Hi @hank72., As I said, in this way your are sure to load into the Data Models all the data from al indexes even if they aren't in the default search path. If you want, youculd limit the indexes to read for each Data model, but there's no reason to do this, so my hint is to leave it as it is. let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors

The question has been answered many times before. @isoutamo already pointed you to a trove of resources for writing such search. If you don't understand some specifics about any of those things said in other threads wiith solutions don't hesitate to ask for explanation. But don't expect people to jump in and do your job for you - the issue is well known and has well known method of dealing with, explained many times. So all you need is to dig into those resources, read the solutions provided there and try to construct your own. If you encounter some obstacles along the way, ask away.

I did try to find in documentation that summaryindex is an alias for collect, but it's not documented as far as I can see.  But if you start typing | summaryin , splunk will show info for collect command.  So yes its the same command.

Being somewhat of a journeyman myself, the proper way to use timewrap was a bit of a mystery to me.  So, while the answer may be apparent to many, I was not sure how to wield the information. Thank you for the response.  I will give it a go on Monday.

Yes I tried the .(dot) | eval  cird_address=remoteIP ./32 Error in 'EvalCommand': The expression is malformed. An unexpected character is reached at '/32'. | eval  cird_address=remoteIP ."/32" This one does NOT show  an error, but i get no results.   Maybe there is something farther down in the search that's not correct. I check that and respond again. Thanks for your sugestion    

Note that I used System.Web.HttpUtility.JavaScriptStringEncode as a shortcut for encoding/escaping strings. KV_MODE = auto_escaped only handles a few escape sequences. If you prefer, you can simply replace \ and " with \\ and \", respectively, in strings before writing them.

Hi @Ismail_BSA, We can use the SqlServer PowerShell module to read SQL Server audit files. As an administrator, install the SqlServer PowerShell module under PowerShell 5.1, which should be installed by default on all modern Windows releases: PS> Install-Module SqlServer With the module installed, we can read .sqlaudit files created by SQL Server using Read-SqlXEvent. Column/field information is available at https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-records. Columns with type bigint or varbinary will be read as byte arrays and must be converted to strings using a .NET object of the appropriate type. We can write a small PowerShell script to act as a stream reader for .sqlaudit files read by Splunk's archive processor (see below). Note that Read-SqlXEvent uses System.IO.Stream internally and calls Stream.Length, which throws "Stream does not support seeking" for forward-only streams. We'll work around this isssue by copying the stream to a temporary file, reading the temporary file, and finally, deleting the temporary file. C:\Temp\Stream-SqlAudit.ps1 $file = New-TemporaryFile $output = $file.Open([System.IO.FileMode]::Append, [System.IO.FileAccess]::Write) $stdin = [System.Console]::OpenStandardInput() $stdout = [System.Console]::Out $buffer = New-Object byte[] 16384 [int]$bytes = 0 while (($bytes = $stdin.Read($buffer, 0, $buffer.Length)) -gt 0) { $output.Write($buffer, 0, $bytes) } $output.Flush() $output.Close() Read-SqlXEvent -FileName "$($file.DirectoryName)\$($file.Name)" | %{ $event = $_.Timestamp.UtcDateTime.ToString("o") $_.Fields | %{ if ($_.Key -eq "permission_bitmask") { $event += " permission_bitmask=`"0x$([System.BitConverter]::ToInt64($_.Value, 0).ToString("x16"))`"" } elseif ($_.Key -like "*_sid") { $sid = $null $event += " $($_.Key)=`"" try { $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Value, 0) $event += "$($sid.ToString())`"" } catch { $event += "`"" } } else { $event += " $($_.Key)=`"$([System.Web.HttpUtility]::JavaScriptStringEncode($_.Value.ToString()))`"" } } $stdout.WriteLine($event) } $file.Delete() We can use the invalid_cause and unarchive_cmd props.conf settings to call the PowerShell script. Note that unarchive_cmd strips or escapes quotes depending on the value unarchive_cmd_start_mode, so we've stored the PowerShell script in a path without spaces to avoid the use of quotes. If PowerShell can't find the path specified in the -File argument, it will exit with code -196608. Sample props.conf on forwarders, receivers (heavy forwarders or indexers), and search heads: [source::....sqlaudit] unarchive_cmd = powershell.exe -ExecutionPolicy RemoteSigned -File C:\Temp\Stream-SqlAudit.ps1 unarchive_cmd_start_mode = direct sourcetype = preprocess-sqlaudit NO_BINARY_CHECK = true [preprocess-sqlaudit] invalid_cause = archive is_valid = False LEARN_MODEL = false [sqlaudit] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) EVENT_BREAKER_ENABLE = true EVENT_BREAKER = ([\r\n]+) TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%N%Z MAX_TIMESTAMP_LOOKAHEAD = 30 KV_MODE = auto_escaped We can use a batch or monitor stanza to monitor the directory containing .sqlaudit files. Use a batch stanza if the files are moved to the monitored directory atomically to allow Splunk Universal Forwarder to delete the files after they're indexed. Sample inputs.conf: [monitor://C:\Temp\*.sqlaudit] index = main sourcetype = sqlaudit The script can be refactored as a scripted input; however, using the archive processor allows Splunk to perform file and change tracking on our behalf.