Hi @dm2, if you run this search in the SA-CIM_vladiator app, do you see fields? if not (as I understood) you have to share them at Global level. The app leval shared fields are visible only inside the app where they are created. Ciao. Giuseppe

I can see a little more information is need:  I can finde the user who checks out the cyberark account .. "PAM-DomainAdmin*"  by this search ... It is the suser that is of interesset  index="cyberark" duser="PAM-DomainAdmin*" ("cn2=(Action: Connect)" OR command="Retrieve password") | rename cn2 as Why | table _time, user, suser, src, command, Why Finding the action created by the user has done as PAM-admin is done as: index=wineventlog source=wineventlog:security EventID IN (4756, 4728, 4732) src_user="PAM-DomainAdmin*"  

Do you mean client_ip is no longer returned just because index _ad is included in OR phrase?  Does the following return client? (index=_ad (EventCode=4625 OR (EventCode=4771 Failure_Code=0x18)) Account_Name=JohnDoe Source_Network_Address IN (10.10.10.10 20.20.20.20)) OR (index=_network snat IN (10.10.10.10*,20.20.20.20*)) ``` get relevant data ``` | rex field=client "^(?<client_ip>.*?)\:(?<client_port>.*)" ``` this applies to index _network ``` | dedup client client_ip | table client client_ip  

Assuming regex is working, and you have successfully extracted all flag's.  fillnull and coalesce does not help because they only take effect when value is completely void. In olden days, people use mvzip-split string maneuvers to handle these conditions.  But since 8.2, Splunk added a set of JSON functions so you can represent data structure more expressively.  The following is a possibility:   | rex max_match=0 field=Aptlauncher_cmd "\s(?<flag>--?[\w\-.@|$|#]+)(?:(?=\s--?)|(?=\s[\w\-.\/|$|#|\"|=])\s(?<value>[^\s]+))?" | eval flag=trim(flag, "-") | eval flagidx = mvrange(0, mvcount(flag)) | eval compact = mvmap(flagidx, json_object("flag", mvindex(flag, flagidx), "value", mvindex(value, flagidx))) | fields - flagidx | mvexpand compact | eval value = json_extract(compact, "value"), flag = json_extract(compact, "flag") | eval value = if(isnull(flag), null(), coalesce(value, "true"))   Using the examples you gave, here is an emulation you can play with and compare with real data.   | makeresults format=csv data="Aptlauncher_cmd launch test -config basic_config.cfg -system test_system1 -retry 3 launch test -con-fig advanced-config_v2.cfg -sys_tem test_system_2 -re-try 4 launch update -email user@example.com -domain test.domain.com -port 8080 launch deploy -verbose -dry_run -force launch schedule -task \"Deploy task\" -at \"2023-07-21 10:00:00\" -notify \"admin@example.com\" launch clean -@cleanup -remove_all -v2.5 launch start -config@version2 --custom-env "DEV-TEST" --update-rate@5min launch run -env DEV --build-version 1.0.0 -@retry-limit 5 --log-level debug -silent launch execute -file script.sh -next-gen --flag -another-flag value launch execute process_without_any_flags launch special -@@ -##value special_value --$$$ 100 launch calculate -add 5 -subtract 3 --multiply@2.5 --divide@2" ``` data emulation above ```   Emulative results are Aptlauncher_cmd flag value launch test -config basic_config.cfg -system test_system1 -retry 3 config basic_config.cfg launch test -config basic_config.cfg -system test_system1 -retry 3 system test_system1 launch test -config basic_config.cfg -system test_system1 -retry 3 retry 3 launch test -con-fig advanced-config_v2.cfg -sys_tem test_system_2 -re-try 4 con-fig advanced-config_v2.cfg launch test -con-fig advanced-config_v2.cfg -sys_tem test_system_2 -re-try 4 sys_tem test_system_2 launch test -con-fig advanced-config_v2.cfg -sys_tem test_system_2 -re-try 4 re-try 4 launch update -email user@example.com -domain test.domain.com -port 8080 email user@example.com launch update -email user@example.com -domain test.domain.com -port 8080 domain test.domain.com launch update -email user@example.com -domain test.domain.com -port 8080 port 8080 launch deploy -verbose -dry_run -force verbose true launch deploy -verbose -dry_run -force dry_run true launch deploy -verbose -dry_run -force force true launch schedule -task "Deploy task" -at "2023-07-21 10:00:00" -notify "admin@example.com" task "Deploy launch schedule -task "Deploy task" -at "2023-07-21 10:00:00" -notify "admin@example.com" at "2023-07-21 launch schedule -task "Deploy task" -at "2023-07-21 10:00:00" -notify "admin@example.com" notify "admin@example.com" launch clean -@cleanup -remove_all -v2.5 @cleanup true launch clean -@cleanup -remove_all -v2.5 remove_all true launch clean -@cleanup -remove_all -v2.5 v2.5 true launch start -config@version2 --custom-env DEV-TEST --update-rate@5min config@version2 DEV-TEST launch start -config@version2 --custom-env DEV-TEST --update-rate@5min custom-env true launch start -config@version2 --custom-env DEV-TEST --update-rate@5min update-rate@5min true launch run -env DEV --build-version 1.0.0 -@retry-limit 5 --log-level debug -silent env DEV launch run -env DEV --build-version 1.0.0 -@retry-limit 5 --log-level debug -silent build-version 1.0.0 launch run -env DEV --build-version 1.0.0 -@retry-limit 5 --log-level debug -silent @retry-limit 5 launch run -env DEV --build-version 1.0.0 -@retry-limit 5 --log-level debug -silent log-level debug launch run -env DEV --build-version 1.0.0 -@retry-limit 5 --log-level debug -silent silent true launch execute -file script.sh -next-gen --flag -another-flag value file script.sh launch execute -file script.sh -next-gen --flag -another-flag value next-gen value launch execute -file script.sh -next-gen --flag -another-flag value flag true launch execute -file script.sh -next-gen --flag -another-flag value another-flag true launch execute process_without_any_flags     launch special -@@ -##value special_value --$$$ 100 @@ special_value launch special -@@ -##value special_value --$$$ 100 ##value 100 launch special -@@ -##value special_value --$$$ 100 $$$ true launch calculate -add 5 -subtract 3 --multiply@2.5 --divide@2 add 5 launch calculate -add 5 -subtract 3 --multiply@2.5 --divide@2 subtract 3 launch calculate -add 5 -subtract 3 --multiply@2.5 --divide@2 multiply@2.5 true launch calculate -add 5 -subtract 3 --multiply@2.5 --divide@2 divide@2 true Hope this helps.  (As you can see, the regex has some difficulty with quoted values.)

Something like this? index=atp category="AdvancedHunting-DeviceFileEvents" ( (properties.InitiatingProcessAccountName!="system" properties.ActionType="FileCreated" properties.FolderPath!="C:\\*" properties.FolderPath!="\\*") OR (category="AdvancedHunting-DeviceEvents" properties.ActionType="UsbDriveMounted") ) | spath input=properties.AdditionalFields | fields properties.ReportId, properties.DeviceId, properties.InitiatingProcessAccountDomain, properties.InitiatingProcessAccountName, properties.InitiatingProcessAccountUpn, properties.FileName, properties.FolderPath, properties.SHA256, properties.Timestamp, properties.SensitivityLabel, properties.IsAzureInfoProtectionApplied properties.DeviceName, DriveLetter, properties.Timestamp, ProductName, SerialNumber, Manufacturer | rename properties.ReportId as ReportId, properties.DeviceId as DeviceId, properties.InitiatingProcessAccountDomain as InitiatingProcessAccountDomain, properties.InitiatingProcessAccountName as InitiatingProcessAccountName, properties.InitiatingProcessAccountUpn as InitiatingProcessAccountUpn, properties.FileName as FileName, properties.FolderPath as FolderPath, properties.SHA256 as SHA256, properties.Timestamp as Timestamp, properties.SensitivityLabel as SensitivityLabel, properties.IsAzureInfoProtectionApplied as IsAzureInfoProtectionApplied, properties.DeviceName as DeviceName, properties.Timestamp as MountTime | eval Timestamp_epoch = strptime (Timestamp, "%Y-%m-%dT%H:%M:%S.%6N%Z") | eval MountTime_epoch = strptime (MountTime, "%Y-%m-%dT%H:%M:%S.%6N%Z") | sort Timestamp MountTime | stats list(FolderPath) as FolderPath, list(DriveLetter) as DriveLetter, list(MountTime) as MountTime, list(MountTime_epoch) as MountTime_epoch, list(Timestamp) as Timestamp, list(Timestamp_epoch) as Timestamp_epoch by DeviceId Not sure what the real question/difficulty is.  The above really performs the same task as your join, just more efficient with stats.

Hi @shrinathkumbhar , find a Splunk Partners and see ES with him/her in a PoC. Otherwise, ask to your Splunk reference People to enable a trial, but it's difficoult, the easiest way is a Splunk Partner, also because it's difficoult to see ES without an initial configuration that requires at least a little knowledge of this solution. If you want to see features, you can search in the free courses (https://education.splunk.com/Saba/Web_spf/NA10P2PRD105/guest/trqledetail/cours000000000003591?_gl=1*2tb7kt*_ga*MzU3MjIzOTU1LjE3MDA4MDg0NTc.*_ga_GS7YF8S63Y*MTcwNzIwNTAwNC4zMjcuMS4xNzA3MjA1MjYzLjYwLjAuMA..*_ga_5EPM2P39FV*MTcwNzIwNDk5Mi4zMzcuMS4xNzA3MjA1Mjg5LjAuMC4w&_ga=2.78551124.1756370686.1704629137-357223955.1700808457#/guest/trqledetail/cours000000000003591 ) a forty minute free course on ES. In addition, you can many videos in theYouTube Splunk Channel https://www.youtube.com/@Splunkofficial Ciao. Giuseppe Ciao. Giuseppe