Hi can you paste your inputs.conf on indexer side and outputs.conf from UF side? Please anonymise (read: replace with xxx etc.) all data which can identified your environment and secrets! And remove put those inside </> element on your reply! r. Ismo

Hi  As @richgalloway said, have you look command spath? There are quite many old answers where are asked quite similar questions. Just use google/bing or what ever to find those. https://community.splunk.com/t5/Getting-Data-In/How-to-handle-simple-JSON-array-with-spath/m-p/103174 https://community.splunk.com/t5/Splunk-Search/How-to-parse-my-JSON-data-with-spath-and-table-the-data/m-p/250462 r. Ismo

Hi when Apps+TAs have planned and designed to use best practices there are no default index assumptions on those. Usually there is e.g. macro or event type definitions used for those. Then in installation and configuration time that should defined as every deployment want/needs to do it based on their standards. If/when TAs and Apps didn't follow that practice then you must change those on your installation by your self. Also I suggest that you send feature requirements to the original creator/maintainer to modify these to follow up best practices. One best practice is: Never ever use main as any purpose! You should always define your own indexes for events based on your local naming etc. standards. r. Ismo

Hi have you read these? https://community.splunk.com/t5/Installation/How-to-resolve-error-when-starting-UF-for-the-first-time/m-p/612748 https://community.splunk.com/t5/Installation/Upgrading-Universal-Forwarder-8-x-x-to-9-x-x-does-not-work/m-p/665668 r. Ismo

Hi @parthiban, if the message string is fixed, you could try: <your_search> | rex "\"Getting a response of (?<response>\d+)" | table ... you can test this regex at https://regex101.com/r/mz4c1L/1 Ciao. Giuseppe

Hello Ryan, Thanks for the update.  I have gone thought your suggestion but in our case the SIM is already enabled. system_props="$system_props -Dappdynamics.sim.enabled=true" Regards, Amit Singh Bisht

@ITWhisperer  i created like this, in the Event Types     index=foo_win*  (host="PC*" EventID=1068) OR (host="PR**" EventID="1") OR (host="PR*" EventID="1") OR (host="PR*" EventID="1") | eval Severity=case(EventID="1068", "Warning", EventID="1", "Information", EventID="1021", "Warning") | stats count by Severity writing above spl under all three pannels(critical, warning,information)

Hi @Fo , as hinted by @ITWhisperer it was a mistyping for this reason I hinted to avoid the minus char! (index="first-app" sourcetype="first-app_application_log" "eventType=IMPORTANT_CREATE_EVENT") OR (index="second-app" sourcetype="second-app_application_log" "eventType=IMPORTANT_CANCEL_EVENT") | stats count(eval(index="first-app")) AS "first_app" count(eval(index="second-app")) AS "second_app" | eval diff=first_app-second_app | table diff Ciao. Giuseppe

Correction to @gcusello 's suggestion - when you quote field names on the righthand side of an evaluation, you need to use single quotes not double quotes (otherwise, Splunk treats them as strings and you can't subtract on string from another as they are not numeric data types) (index="first-app" sourcetype="first-app_application_log" "eventType=IMPORTANT_CREATE_EVENT") OR (index="second-app" sourcetype="second-app_application_log" "eventType=IMPORTANT_CANCEL_EVENT") | stats count(eval(index="first-app")) AS "first_app" count(eval(index="second-app")) AS "second_app" | eval diff='first_app'-'second_app' | table diff  

I am not sure what that ask is here What is your concern regarding plagarism? If I rewrite this SPL and you use it, are you then not plagarising my SPL? It is not clear what NTLM (type 3) is - could you just change the Logon_Type or LogonType part of the search to look for 3 instead of 10? Please share some anonymised events so we can see what you are dealing with, and an indication of the expected output?