hi @inventsekar Thank you , you are right,  some events not have that particular "log_processed.message". when i put | spath input=_raw i am seeing the events in table format but also seeing the duplicate events. can we avoid that. index="sample" "log_processed.app"=mercury "log_processed.traceId"=dc57c0b7f0e8cfdee5002b62873f5de7 | spath input=_raw | table _time, log_processed.message

You have a common field, just not a common name.  That's easy to fix using the coalesce function. index=foo (UserID=* OR ID=*) | eval commonID=coalesce(UserID, ID) | stats min(_time) as startTime, max(_time) as endTime, values(*) as * by commonID | eval diff=endTime - startTime  

Hi, I stumbled across this while searching the same error, and thought I'd provide an answer in case someone else comes along from the first hit in their favorite search engine.  Have you tried doing exactly what it says to do? Specifically, here's the process on my own machine.  Note I'm starting out in /opt/splunk/etc/auth.  From there, let's find the path of the sslRootCAPath file specified in server.conf splunk@curie:/opt/splunk/etc/auth$ grep sslRootCAPath ../system/local/server.conf sslRootCAPath = /opt/splunk/etc/auth/mycerts/chain.pem  Now that I know the active cert, I can make a backup copy of it just in case splunk@curie:/opt/splunk/etc/auth$ cp mycerts/chain.pem mycerts/chain.pem.2024-01-24 then append appsCA.pem to that file and restart Splunk. splunk@curie:/opt/splunk/etc/auth$ cat appsCA.pem >> mycerts/chain.pem splunk@curie:/opt/splunk/etc/auth$ splunk restart Worked like a charm.

If scheduled search is not being run it's typically due to one of two reasons: 1) it's disabled so it's not being scheduled 2) it's skipped due to SH(C) overload If I remember correctly, there could be some other rarer reasons typically connected with role capabilities (I think if a user created a scheduled search and then was revoked the schedule_search it could cause some problems or if the owner of the scheduled search was deleted and the search was orphaned). So you can either check which of your searches are disabled, which were skipped and alternatively you can check scheduler log for searches actually run and compare this list with the list of defined searches.

Here's the answer https://community.splunk.com/t5/Splunk-Search/how-to-use-a-field-as-timestamp-for-a-timechart/m-p/145037 Use strptime to format your field Opened_At and create a unixtimestamp Then assign that to _time    

Honestly, you just need two sources of truth. One for hardware, which I typically see in customer environments as tenable, crowdstrike, or some sort of application that scans most of the network devices that is reliable. One for identities, which I have used okta, ldap, or some sort of identities service. Then next I would create some spl that would look like the following: (This example I am using okta) index=prod_okta user=*@* | eval identity = user | rename profile.* AS * | eval prefix = honorificPrefix | eval nick = nickName | eval first = firstName | eval last = lastName | eval suffix = honorificSuffix | eval email = ciscoUsername | eval phone = primaryPhone | eval managedBy = manager | eval priority = debugContext.debugData.risk | eval bunit = coalesce(label,department) | eval category = actor.type | eval watchlist = admin_interest | eval startDate = thousandeyesStartDate | eval endDate = thousandeyesTermDate | eval work_city = city | eval work_country = country | eval work_lat = latitude | eval work_long = longitude | eval device_name = client.device | eval work_state = state | eval postal_code = postal | eval employee_num = employeeNumber | eval employee_status = employmentStatus | eval manager_id = managerId | eval manager_email = mgr_email | eval postal_address = postalAddress | eval sam_account_name = sAMAccountName | eval second_email = secondEmail | eval mobile_phone = mobilePhone | eval title = title | stats first(prefix) AS prefix first(nick) AS nick first(first) AS first values(last) AS last first(suffix) AS suffix first(email) AS email first(phone) AS phone first(managedBy) AS managedBy first(priority) AS priority first(bunit) AS bunit first(category) AS category first(watchlist) AS watchlist first(startDate) AS startDate first(endDate) AS endDate first(work_city) AS work_city first(work_country) AS work_country first(work_lat) AS work_lat first(work_long) AS work_long first(device_name) AS device_name first(work_state) AS work_state first(postal_code) AS postal_code first(employee_num) AS employee_num first(employee_status) AS employee_status first(manager_id) AS manager_id first(manager_email) AS manager_email first(postal_address) AS postal_address first(sam_account_name) AS sam_account_name first(second_email) AS second_email first(mobile_phone) AS mobile_phone first(title) AS title by identity | table identity prefix nick first last suffix email phone managedBy priority bunit category watchlist startDate endDate work_city work_country work_lat work_long epkey device_name work_state postal_code employee_num employee_status manager_id manager_email postal_address sam_account_name second_email mobile_phone title | append [| inputlookup okta_identies.csv] | stats first(prefix) AS prefix first(nick) AS nick first(first) AS first values(last) AS last first(suffix) AS suffix first(email) AS email first(phone) AS phone first(managedBy) AS managedBy first(priority) AS priority first(bunit) AS bunit first(category) AS category first(watchlist) AS watchlist first(startDate) AS startDate first(endDate) AS endDate first(work_city) AS work_city first(work_country) AS work_country first(work_lat) AS work_lat first(work_long) AS work_long first(device_name) AS device_name first(work_state) AS work_state first(postal_code) AS postal_code first(employee_num) AS employee_num first(employee_status) AS employee_status first(manager_id) AS manager_id first(manager_email) AS manager_email first(postal_address) AS postal_address first(sam_account_name) AS sam_account_name first(second_email) AS second_email first(mobile_phone) AS mobile_phone first(title) AS title by identity | outputlookup okta_identies.csv Hope this helps.