1. I don't understand how removing unused apps would save you money (apart from premium apps like ES or ITSI, but here you should know already if your company is using them). There is a small number of paid apps for Splunk but they are - if I remember correctly - typically associated with particular input types so you need them if you ingest data of given kind. 2. An app upgrade typically (if the app is properly written) just boils down to deploying a new version of an app. The new app version should contain new default files but should leave your local settings untouched. But. 3. There might be some apps which introduce some incompatibilities across versions and need additional things to be done after upgrade. To find out what those are you need to check the app's docs. There is no other way. 4. The method of deploying new versions of your apps will greatly depend on your environment architecture - whether you use clustering on your search-heads and indexers, if you push apps from deployment server, what push mode do you use on your SHC deployer (if applicable). This might be as easy as going to the apps menu and clicking "upgrade" a few times, but can be much more complicated. EDIT: Sorry, I didn't notice you posted this in the Cloud section. In this case the "main" part should be easier (but if there are apps manually added - not from splunkbase), you'd need to go through vetting new versions again. But you'll need to upgrade apps on DS/HFs/UFs as well which _probably_ (unless you manage everything by hand) means uploading new versions to the DS and letting the clients download and deploy it.

thanks for the reply but  I want the total count when the timeval is latest. (in this case 2023), so according to my lookup result should be 2. with BIE count is 0 and  RAD count is 2 so 0+2=2. Hope this helps in understanding

If you want to just get some statistical report on data read from your lookup, use the inputlookup command. Like | inputlookup mylookup | stats count will give you number of rows in your lookup. You can do any operation on fields read from the lookup that you would normally do in a "normal" event search.

Actually, SplunkWeb crashes in the "preview" stage of creating a new input so I can't even create the input that way. That is why I'm using the Python SDK (which is basically the REST API) and I very much see that error message in the debug log so it's not a SplunkWeb issue at all.

Hi @bowesmana , the lookup (outside the Data Model) correctly runs, for this reason I opened the question in Community, because it seems that there's an issue in the lookup usage in the Data Model. Ciao. Giuseppe

Thank you very much @dtburrows3!! I can see the results for each application but looks like the map does not work for me. I also tried to use just sendemail command but it does not work either. When i give the email id manually i can see an email getting triggered but not when i use the field name which has email id's. Can you provide suggestion on this? Thanks in advance!

Hi @inventsekar , Here is my SPL for Missle Map, | tstats `security_content_summariesonly` count from datamodel=Intrusion_Detection.IDS_Attacks where (NOT IDS_Attacks.src IN(192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 8.8.8.8, 0.0.0.0, 1.1.1.1, 0:0:0:0:0:0:0:1,"unknown",34.87.171.169 )) NOT IDS_Attacks.severity IN (low, informational) by IDS_Attacks.src | rename IDS_Attacks.* as * | eval animate="true" | iplocation dest prefix=end_ | iplocation src prefix=start_ | eval end_lat=if(isnull(end_lat),21.007647, end_lat) | eval end_lon=if(isnull(end_lon),105.807235, end_lon) | eval color = case(count <= 100, "#8fce00", count > 100 AND count <= 300, "#ed8821", 1=1, "#f44336") | eval end_City="Hanoi", end_Country="Vietnam", end_Region="Hanoi" | sort -count | dedup start_Country | table animate color count dest end_City end_Country end_Region end_lat end_lon src start_City start_Country start_Region start_lat start_lon

Here's a one-liner that handles both decimal and hexadecimal code points: | eval name=mvjoin(mvmap(split(name, ";"), printf("%c", if(match(name, "^&#x"), tonumber(replace(name, "&#x", ""), 16), tonumber(replace(name, "&#", ""), 10)))), "") You can also pad the value with XML tags and use the spath command: | eval name="<name>".name."</name>" | spath input=name path=name or the xpath command: | eval name="<name>".name."</name>" | xpath outfield=name "/name" field=name However, avoid the xpath command in this case. It's an external search command and requires creating a separate Python process to invoke $SPLUNK_HOME/etc/apps/search/bin/xpath.py.

Hi @tmaoz, The errors are reported when onboarding data through Splunkweb; however, if you're using INDEXED_EXTRACTIONS = csv, for example, the fields should be present in the index itself. You can verify this with the walklex command after indexing your CSV file: | walklex index=xxx type=field | table field You may need to increase the [kv] indexed_kv_limit settings in limits.conf or set it to 0 to disable the limit.

Here's an example that extracts all the &#nnnn; sequences to a multivalue char field, which is then converted to the chars MV. It seems like the mvdedup can be used to remove duplicates in each case and the ordering appears to be preserved between the to MVs, so then the final foreach will replace that inside name | makeresults format=csv data="id,name 1,&#1040;&#1083;&#1077;&#1082;&#1089;&#1077;&#1081;" ``` Extract all sequences ``` | rex field=name max_match=0 "\&#(?<char>\d{4});" ``` Create the char array ``` | eval chars=mvmap(char, printf("%c", char)) ``` Remove duplicates from each MV - assumes ordering is preserved ``` | eval char=mvdedup(char), chars=mvdedup(chars) ``` Now replace each item ``` | eval c=0 | foreach chars mode=multivalue [ eval name=replace(name, "\&#".mvindex(char, c).";", <<ITEM>>), c=c+1 ] You could make this a macro and pass a string to the macro and the macro could do the conversion. Note that fixing the ingest is always the best option, but this can deal with any existing data. Assumes you're running Splunk 9