All Posts
Hi @bowesmana, it is a classic dashboard, and the time range is one of the panels in the dashboard. I just used the below query for the panel. The customer has access to the dashboard, but only the time range panel is showing an error.
<panel ref="TimeRangePanel"></panel>
Below is the error:
Using streamstats is the more powerful solution and, as @PickleRick says, it can handle the case where you have multiple started and connected events for the same user (think reset_before=). The issue you need to consider is your data volume. transaction is not good with large data volumes and long spans and will not easily handle the multiple connected events, and streamstats needs to move all the data to the search head. There is a third solution using stats, but it would need some good knowledge of playing around with multivalue fields.
Hello, you have to upgrade either RHEL 8 or to support the latest version of the controller: Upgrading from RHEL 7 to RHEL 8 Red Hat Enterprise Linux 8 | Red Hat Customer Portal. I recommend upgrading up to RHEL 8.8 only, then upgrade your controller and Event Service, as version 21.4 does not support RHEL 9.x. Regards
Hi @dtccsundar, if you want only one regex, you can use
| rex "Interface\s+(?<interface>[^,]+), changed state to (?<state>\w+)"
If you prefer two regexes, you can use:
| rex "Interface\s+(?<interface>[^,]+)"
| rex "changed state to (?<state>\w+)"
You can test the regex at https://regex101.com/r/WpmBG3/1
Ciao. Giuseppe
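As an added example (not code from the thread), here is the extraction above applied in Python to the two events quoted in the question, plus one constructed line with no state change to show a non-match. Python's re module spells named groups (?P<name>...), where Splunk's rex uses PCRE (?<name>...); the patterns are otherwise the ones from the answer, in both the one-regex and two-regex forms. The Activity field with Up/Down values that the question asks for is derived from the extracted state, as an eval would do in SPL.

```python
import re

# Sample events: the first two are the ones quoted in the question; the
# third is a constructed line with no state change, to show a non-match.
EVENTS = [
    "Mar 5 05:45:43 ie-dub-corp-sw1 Eastern: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface GigabitEthernet2/0/19, changed state to down",
    "Mar 5 05:46:50 omenmnlswfl02 EST: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface GigabitEthernet2/3, changed state to up",
    "Mar 5 05:47:01 omenmnlswfl02 EST: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0",
]

# Single-regex form, same pattern as the first rex in the answer.
# Python needs (?P<name>...) where PCRE/rex accepts (?<name>...).
ONE_REGEX = re.compile(r"Interface\s+(?P<interface>[^,]+), changed state to (?P<state>\w+)")

# Two-regex form: each extraction is independent, so a line that carries only
# one of the two fragments still yields that one field.
INTERFACE_RE = re.compile(r"Interface\s+(?P<interface>[^,]+)")
STATE_RE = re.compile(r"changed state to (?P<state>\w+)")


def extract_one(event: str) -> dict:
    """Fields produced by the single rex; empty dict when the pattern does not match."""
    m = ONE_REGEX.search(event)
    return m.groupdict() if m else {}


def extract_two(event: str) -> dict:
    """Fields produced by running the two rex commands one after the other."""
    fields = {}
    for rx in (INTERFACE_RE, STATE_RE):
        m = rx.search(event)
        if m:
            fields.update(m.groupdict())
    return fields


def activity(event: str):
    """The 'Activity' field the question asks for: 'Up' or 'Down', derived from
    the extracted state (what an | eval Activity=... would do in SPL)."""
    state = extract_two(event).get("state")
    return state.capitalize() if state else None


if __name__ == "__main__":
    for ev in EVENTS:
        print(extract_one(ev), extract_two(ev), activity(ev))
```

The interface capture stops at the first comma, so it would include trailing whitespace if a device ever put a space before the comma; the sample events do not, so no trimming is done here.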
I have 2 requirements:
1) From different events I need to extract the word after Interface and up to the comma. After Interface there will be a space. The field name can be Interface.
2) Need to extract a new field with the name Activity with values either Up or Down. I have marked them in bold in the events.
Ex-
1) Mar 5 05:45:43 ie-dub-corp-sw1 Eastern: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/19, changed state to down
2) Mar 5 05:46:50 omenmnlswfl02 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/3, changed state to up
Please help me with 2 regexes.
Hi @Nawab, you can disable the edit button and not grant the role used by these users permission to modify the view. Ciao. Giuseppe
You may use the extension that supports Redis Enterprise clusters, Appdynamics/redis-enterprise-monitoring-extension - Cisco Code Exchange. It will allow you to monitor the cluster overall.
Hi Splunkers, for our customer we need to populate an external lookup. We are on a Splunk SaaS env. A colleague has developed a simple app to achieve this purpose. After some tests, the lookup seems to be populated fine. Our current problem is: if we use this lookup in a search executed from the Search and Reporting app, it returns the expected results. No issue, no missing data. But if we try from another app able to execute a search (I mean, with the search function available), on the same data set and time range, the output is empty. We suspect it's related to a permission problem (maybe the app has no permission to write on the underlying file system, since we are in a cloud env?), but we are not sure. Moreover, even if we are right, how could we fix the issue?
I can do that, but a user can modify the search and see all notables not related to him. How can I stop users from modifying the search?
I am trying to create a popup that should open as soon as you click on the link of the dashboard. However, on entering the HTML code I am getting the following error: "Entity 'times' not defined". Can anyone please tell me how to fix this issue? It is a bit urgent, so quick help would be appreciated a lot. Here is the tag: <span class="close">&times;</span>
Hi @Nawab, ES isn't multitenant and you are asking how to use ES in multitenancy! You have to create a custom dashboard that accesses the Notable index. The real problem is how to profile the users; you could use e.g. sourcetype or another field in the Notable index. You should customize all the Correlation searches to write a field in the Notable index to identify the notables for each user. Ciao. Giuseppe
Let's suppose we want to create a dashboard on the notable index which is shared with all teams, but we want to create a dashboard for every team to see the notables related to them. But we want to restrict them to only see this specific search, so that they cannot even change the search when they click the search icon on the dashboard. Is it possible? Or how can we segregate notables in a single ES deployment?
As a side note, instead of
index=my_index | stats max(_time) as latest_event_time
you can use
| tstats max(_time) as latest_event_time where index=my_index
You will notice a _huge_ performance difference.
I'm looking to run a |rest command to return a list of apps and app versions sent from the management node (i.e. manager-apps). I'm only seeing an option that will return local apps (/opt/splunk/etc/apps), nothing from /opt/splunk/etc/manager-apps.
While transaction can indeed be a more intuitive solution, a similar solution can probably be achieved with streamstats. First "split" your times to have them as
| eval starttime=if(status=="started",_time,null())
| eval endtime=if(status=="connected",_time,null())
Then you can "collect" your times with
| streamstats min(starttime) as timestarted min(endtime) as timeended by userId
If you now want to remove the "extra" events with "connected" status, you can do
| where NOT (status=="connected" AND _time!=timeended)
Bonus: you can use the same approach if there is a possibility of multiple "started" events (we'll leave it as an exercise for the reader ;-)).
Now you're left with just one "started" event and one "connected" event. So we're down to your last requirement: there must be both a "start" event and a "connected" event. This can be done in various ways, but we can do it along with our duration calculation
| stats range(_time) as duration values(state) as states by userId
And we only want to keep those results which have both states
| where states="started" AND states="connected"
Now you're all set to group, summarize, bin, and do whatever you want with your results.
To be quite honest, I'm not sure what you mean by your C) requirement, because if it does what I think it may mean, the above search is completely not what you want.
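The streamstats approach above, as an added Python example that is not from the thread: it replays the same steps (running first started and connected time per user, dropping the extra connected and started events, then keeping only users that have both) over a constructed event list. Events are processed in ascending _time order, which a running minimum relies on, so sort ascending before streamstats if your search returns them newest first. The extra-started rule from the "bonus" remark is included. Field names _time, userId and status are the ones used in the answer; the sample users and times are made up.

```python
from collections import defaultdict

# Constructed sample events (not from the thread). alice connects twice,
# bob never connects, carol has a duplicate "started" that arrives out of order.
EVENTS = [
    {"_time": 100, "userId": "alice", "status": "started"},
    {"_time": 112, "userId": "alice", "status": "connected"},
    {"_time": 130, "userId": "alice", "status": "connected"},  # extra connected
    {"_time": 105, "userId": "bob",   "status": "started"},    # no connected at all
    {"_time": 200, "userId": "carol", "status": "started"},    # later duplicate start
    {"_time": 190, "userId": "carol", "status": "started"},
    {"_time": 215, "userId": "carol", "status": "connected"},
]


def running_first_times(events):
    """Equivalent of the eval starttime/endtime pair followed by
    streamstats min(starttime) as timestarted min(endtime) as timeended by userId,
    over events sorted by _time ascending. Each returned event carries the
    running minima as they stood when that event was processed."""
    first = defaultdict(lambda: {"timestarted": None, "timeended": None})
    annotated = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        f = first[ev["userId"]]
        key = {"started": "timestarted", "connected": "timeended"}.get(ev["status"])
        if key and (f[key] is None or ev["_time"] < f[key]):
            f[key] = ev["_time"]
        annotated.append({**ev, **f})  # snapshot of the running values
    return annotated


def drop_extra_events(annotated):
    """where NOT (status=="connected" AND _time!=timeended), plus the symmetric
    rule for repeated "started" events that the answer leaves as an exercise."""
    keep = []
    for ev in annotated:
        if ev["status"] == "connected" and ev["_time"] != ev["timeended"]:
            continue
        if ev["status"] == "started" and ev["_time"] != ev["timestarted"]:
            continue
        keep.append(ev)
    return keep


def durations(events):
    """stats range(_time) as duration values(status) as states by userId,
    keeping only users that have both states. Returns {userId: duration}."""
    by_user = defaultdict(list)
    for ev in drop_extra_events(running_first_times(events)):
        by_user[ev["userId"]].append(ev)
    result = {}
    for user, evs in by_user.items():
        states = {e["status"] for e in evs}
        if {"started", "connected"} <= states:
            times = [e["_time"] for e in evs]
            result[user] = max(times) - min(times)
    return result


if __name__ == "__main__":
    print(durations(EVENTS))  # {'alice': 12, 'carol': 25}
```

bob disappears from the result because he has no connected event, alice's second connected event and carol's second started event are discarded before the duration is taken, and carol's out-of-order start only works because the events were sorted first.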
Luckily, with auditd logs the order of the fields should not change, so you can match the events with
acct=appuser.*exe=/usr/(sbin/crond|bin/crontab)
and just filter out (send to nullQueue) events matching this regex.
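As an added example, not code from the thread: the regex above applied in Python to six constructed auditd-style records, to see which ones a nullQueue transform would discard. The first pattern is exactly the one posted; the second, tightened pattern is my own suggestion and is labelled as such in the code. Two of the constructed records are the checks a practitioner would want to run before deploying the transform: one has the values double-quoted, the way raw auditd records usually write them (acct="appuser" exe="/usr/sbin/crond"), and one belongs to an account named appuser2. Test against your own events, since the field format depends on how the logs reach Splunk.

```python
import re

# The pattern from the answer, as posted.
POSTED_RE = re.compile(r"acct=appuser.*exe=/usr/(sbin/crond|bin/crontab)")

# Tightened variant (my suggestion, not from the thread): tolerate the double
# quotes raw auditd puts around these values, and stop acct=appuser from also
# matching longer names such as appuser2 (\b after the name).
TIGHT_RE = re.compile(r'acct="?appuser\b"?.*exe="?/usr/(?:sbin/crond|bin/crontab)\b')

# Constructed auditd-style records (not from the thread).
RECORDS = [
    # 1: unquoted, crond session for appuser -> the noise the answer wants dropped
    "type=USER_START msg=audit(1709617543.101:4821): pid=2211 uid=0 auid=1001 ses=77 "
    "msg='op=PAM:session_open grantors=pam_loginuid,pam_limits acct=appuser exe=/usr/sbin/crond "
    "hostname=? addr=? terminal=cron res=success'",
    # 2: unquoted, crontab invocation by appuser
    "type=USER_ACCT msg=audit(1709617543.102:4822): pid=2212 uid=1001 auid=1001 ses=77 "
    "msg='op=PAM:accounting grantors=pam_unix acct=appuser exe=/usr/bin/crontab "
    "hostname=? addr=? terminal=? res=success'",
    # 3: same as 1 but with the values quoted, as raw auditd usually writes them
    "type=USER_START msg=audit(1709617543.103:4823): pid=2213 uid=0 auid=1001 ses=78 "
    "msg='op=PAM:session_open grantors=pam_loginuid,pam_limits acct=\"appuser\" exe=\"/usr/sbin/crond\" "
    "hostname=? addr=? terminal=cron res=success'",
    # 4: a different account whose name merely starts with appuser
    "type=USER_START msg=audit(1709617543.104:4824): pid=2214 uid=0 auid=1004 ses=79 "
    "msg='op=PAM:session_open grantors=pam_unix acct=appuser2 exe=/usr/sbin/crond "
    "hostname=? addr=? terminal=cron res=success'",
    # 5: appuser logging in over ssh -> must be kept
    "type=USER_START msg=audit(1709617550.500:4830): pid=2300 uid=0 auid=1001 ses=80 "
    "msg='op=PAM:session_open grantors=pam_unix acct=appuser exe=/usr/sbin/sshd "
    "hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'",
    # 6: cron session for another account -> must be kept
    "type=USER_START msg=audit(1709617551.000:4831): pid=2301 uid=0 auid=1003 ses=81 "
    "msg='op=PAM:session_open grantors=pam_unix acct=deploy exe=/usr/sbin/crond "
    "hostname=? addr=? terminal=cron res=success'",
]


def route(record, pattern=POSTED_RE):
    """Queue the record would go to: 'nullQueue' (discarded) when the transform's
    regex matches, otherwise 'indexQueue'."""
    return "nullQueue" if pattern.search(record) else "indexQueue"


def routes(records, pattern=POSTED_RE):
    """Routing decision for every record, in input order."""
    return [route(r, pattern) for r in records]


if __name__ == "__main__":
    for i, (posted, tight) in enumerate(zip(routes(RECORDS), routes(RECORDS, TIGHT_RE)), 1):
        print(f"record {i}: posted={posted} tightened={tight}")
```

With the posted pattern, record 3 (quoted values) slips through to the index and record 4 (appuser2) is silently dropped; the tightened pattern drops records 1 to 3 and keeps 4 to 6.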
As @bowesmana pointed out, _time is a field which holds the current timestamp expressed as a number (number of seconds since epoch). It only gets formatted on display by default in the WebUI; the _time field is treated specially. You can check it for yourself:
| makeresults | eval _time=0
If you render your _time to a string... honestly, I have no idea what will happen. Splunk will not use the value because it's not a number, but whether it sets it to zero or treats the field as non-existent, I cannot tell. Anyway, the results will definitely not be what you expect.
Will this also dedup start and ending transactions?
@kate Can you check the inputs.conf in your add-on?
https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/About#File_Monitoring_Inputs
https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/About#Scripted_Inputs
@pingli Hello, you can forward the data from your Commvault Metallic SaaS solution to Splunk using the APIs or HEC tokens, etc. Please find the below details for your reference.
https://www.splunk.com/en_us/blog/tips-and-tricks/getting-data-from-your-rest-apis-into-splunk.html?locale=en_us
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector
https://dev.splunk.com/enterprise/docs/devtools/httpeventcollector/