If you get Limit of '100', you must be picking mind-reading #1 as you didn't pick #2.  That is just the problem with list.  You can increase this limit somewhat (see [stats|sistats]).  But be very careful. As to BATCH_ID, I still don't know what 134 and 26 mean.  One correlationId?  All events?  Is it because of the 100 limit on list_maxsize?  You should probably post a new question with proper set up and detailed explanation.

I am facing the same issue while using a scripted input. Did you find any ways to identify the root cause and fix it ? We are receiving data from a scripted input. we also tried putting that data in a csv file which has all the data. but still we are observing issues with data missing 

Ah, so I missed your point somewhat in that the list contains all the values you want and you should alert if one is missing from the data. You can do this | stats count by Time Value | append [ | inputlookup lookup.csv ``` Filter the entries you expect here, e.g. using addinfo ``` ``` | where Time is in the range you want ``` ] | stats count by Time Value | where count=1 which is adding the rows from the lookup to the end of your found data and then doing the stats count again. If count=1 then it has only come from the lookup. The filtering (where...) will need to work out what time range your search covers. Use the addinfo command to get info_min_time and info_max_time fields which you can then use to filter those values from the lookup you want.

Thanks!  I did not know about indexed field, that would be something interesting. Is there a way to add on another field that is always present for all models? For example in addition to. source, sourcetype, host, _raw, _time, is it possible to add like source_zone or something that works for all models? I saw that the source, sourcetype, host, etc are inherited but unsure from where is the inheritance from.

Apologies, my Value field is a combination of two separate field values from my index. It's to uniquely classify an event. Like you mentioned the count will not give a non numeric value. The command would be | stats count by Time Value| fields - count For using the lookup, should I sort the lookup or the live data from the index before compare ? Reason for asking is even though I can manually confirm that there is a mismatch, the script is unable to locate that. E.g if the live data has 18 entries and the lookup as 20, the 2 missing entries are not showing up in the script.

Courtesy of this post, I renamed "Microsoft-Windows-DNS-Server" to "Microsoft-Windows-DNSServer" and now I am seeing DNS events in my Splunk server. "Microsoft-Windows-DNS-Server" is part of log name, while "Microsoft-Windows-DNSServer" (no space) is the provider name in XML event. Go figure.

Consequences... Poor performance of your dashboard Poor performance for other users Excessive usage of an SVC licence if using SVC in Splunk Cloud - potentially causing additional licence costs to the organisation Skipped searches Your application will not be liked by others in your organisation Alerts may not fire and as such you may miss critical security detections the could indicate hackers are attacking your system, or that critical infrastructure is having performance issues, resulting in an outage of your primary web site. These are some, but not all of the consequences. All will depend on what you are using Splunk for, but I hope you get the picture. I've seen one such dashboard such as yours with 60 panels all on auto refresh, all searching the same data independently and that one dashboard, out of 1000 others, was using a significant proportion of the compute cost across the search head cluster.  

Honestly, I have no idea what they mean by importing the logs here. Anyway, you checked the btool output which shows the config. Check the inputstatus as well (this shows - as the name says - status of the inputs).

I thought "[WinEventLog://DNS Server]" is the same as "[WinEventLog://Microsoft-Windows-DNS-Server/Audit]". But yes I am using explicit log name (path). I also stayed away from [WinEventLog://DNS Server] because of this doc . It says importing log is needed, which is confusing.  Below is the trimmed inputsstatus list output PS C:\Program Files\SplunkUniversalForwarder> bin\splunk.exe btool inputs list --debug | Select-String "dns" C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name = C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf [WinEventLog://Microsoft-Windows-DNS-Server/Audit] C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name = <snip> C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf connection_host = dns C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name = <snip>

Something like | rex "<<<\s*(?<LogType>[^\s]*)\s*:[^:]*:[^:]*:[^:]*:(?<Class>[^:]*).*REQS REQUID\s*::\s*(?<ReqsRequid>[^:]*).*SUB REQUID::\s*(?<SubRequid>[^:]*).*Application\s*:(?<Application>[^:]*::\s*Org\s*:\s*(?<Org>[^:]*)"

Your examples are round seconds, but if you have epoch times to search between use the epoch with decimal places where required, so your example (which actually has no millisecond time) could be index=my_app earliest=1710525600.000 latest=1710532800.000 env=production service=my-service