Hi @RS , I suppose that the total execution time is always displayed in minutes, otherwise, you have convert it based on the forma, so, please try, something like this: index = XXXXXX1 host = hostname.com source = artifactory-servicesourcetype = artifactory-service "Storage TRASH_AND_BINARIES garbage collector report" | rex "Total\s+execution\s+time:\s+(?<minutes>\d+)\.(?<seconds>\d+)" | eval Total_execution_time=minutes*60+seconds | timechart sum(Total_execution_time) AS Total_execution_time BY host  Ciao. Giuseppe

Hi @Roy_9 , if it's a script from the Universal Forwarder, you can open a case to Splunk Support. Some yers ago I had an issue with the UF installed on a server that wasn't able to connect to DNS server and used too much memory to resolve addresses, and Support solved the issue, call them. Ciao. Giuseppe

Hi @shonias, I don't believe this functionality exists in Dashboard Studio today; however, you can create custom dashboards using @splunk/create and ReactJS. See https://splunkui.splunk.com/Packages/create/Overview and https://splunkui.splunk.com/Create/ExamplesGallery#Custom%20dashboards%20and%20visualizations. An interested user has also created a Splunk Idea related to tooltips. See https://ideas.splunk.com/ideas/EID-I-2183.

@AL3Z  To get Notable events from ES into SOAR you need the Splunk App for SOAR Export  setup on your Search Head then you will need to add the Adaptive Response to send to SOAR when the detection triggers an event in Splunk. 

Hi @kate, You can enable the introspection generator add-on on forwarders by following the process at https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/ConfigurePIF#Enable_the_introspection_generator_add-on_using_deployment_server. If you're not using a deployment server, you can enable the add-on locally on any forwarder. Note that the SplunkForwarder service account, e.g. NT SERVICE\SplunkForwarder, must have the "Debug programs" (SeDebugPrivilege) user right. While this isn't equivalent to administrator privileges, it does grant the user the ability to inject arbitrary code into another process running with administrator privileges. You can find more information in Microsoft security documentation. Don't fear the privilege, though. Just understand what it does and how to mitigate the risk of assigning in the context of Splunk. By default, introspection:generator:resource_usage will be enabled and collect metrics every 10 minutes when the add-on is enabled is enabled on universal forwarders. You can find metrics in index=_introspection, an event index containing source types with INDEXED_EXTRACTIONS = json: | tstats avg(data.cpu_idle_pct) as cpu_idle_pct where index=_introspection sourcetype=splunk_resource_usage component=Hostwide by _time host | chart avg(eval(100-cpu_idle_pct)) ``` cpu_used_pct ``` over _time by host On instances of Splunk Enterprise, metrics are also cloned to index=_metrics; however, events sent from forwarders with INDEXED_EXTRACTIONS set are "cooked" by the forwarder, and transforms on receivers will not be applied without modifying configuration to reroute cooked events to parsingQueue or adding ingest actions (rulesets) that reference the transforms behavior.  

@phanTom  I dnt see any notables set to soar in the adaptive response action, But we dnt relay on incident review dashboard in our environment, All incidents are automated through the soar it self.  

Hi @kate, surely you are using an add on for your Universal Forwarder (Linux or Windows), in this case, you have to enable the cpu counter metrics in this add-on, then you can use these data to calculate percentage use. Ciao. Giuseppe

@uagraw01 , I am not experienced about Kafka inside Kubernetes. Please check how to install Kafka Connect Cluster inside Kubernetes, after that you can install "Splunk Connect for Kafka" into this cluster.