Hi @madhav_dholakia , Unfortunately, Splunk Dashboard Studio does not support a full set of features for Tokens like Simple XML dashboards. So I doubt if something like this complex requirement can be implemented.   You can try creating last months static in the dropdown, and that may work I think like, and then manually update the dashboard every month.   I hope this helps!!! Kindly upvote if it does!!!

@a_kearney - How many Search heads do you have in a cluster? Are any cluster members down? In recent incidents of cluster members being down? Are you also seeing "Consider a lower value of conf_replication_max_push_count" warning messages in your logs?? Usually "consecutiveErrors=1" isn't bad, unlike in your situation it happens a lot, which is concerning.   I hope this helps!!! Kindly upvote if it does!!!

Hi @krutika_ag ... what @richgalloway said was an excellent answer.  For Splunk newbies, let me rephrase it(the url link for your ref -  https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/Monitorfilesanddirectories) as follows: How the forwarder monitors archive files In order to monitor archived files, forwarders decompress archive files, such as a TAR or ZIP file, prior to processing. Splunk then processes these files in a "single threaded format" (there are pros and cons, but that is a different topic). The following types of archive files are supported: TAR GZ BZ2 TAR.GZ and TGZ TBZ and TBZ2 ZIP Z If you add new data to an existing archive file, the forwarder reprocesses the entire file rather than just the new data. This can result in event duplication. so, to avoid duplication, you should monitor the whole archive file.  Lets say if these files are small, then you can monitor the whole archive and the license usage may not be impacted so much (the search time vs index time... should be considered clearly and well planned for this task).  One more thing to consider: are you using UF or HF      --- or both      ---- or neither(you may directly upload thru SH GUI) - Splunk Support does not support this deployment model)    hope this helped some new Splunkers, thanks. 

Hi @krutika_ag , let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors

This is the query that helped me get the required output. index=_internal sourcetype=splunkd | stats count by source,host | regex source="(?:\/|\x5c)splunkd\.log$" | rex field=source "(?<installation_path>.*)(?:\/|\x5c)var(?:\/|\x5c)"

Everything ingested by Splunk should have props.conf settings.  Start with the "Great 8": LINE_BREAKER, SHOULD_LINEMERGE, TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, TRUNCATE, EVENT_BREAKER_ENABLE, and EVENT_BREAKER. Field extraction from events like this are tricky because the field delimiter is also an allowed character within a field.  It means using lookahead to determine if the current character is part of a field name or field value.  As it turns out, Splunk is not great with lookahead.  Try these settings to see if they work for you. Props.conf:     [mysourcetype] SHOULD_LINEMERGE=true LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true TIME_PREFIX=\s\d\s TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z TRANSFORMS-extract = tripwire_fields TRUNCATE = 10000 EVENT_BREAKER_ENABLE = true EVENT_BREAKER = ([\r\n]+)     Transforms.conf:     [tripwire_fields] REGEX = (\w+)=(.*?)(?=\s\w+=) FORMAT = $1::$2    

Most Simplified Explanation != is a field expression that returns every event that has a value in the field, where that value does not match the value you specify. Events that do not have a value in the field are not included in the results. For example, if you search for Location!="Calaveras Farms", events that do not have Calaveras Farms as the Location are returned. Events that do not have Location value are not included in the results. On the other hand, NOT is an operator that returns every event except the events that contain the value you specify. This includes events that do not have a value in the field. For example, if you search using:  NOT Location="Calaveras Farms", every event is returned except the events that contain the value “Calaveras Farms”. This includes events that do not have a Location value.   Here’s an example to illustrate the difference between the two methods. Suppose you have the following events: Table   ID Name Color Location 101M3 McIntosh Chestnut Marin Meadows 104F5 Lyra Bay   104M6 Rutherford Dun Placer Pastures 101F2 Rarity   Marin Meadows 102M7 Dash Black Calaveras Farms 102M1 Roan     101F6   Chestnut Marin Meadows 104F4 Pinkie Sorrel Placer Pastures If you search with Location!="Calaveras Farms", every event that has a value in the Location field, where that value does not match Calaveras Farms, is returned. Events that do not have a value in the Location field are not included in the results. The following events are returned: Output Table   ID Name Color Location 101M3 McIntosh Chestnut Marin Meadows 104M6 Rutherford Dun Placer Pastures 101F2 Rarity   Marin Meadows 101F6   Chestnut Marin Meadows 104F4 Pinkie Sorrel Placer Pastures   If you search with NOT Location="Calaveras Farms", every event is returned except the events that contain the value Calaveras Farms. This includes events that do not have a Location value. The following events are returned: Output Table   ID Name Color Location 101M3 McIntosh Chestnut Marin Meadows 104F5 Lyra Bay   104M6 Rutherford Dun Placer Pastures 101F2 Rarity   Marin Meadows 102M1 Roan     101F6   Chestnut Marin Meadows 104F4 Pinkie Sorrel Placer Pastures

Hi @Gomathy.Govindarajan,  I recently started using this community little regularly now, I see you posted it quite sometime back. Did you able to find solution for your issue? If yes, would you mine to post the solution you applied, will help me and may help others as well. Thank you, Mahendra Shetty 

I appreciate all the help and apologize for my late response. I am still a low man on the totem pole and been trying to research more into this with the recommendations. The file gets automatically updated periodically with all the new intel we ingest, this one specifically regarding malicious URLs. My higher up suggested recently a recommendation from a 13 year old Splunk community post to try and fix this issues. (https://community.splunk.com/t5/Splunk-Search/Lookup-table-Limits/m-p/75336) I am not familiar with this recommendation so need to look into it. If anyone believes this is not a good recommendation from a 13 year old post then please let me know. Thank you very much.

I think the addition of a few evals can account for the error line as well. Maybe something like this? <base_search> | rex field=_raw "Processing\s+(?<process>[^\-]+)\-" | rex field=_raw "Person\s+Name\:\s+(?<person_name>[^\,]+)\," | sort 0 +_time | streamstats reset_before="("isnotnull(process)")" values(process) as current_process | streamstats window=2 first(_raw) as previous_log | rex field=previous_log "Person\s+Name\:\s+(?<previous_log_person_name>[^\,]+)\," | eval checked_person_name=if( match(previous_log, "\-Check\s+for\s+Person\-"), 'person_name', null() ), status_error_person=if( match(previous_log, "Person\s+Name:\s+") AND match(_raw, "\-error\s+in\s+checking\s+status"), 'previous_log_person_name', null() ) | stats min(_time) as _time by current_process, status_error_person | fields + _time, current_process, status_error_person