Hi @PickleRick ,    I don't want to remove the value, I just want to skip for that instance only if DMZ is passed as token value, when other values are passed, the condition needs to be there,    I'm having a value from dashboard input dropdown to macro, where I need the condition to skip when DMZ is passed.     Thanks in Advance! Manoj Kumar S

If you run the code snippet I shared, you should see results i.e. it works. This seems to imply that there is something else going on in your search which is causing you to have no results. Please share your full search in a code block </>

Hi @chakavak, the default folder has a minor priority than local and you cannot modify it. [default] host = mydashboard must be inserted in inputs.conf not in server.conf. Open a case to Splunk Support for behavior non aligned with documentation, sending them a diag from that UF. Ciao. Giuseppe

you can run below query in your CMC. | rest splunk_server_group=* /services/licenser/pools | eval total_quota_gb = round(your_quota_field / (1024 * 1024 * 1024), 2) | eval used_gb = round(your_used_field / (1024 * 1024 * 1024), 2) | eval usage_percentage = round((used_gb / total_quota_gb) * 100, 2) | table splunk_server, total_quota_gb, used_gb, usage_percentage | eval alert_level = case( usage_percentage > 90, "Critical", usage_percentage >= 80, "High", usage_percentage >= 70, "Medium", true(), "Normal" ) | eval alert_message = case( usage_percentage > 90, "License usage has crossed critical threshold at " . usage_percentage . "%. Immediate attention required!", usage_percentage >= 80, "License usage has reached " . usage_percentage . "%. Please take immediate action.", usage_percentage >= 70, "License usage has reached " . usage_percentage . "%. Please take action.", true(), "License usage is within normal range." ) | where usage_percentage > 70 | table splunk_server, total_quota_gb, used_gb, usage_percentage, alert_level, alert_message   Make sure to replace your_quota_field & your_used_field with the correct field name representing the license quota in your Splunk Cloud environment.

I found a serverName = $COMPUTERNAME in the path blow: \Peogrm Files\splunkuniversalforwarder\etc\system\default \server.conf  I changed this parameter and also added [default] host = mydashboard in config file , it didn't work  

Hi @PickleRick    Works like a charm! Thank you! It's way better than reverting to the /raw endpoint. Unfortunately I can't mark your answer as a solution anymore. I will edit my solution adding what you suggested.   Thank you!

You have to be more specific. 1. There are many index names and sourcetypes which are not used in your environment. For example, I don't think you're using index names that I use in my private lab environment at home. You have to be more specific about what you need (while with the indexes you can mean checking just all defined indexes, with sourcetypes it's not clear) 2. You can't find something that isn't there. So you must have a list against which you'll be comparing your search results.  See https://www.duanewaddle.com/proving-a-negative/

It is probably due to the add-on calling an obsolete method from the splunklib. You can't do anything about it yourself except for either updating the add-on (if possible) or asking the developer to fix it.

Hi @anandhalagaras1 , in this case see in the Cloud Monitoring Console App at https://<your_instance>.splunkcloud.com/en-US/app/splunk_instance_monitoring/alerts, you can find the aler named "CMC Alert - Ingest Volume Exceeds 80%". You can open in search this alert and enable it: the search is  `sim_licensing_summary_base` | `sim_licensing_summary_no_split` | append [| search `sim_licensing_limit`] | stats latest(GB) as usage latest("license limit") as limit | eval ratio = usage/limit | where ratio > .8 but maybe the macros don't run outside this app, but you can run it in the app. if you want to use it outside the app, you should replae the macros. Ciao. Giuseppe