do so if you change inputs by config files).

I tried to query " index=_internal source=*metrics.log group=udpin_connections 192.168.3.5 It did not come back with anything. I believe i have configured the data input correctly and pointing to right index

That dump looks pretty much OK. Are you 100% sure your udp:514 input sends to the right index? You can also try to find reports about that particular source of syslog data with index=_internal source=*metrics.log group=udpin_connections 192.168.3.5 If Splunk is receiving data from this host on that udp input, you should get some results with metrics field like _udp_bps,  _udp_eps and so on.

Hi @inventsekar, I can't reproduce the issue with an ASCII newline:     | makeresults | eval _raw="நாணாமை நாடாமை நாரின்மை யாதொன்றும் பேணாமை பேதை தொழில்".urldecode("%0A") | rex max_match=0 "(?<char>(?=\\S)\\X)" | eval len=mvcount(char) ``` len == 23 ```     What characters are present in char? If you have whitespace characters not included in the class [^\r\n\t\f\v ] (the final character is a space), you may need to replace \S with the class form and include e.g. Unicode newlines:     | rex max_match=0 "(?<char>(?=[^\\r\\n\\t\\f\\v \\x0b\\x85])\\X)"     I don't know if it's perfect, but it works with this:     | makeresults | eval _raw="நாணாமை நாடாமை நாரின்மை யாதொன்றும் பேணாமை பேதை தொழில்".urldecode("%E2%80%A8") | rex max_match=0 "(?<char>(?=[^\\r\\n\\t\\f\\v \\x0b\\x85])\\X)" | eval len=mvcount(char) ``` len == 23 ```     Edit: This is simpler and lets PCRE decide what a Unicode newline is:   | rex max_match=0 "\\R|(?<char>(?=\\S)\\X)" | eval len=mvcount(char) But given that optimization, we can just remove the positive lookahead completely for a faster regex: | rex max_match=0 "\\R|\\s|(?<char>\\X)" | eval len=mvcount(char)