1. You posted it in "Geting data in" section which deals with... well, getting data into Splunk. But you're talking about alerts. Do you want to ingest alerts into Splunk or are you talking about something else? 2. If by any chance you're talking about triggering alerts withing Splunk by means of saved search and alert actions - are you talking about custom alert action or just a standard action (which one?) just triggered on different environments?

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: "index-name">source. The search job has failed due to an error. You may be able view the job in the 

Thanks for the help!  Do you have an example of what it looks like to share a search globally? I've read lots of forum posts and Splunk Docs but haven't gotten a clear answer on how to configure this in the .conf file.

I'm trying to make it so any search on my KV store will be filterable by the timepicker. So if I were to search |inputlookup {collection_name} I would get back all the entries from my collection based on the selected time range.  Are you saying that since it's a KV store I'll need to include time constraints in each query to make this work? 

I really appreciate the suggestion. You do seem to get what I'm after, though the mvcount(indexes) returned no results. It seems so simple to me conceptually, but finding it very frustrating to try and wrap my head around "how splunk does it". I'm trying to include just the InstanceIds seen in both indexes while keeping the rest of the values from ResourceId in index=main. Index=main contains many different values in ResourceId (some of which are instance IDs). Index=other has a field called InstanceId.  This works, but I am not sure how to filter the MV index results (where mvcount(index)=2 did not work)     (index=main ResourceId=i-*) OR (index=other type=instance earliest=-2h) | eval InstanceId=coalesce(ResourceId, InstanceId) | stats values(index) as index by InstanceId       I've tried to use if/match, which sounds like it is exactly what I need, but it looks like you can't specify dynamic values for the match.      (index=main ResourceId=i-*) OR (index=other type=instance earliest=-2h) | eval InstanceId=if(match(ResourceId, InstanceId, ResourceId, "null")) | stats values(index) as index by InstanceId      

@xathviar - FYI, There is an idea already someone submitted - https://ideas.splunk.com/ideas/EID-I-1704 And its under development, which means you may see it as core feature to Splunk in near future.   I hope this helps!!!

Sender_ID is present in log line: 2024-02-16 09:55:41:829 EST| INFO |InterfaceName=USCUSTOMERPO POCanonical_JSONHttpDataProcess=END JSON data successfully processed to Order Processor application for TxID=20240216095535623-0EEu Sender_ID=hC Bioscience Inc Receiver_ID=ThermoFisher Scientific TxnType=USCustomer_PO Format=cXML Direction=Inbound PO_Num=2550 Status=Success       I have updated the query bit still space is truncated  InterfaceName=USCUSTOMERPO Status=Success OR Status=Failure | eval timestamp=strftime(_time, "%F")|chart limit=30 dc(TxID) over Sender_ID by timestamp|rex "Sender_ID=(?<Sender_ID>.+)\s"    

@Iris  - I have also never done it myself but I have thought of it a couple of times. I think a more widely known option is Selenium for web application testing. You can try that.   I hope this helps!!!

One more option is also to connect other Splunk machines to connect as clients of the deployment server to deploy these Apps. * This is something people follow as practice, I don't find it helpful as it creates so much confusion managing apps and upgrading them.   A good option for automation (ex. ansible) if you have it in place, or manual.