All Posts

Hi @Muthu_Vinith, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors.
Hi @keorus, if the events are truncated also in the raw visualization, this means that the logs are truncated at ingestion and you cannot do anything to solve the issue, only report the problem to your colleagues that manage Splunk ingestion so they can change the configuration. Ciao. Giuseppe
Hi @jip31, let me understand: you created an eventtype like the following, counter="a", and you associated with this eventtype a tag called "a"; then, when you run a search where this field is present, you don't see the value "a" in the tag field, or the search tag="a" has no results, is that correct? Did you check whether the counter field is present in the results of the search that you're analyzing? Then, are you sure about the exact value of the tag? The tag field is case sensitive. Ciao. Giuseppe
Thanks for your message @gcusello. I just have a little issue: for now I can't touch the configuration of Splunk, I have to work with this configuration. It is a requirement of my team's projects. Would that mean that the only solution is to change the Splunk configuration, and that there is no other solution?
Thanks @gcusello @ITWhisperer 
The above query is not working, but when I use Operation!="Disable Strong Authentication." I get the list of MFA-enabled users. I have already ingested the Splunk logs and completed the macro creation.
https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/ When I give this command Operation!="Disable Strong Authentication." I am getting the details of the MFA-enabled users. But when the query below is executed I am not getting any output. Can someone help me by sharing some docs?
`o365_management_activity` Operation="Disable Strong Authentication." | stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object | rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_disable_mfa_filter`
as per the
Hi, I have created a tag called "a" for the field "counter". But when I run a search with tag=a or with tag::counter="a", there are no results. What is the problem, please?
Hi @jeradb, as @richgalloway said, you should add a new calculated field to your Data Model using your eval. Remember that you have to rebuild the Data Model, otherwise the new calculated field will be available only from the time when you added it. Ciao. Giuseppe
Hi @Kat456, I suppose that you ingested these data from the csv file into Splunk. When you have them in Splunk you can have them in the order you like:
index=your_index | table firstname lastname
Ciao. Giuseppe
Hi @edalbanese, I still haven't used it, but I saw a colleague that used the OB OpenAI ChatGPT App at https://splunkbase.splunk.com/app/6957 . About images, to my knowledge, at the moment Splunk stores and searches only text files. Ciao. Giuseppe
Hi @Muthu_Vinith, you can use the Splunk Lookup Editor App ( https://splunkbase.splunk.com/app/1724 ) to create the lookup. To create the Lookup Definition, you can use the second item of the dashboard that you shared. Ciao. Giuseppe
Could I create my own certificate for the SAML configuration if the IdP certificate setup isn't working as expected? If so, how can I do this?
Hi, you can enable debug mode for the splunkd.log file before taking a diag.

Enable debug logging on all of splunkd.log
Splunk software has a debugging parameter (--debug) that you can use when you start Splunk software from the CLI in *nix. This command outputs logs to the $SPLUNK_HOME/var/log/splunk/splunkd.log file. This option is not available on Windows. To enable debugging on Splunk software running on Windows, enable debugging on a specific processor. See Enable debug logging in Splunk Web or Enable debug logging using log.cfg.

1. Navigate to $SPLUNK_HOME/bin.
2. Stop the Splunk platform instance, if it is running.
3. Save your existing splunkd.log file by renaming it, like splunkd.log.old.
4. Restart the instance in debug mode with splunk start --debug.
5. When you notice the problem, stop the instance.
6. Move the new splunkd.log file elsewhere and restore the old file.
7. Stop or restart the instance normally (without the --debug flag) to disable debug logging.

Not all messages marked WARN or ERROR indicate actual problems with Splunk software; some indicate that a feature is not being used.

For splunk diag run the following command:
*nix example: ./splunk diag
Windows example: splunk diag

@raghunandan1
Hi @raghunandan1, you can try the below:
index=mssql sourcetype="mssql:database" OR sourcetype="mssql:databases" state_desc!="ONLINE" | eval assignment_group = case(host=="sitpdb0033","Sql_Production Support", like(source,"%mssql_mfg%"),"Winows_Support - Operations",1=1, "Sql_Production Support")
Got it resolved. Corrected one bracket. Thank you so much for the pointer on 'if' being required every time.
Hi @aniketsamudra, you should use a case statement like below:
| eval Test=case(like('thrown.extendedStackTrace',"%403%"),"403", like('thrown.extendedStackTrace',"%404%"),"404",1=1,"###ERROR####")
Nope! Getting an error: Error in 'EvalCommand': The expression is malformed. Expected ).
Hello, the only count I need in my report is client_ip counts. I don't understand how you can count matching events, but if you can modify my last query (and replace join with something more efficient) that would be a great help. Thanks
There's an omission in @bowesmana's mvappend:
| foreach "Attribute Name", "Resource Name", "ID" [ | eval type=mvappend(type, if(isnotnull('<<FIELD>>'), '<<FIELD>>', null())) ]