Hi @SplunkySplunk  All three are three big concepts and looks like you have done some studying on the Splunk docs(if not, the links are below).  maybe you should ask your requirements more clearly.. so there will be better answers. thanks.    https://docs.splunk.com/Documentation/Splunk/9.1.2/Knowledge/Usesummaryindexing https://docs.splunk.com/Documentation/Splunk/9.1.2/Knowledge/Aboutdatamodels https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Knowledge/Manageacceleratedsearchsummaries  

Sure. But how do you define "assets"? How do you differentiate between them? Because while you can use the general approach of combining two separate searches (either by means of append or multisearch) with additional field to classify your results into one of two sets, there might be more effective ways in specific cases.

Hi @kyokei, this is another question, even if on the same data. Anyway, if you want to discard a part of your events at index time, you have to use the SEDCMD command in your props.conf [your_sourcetype] SEDCMD = s/^([^,]*,)([^,]*,)(.*)/([^,]*,)()(.*)/g Ciao. Giuseppe

makeresults can be used to generate search results. An example from the documentation. | makeresults | eval test="buttercup rarity tenderhoof dash mcintosh fleetfoot mistmane" | makemv delim=" " test | mvexpand test _time test 2024-01-01 00:00:00 buttercup 2024-01-01 00:00:00 rarity 2024-01-01 00:00:00 tenderhoof 2024-01-01 00:00:00 dash 2024-01-01 00:00:00 mcintosh 2024-01-01 00:00:00 fleetfoot 2024-01-01 00:00:00 mistmane   Then you can use `search` or any other commands as usual. | makeresults | eval test="buttercup rarity tenderhoof dash mcintosh fleetfoot mistmane" | makemv delim=" " test | mvexpand test | search test="m*" _time test 2024-01-01 00:00:00 mcintosh 2024-01-01 00:00:00 mistmane

Hi, forgive my English, I'm using a translator. About the problem it is better that you send a ticket to Splunk directly, it seems to be a bug in the end I gave up because whenever they ask about the version of splunk they always make the excuse that they do not support old versions of Splunk, in this case although it is true that I was using an old version of Splunk clearly the problem was the add-on.

Hi @gcusello , With your help i am able to extract the timestamp, _time = 23-11-26 01:20:51.500 AM but _time is same for each event. 23-11-26 01:20:51.500 AM, +0.000000000E+00,+2.90500E+00,0 23-11-26 01:20:51.500 AM,+1.000000000E-01,+1.45180E+01,0 23-11-26 01:20:51.500 AM,+2.000000000E-01,+7.93600E+00,0 23-11-26 01:20:51.500 AM,+3.000000000E-01,+3.60100E+00,0 23-11-26 01:20:51.500 AM,+4.000000000E-01,+3.19100E+00,0 23-11-26 01:20:51.500 AM,+5.000000000E-01,+3.17300E+00,0   How can i achieve below format during data ingest? 23-11-26 01:20:51.500 AM, +2.90500E+00,0 23-11-26 01:20:51.600 AM, +1.45180E+01,0 23-11-26 01:20:51.700 AM, +7.93600E+00,0 23-11-26 01:20:51.800 AM, +3.60100E+00,0 23-11-26 01:20:51.900 AM, +3.19100E+00,0 23-11-26 01:20:52.000 AM, +3.17300E+00,0 Basically, add those duration under time to the trigger time to create _time. "Time","U1-2[]","Event" +0.000000000E+00,+2.90500E+00,0 +1.000000000E-01,+1.45180E+01,0 +2.000000000E-01,+7.93600E+00,0 +3.000000000E-01,+3.60100E+00,0 +4.000000000E-01,+3.19100E+00,0 Thanks a lot for your help.

@PickleRick Thanks for the reply. Please, ignore both searches. What I want to pull out the total unique assets in the DHCP source. I then want to be able to compare to the totals of unique assets in the SysMon source and output these assets that do not have SysMon present. Thanks in advance.

If you look into outputs.conf specs, you'll see that it supports both SQS output as well as RFS output which should be able to write into S3 buckets. Never used them myself though so I have no idea how they work and whether they require HF or if they will work with UF as well (I suspect the former).

It's not clear how you distinguish your "sources". Your first search simply pulls data from two separate indexes while the second one does something completely strange. Please describe what constitutes those sets of sources you want to calculate difference from.