Thank you for the reply. The end goal of the exercise is to build a report for agents that are not updated in the last 24 hours and not updated in the last 7 days. That is why I try to extract the last time of update and last date of update.
It is interesting because the mechanics itself works. You can verify it by replacing count(eval()) with a temporary field:
| stats count(eval(condition))
is equivalent to
| eval tempfield=if(condition,something,null())
| stats count(tempfield)
So you can rework your search to contain explicit helper fields instead of eval-ed counts and see if they are counted properly and if they are evaluated properly.
I have a CSV export from splunk, and two of the columns are timestamps. Both were converted to human-readable using convert ctime(fieldname) in the splunk query, and show as decimal numbers in the CSV file. For example, 01/03/2024 12:49:48.192 is represented as 45294.5345855556 in the CSV file. How do I convert that decimal to a human-readable timestamp in Excel? Thanks!
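The decimal in the CSV is an Excel serial date (whole part = days, fraction = fraction of a day). As an added example, not part of the thread, the conversion below reproduces the poster's value in Python; it assumes Excel's default 1900 date system, in which serial day 0 is 1899-12-30 (the offset that absorbs Excel's fictitious 1900-02-29).

```python
from datetime import datetime, timedelta

# Excel's default (1900) date system: serial day 0 is 1899-12-30, because Excel
# treats the non-existent 1900-02-29 as a real day. Fractions are fractions of a day.
EXCEL_EPOCH = datetime(1899, 12, 30)

def excel_serial_to_datetime(serial: float) -> datetime:
    """Convert an Excel serial date/time to a datetime, rounded to the millisecond.

    Rounding matters: a CSV value such as 45294.5345855556 carries only ~10
    decimal places, so the raw fraction lands a few microseconds off the true
    instant that Splunk's ctime() printed.
    """
    if serial < 61:
        # Serials 1..60 sit before Excel's leap-year bug and use a different offset.
        raise ValueError("serials before 1900-03-01 need the 1899-12-31 epoch")
    days = int(serial)
    millis = round((serial - days) * 86_400_000)
    return EXCEL_EPOCH + timedelta(days=days, milliseconds=millis)

def datetime_to_excel_serial(dt: datetime) -> float:
    """Inverse conversion, e.g. to check a Splunk timestamp against the CSV value."""
    delta = dt - EXCEL_EPOCH
    return delta.days + delta.seconds / 86_400 + delta.microseconds / 86_400_000_000

def format_like_ctime(dt: datetime) -> str:
    """Render in the same %m/%d/%Y %H:%M:%S.mmm shape that Splunk's ctime() produced."""
    return dt.strftime("%m/%d/%Y %H:%M:%S.") + f"{dt.microsecond // 1000:03d}"

if __name__ == "__main__":
    # Input value taken from the question above
    print(format_like_ctime(excel_serial_to_datetime(45294.5345855556)))
```

Inside Excel itself the equivalent is a cell format (or TEXT()) with a pattern like mm/dd/yyyy hh:mm:ss.000, since the serial already is the timestamp.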
3. Most importantly - why would you use json functions when pan:traffic format does not have anything to do with json? (unless you have some completely non-standard configuration we know nothing about).
I have no idea, I was following some ingest_eval examples and was confused why they were always using json functions; I kind of assumed it was just some way splunk was interpreting it in the backend. How else would I go about accomplishing this at ingest? For the first two questions - it's in system/local and the lookups are globally available.
Hi, how about something like
index=test_index
| rex "\.(?<TestMQ>.*)\@"
| chart count by TestMQ Priority
r. Ismo
PS. Please use the </> option when you are writing some SPL etc. That way it's formatted correctly and we can be sure that what we are seeing is what you have written.
First thing to verify would be to check your _internal logs for the sendemail.py activity and see whether it reports sending the email with the full subject (you won't see the message contents in the log) or a truncated one. This way you'll know whether it's something between Splunk and the sendemail.py script, or something in sendemail.py/between it and your email server.
Hi, this should work as expected and documented. The only thing is: what do you have in $email$ and where have you set it? And where are you calling this partial SPL? I suppose that this csv file prefix is fixed and you cannot change it? r. Ismo
Hi, this could explain that behaviour to you: https://docs.splunk.com/Documentation/Splunk/9.1.2/DMC/Configurefeaturemonitoring Based on these instructions you could see what those health messages mean. r. Ismo
Hi @gcusello Thank you for your kind response. I tried the suggested approach but the result is the same. This gives me a result like the example below:
TestMQ | TotalCount | Low | Medium | High
MQNam1 | 120 | 0 | 0 | 0
MQNam2 | 152 | 0 | 0 | 0
The problem is that I am getting a "0" value for the Low, Medium & High columns - which is not correct. I want to combine both the stats and show the group by results of both the fields. Please suggest.
Hi, based on those warnings: You have some files in your app which have something other than 0644 as umask (owner r+w; group + other read only). You should fix this to avoid a security issue. You have at least one dashboard which doesn't have the "<... version=1.1>" element in its header. r. Ismo
Hi, there are excellent presentations from .conf about joining data sets without join, e.g. https://conf.splunk.com/watch/conf-online.html?search=PLA1528B#/ r. Ismo
Hi, you also must have a working email sending feature configured on your splunk. You could test this with the sendemail command, like
index=*
| head 1
| stats count
| sendemail to="<your email address>" subject="Testing Splunk email sending"
If this sends an email to you, then email sending is configured and in use. Otherwise your Splunk admin needs to configure it with your organisation's email operator. After that you could use the email action in the Alert configuration. r. Ismo
In which AOB version was your app built? Is it so old that it supports only Python2, or is there also Python3 support? It seems that current AOB versions from 3.0.+ support only python3 versions. I'm not sure, but I expect that older versions contain libraries like .../aob_py2/... or are even without that directory? Is it possible for you to get up a dev environment which contains that original AOB version and that app too? Then just check what that AOB says about it. If it works, then follow up on how to update AOB to some recent version. Another option (maybe) could be that you install that app on your current dev environment, then add the current AOB version and try again whether it can manage that app or not. A third option is just to forget AOB and build that app from scratch if possible, or use AOB and start from scratch with it.
How are you getting SCC events into Splunk? Are you using the add-on (https://splunkbase.splunk.com/app/6426)? Have you seen the docs at https://cloud.google.com/security-command-center/docs/how-to-configure-scc-splunk?
Hi, unfortunately (at least as far as I know) there are no separate endpoints to get splunk audit logs. But you could get those by using the search endpoint: https://docs.splunk.com/Documentation/Splunk/9.1.2/RESTREF/RESTsearch Just create some saved searches which give you the needed information and then call those, or use ad hoc queries over the REST API. r. Ismo
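As an added example (not Ismo's code and not a Splunk-provided client), the script below shows the ad hoc route he describes: posting an _audit search to the streaming export endpoint under the REST search reference he links, then filtering the newline-delimited JSON that comes back. The management URL, the bearer token and the sample response are placeholders constructed for this example.

```python
import json
import urllib.parse
import urllib.request

# Constructed placeholders: management port of your instance and an auth token
SPLUNK_URL = "https://splunk.example.invalid:8089"
TOKEN = "<splunk-auth-token>"

def build_export_request(base_url, token, spl, earliest="-24h", latest="now"):
    """POST to /services/search/jobs/export, which streams results back instead
    of creating a job to poll. SPL sent to the API must begin with 'search' or
    a leading pipe, so normalise that first."""
    spl = spl.strip()
    if not (spl.startswith("search ") or spl.startswith("|")):
        spl = "search " + spl
    body = urllib.parse.urlencode({
        "search": spl, "output_mode": "json",
        "earliest_time": earliest, "latest_time": latest,
    }).encode()
    req = urllib.request.Request(base_url + "/services/search/jobs/export",
                                 data=body, method="POST")
    req.add_header("Authorization", "Bearer " + token)  # assumes a Splunk JWT token
    return req

def parse_export_stream(text):
    """One JSON object per line; preview rows may appear while the search is
    still running, so keep only final rows that carry a 'result'."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        obj = json.loads(line)
        if not obj.get("preview") and "result" in obj:
            rows.append(obj["result"])
    return rows

def failed_logins(rows):
    """Example report: audit rows recording a failed login attempt."""
    return [r for r in rows
            if r.get("action") == "login attempt" and r.get("info") == "failed"]

# Constructed sample of what the stream looks like for index=_audit
SAMPLE_STREAM = "\n".join([
    json.dumps({"preview": True, "offset": 0, "result": {"user": "alice", "action": "search"}}),
    json.dumps({"preview": False, "offset": 0, "result": {"user": "alice", "action": "search", "info": "granted"}}),
    json.dumps({"preview": False, "offset": 1, "lastrow": True,
                "result": {"user": "bob", "action": "login attempt", "info": "failed"}}),
])

if __name__ == "__main__":
    req = build_export_request(SPLUNK_URL, TOKEN, 'index=_audit action="login attempt"')
    print(req.full_url, req.data)           # send with urllib.request.urlopen(req)
    print(failed_logins(parse_export_stream(SAMPLE_STREAM)))
```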
Hey, is there a way in which I can export my dashboard as a PDF using python and splunk-sdk, so as to get the same result you would if you clicked on the export button?