It's terrible, they're not easily accessible except through the UI.  It's a big ... sore spot for some of us who need to use these in a more programmatic way. But, there is a way using the REST interface from cURL. curl -k -u <username>:<password> https://localhost:8089/servicesNS/nobody/splunk_app_db_connect/storage/collections/data/dbx_db_input Obviously fix the username and password to an admin one, and your hostname if it's not on localhost.  You might want to pipe that through jq to 'pretty print' it if you have jq installed because otherwise it's all smashed together and hard to read: curl -k -u <username>:<password> https://localhost:8089/servicesNS/nobody/splunk_app_db_connect/storage/collections/data/dbx_db_input | jq .  You can also see only an individual one if you append the _key's value for the one you want to the end.  (The _key comes from the output of one of the earlier commands.) curl -k -u <username>:<password> https://localhost:8089/servicesNS/nobody/splunk_app_db_connect/storage/collections/data/dbx_db_input/6452ce6e55102d0ad735ec31 | jq . You can also delete them or edit them, though ... obviously be careful and do this in a test environment at first! curl -k -u <username>:<password> https://localhost:8089/servicesNS/nobody/splunk_app_db_connect/storage/collections/data/dbx_db_input/6452ce6e55102d0ad735ec31 -X DELETE And I've not found a good way to "edit" them, but it's pretty trivial to just edit the JSON you get from an individual entry, and load that back in wholesale. curl -k -u <username>:<password> https://localhost:8089/servicesNS/nobody/splunk_app_db_connect/storage/collections/data/dbx_db_input -d '{ "inputName" : "newEntryforMyDB", "value" : "200", "appVersion" : "3.16.0", "columnType" : 4, "timestamp" : "2024-03-21T13:11:41.633-05:00", "_user" : "nobody", "_key" : "65fc6ce1764e95450b0d98e1" }' -H "Content-Type: application/json" Which would overwrite entry 65fc6... with that new information. Happy Splunking, Rich  

Your *exact* example doesn't make much sense - why would y-d be y1 instead of y2? But at least some of this may be as simple as "makemv" and/or "mvexpand". In your example, it appears as if abcde are all multi-value fields (the "mv" in the two above commands).  If that's so, ... | mvexpand parameter should make the original into 13 rows.  Once they're separated, perhaps there's some other eval/conditionals you can use to get each output row to include the correct value? If that doesn't work, you may need something like ... ... | makemv delim=" " parameter | mvexpand parameter In any case I think you'll be two steps closer and we can iterate from there.   happy Splunking, Rich

@yuanliu apologies my bad - moving inputlookup at the end is returning all results (NOT just search results)   index="demo1" source="demo2" | rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" | search test_field_name="test_field_name_1" | table _raw id_num | reverse | filldown id_num [inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format]    Could you please help ?

@yuanliu Thank you for your response again. Apologies for my wording if it created any confusion. I will be more careful going forward. You're right, I meant my search did not return any results in my context.  This query returned my matching search results events . I noticed that id_num field in the search results was blank as I was using filldown to populate id_num fields   index="demo1" source="demo2" [inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format] | rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" | search test_field_name="test_field_name_1" | table _raw id_num | reverse | filldown id_num     I moved lookup at the end after filldown and I see id_num field as well in search results table     index="demo1" source="demo2" | rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" | search test_field_name="test_field_name_1" | table _raw id_num | reverse | filldown id_num [inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format]      

I'm also having a similar problem. The "user menu" for my Splunk UI is simply not there. With this being the case, I'm not able to change my preferences or simply logout. Any help would be greatly appreciated. 

First, please do not use phrases like "does not work" because it conveys little information in the best scenario.  There are many ways a search "does not work".  There could be an error message.  There could be no error, and no output.  There could be output, but not what you expected. And so on and so on. I assume that what you meant was that the search gave no output.  The problem, then, is that your raw events do NOT have a field named FailureMsg as your OP implied. (I tried to clarify in my previous response.) The fact that index="demo1" source="demo2" ("fail_msg1" OR "fail_msg2") returns results only means that the terms "fail_msg1", "fail_msg2" exist in some events; you need to be explicit about what fields are available at search time. If you do not have a suitable field name in raw events to limit the search, subsearch can still be used to match straight terms by using a pseudo keyword search. index="demo1" source="demo2" [inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format] | rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" | search test_field_name=test_field_name_1 | table _raw id_num | reverse | filldown id_num

Thanks! @ITWhisperer  This is really helpful. The only problem is - The shared query I tried and it is not able to fetch the final status as succeed or failed. As per sample event , platform index has message field which is having this text as marked request as succeed or marked request as failed. attaching snap for reference.

@yuanliu Thank you for your reply . The following block works for me when run independently .   index="demo1" source="demo2" | rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" | search test_field_name="test_field_name_1" | table _raw id_num | reverse | filldown id_num     and this query works     | inputlookup sample.csv | fields FailureMsg   but this block does not work for me      index="demo1" source="demo2" [inputlookup sample.csv | fields FailureMsg]      Tried this block as well, it did not work for me    index="demo1" source="demo2" [ | inputlookup sample.csv | fields FailureMsg ]   Since above query did not work, entire block you suggested did not work as well    index="demo1" source="demo2" [inputlookup sample.csv | fields FailureMsg] | rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" | rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" | search test_field_name=test_field_name_1 | table _raw id_num | reverse | filldown id_num   This query works for me when I search for fail_msg1 or fail_msg2   index="demo1" source="demo2" ("fail_msg1" OR "fail_msg2")   any idea how to search this using inputlookup or lookup?  

I assume you have already tried these or similar openssl commands? openssl x509 -in certname.crt -out certname.pem -outform PEM openssl x509 -inform DER -in certname.crt -out certname.pem -text Could you also try renaming the .crt directly to .pem? You might be lucky and it will already be in the PEM format.

Hi @mfonisso, I’m a Community Moderator in the Splunk Community. This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you! 

Try something like this (index=default-va6* sourcetype="myengine-stage" "API call is True for MyEngine" OR "Target language count") OR (index=platform-va6 sourcetype="platform-ue*" "testabc-123" "Marked request as") | rex field=_raw "Marked request as (?<finalStatus>\w+).+ x-request-id: (?<reqID>.+)" | rex field=_raw "request_id=(?<reqID>.+?) - .+(Target language count|API call is True for MyEngine)" | rex field=_raw "Target language count (?<num_target>\d+)" | rex field=_raw "API call is (?<callTrue>True) for MyEngine" | stats first(num_target) as num_target first(callTrue) as callTrue first(finalStatus) as finalStatus by reqID | where callTrue=="True" AND isnotnull(num_target)

Hi @Dean.Marchetti, Thanks for asking your question on the Community. Have you found a solution or a workaround you could share? If you have not yet, you can also try contacting AppDynanics Support: How do I submit a Support ticket? An FAQ 

Hello marnall, First of all, thank you for your reply. I thought the "wildcard" option was only used for fields containing spaces or commas. And that with the symbol * it didn't work. I'll try this quickly and report back here. Regards