@bowesmana @yuanliu  Thank you for your help. I understand now if I want to use Student="Total", I just use the following | addcoltotals labelfield=Student label=Total | eval Score = if(Student="Total", floor(Score) + 1, Score) if I leave the label blank, I can use | eval Score = if(isnull(Student), floor(Score) + 1, Score)

That is correct, but an indexer cluster would not solve that problem. I suggest having two HFs in an active/warm standby configuration.  There would need to be some means to copy state information from the active HF to the standby.  That would be a non-Splunk solution.

You should be able to utilize built in Splunk JSON commands and/or JSON functions to build out valid STIX 2.1 objects from Splunk events. Here is some sample SPL to give you an example of how to build out the json from individual fields in Splunk. | makeresults | fields - _time ``` gen properties data ``` | eval enum=split("attack-pattern|campaign", "|"), description="The type of this object, which MUST be the literal `attack-pattern`.", type="string" | tojson str(enum) str(type) str(description) output_field=properties | fields - enum, type, description ``` gen ID data ``` | eval title="id", pattern="^attack-pattern--" | tojson str(title) str(pattern) output_field=id | fields - title, pattern ``` gen Name data ``` | eval type="string", description="The name used to identify the Attack Pattern." | tojson str(type) str(description) output_field=name | fields - type, description ``` gen description data ``` | eval type="string", description="A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics." | tojson str(type) str(description) output_field=description | fields - type, description ``` gen kill_chain_phases data ``` | eval "$ref"="../common/kill-chain-phase.json" | tojson str($ref) output_field=items | fields - "$ref" | eval type="array", description="The list of kill chain phases for which this attack pattern is used.", minItems=1 | tojson str(type) str(description) json(items) num(minItems) output_field=kill_chain_phases | fields - minItems, items, description, type | tojson json(properties) json(type) json(id) json(name) json(description) json(kill_chain_phases) output_field=allOf | fields - properties, type, id, name, description, kill_chain_phases | eval ref="../common/core.json" | tojson str(ref) output_field=allOf_2 | eval allOf=mvappend( 'allOf_2', 'allOf' ) | fields - allOf_2 | eval required="name", type="object", description="Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. ", title="attack-pattern", "$schema"="http://json-schema.org/draft-04/schema#" | tojson str($schema) str(title) str(description) str(type) json(allOf) str(required) output_field=stix_2_payload | fields + stix_2_payload   For this example I used a generative command to put together sample data first, but if you are building from a Splunk event then the fields should all be derived from _raw or already extracted. The example is more of a demonstration on how to build a valid STIX 2.1 json object using Splunk. Below is the json object build out from the SPL above. { "$schema": "http://json-schema.org/draft-04/schema#", "allOf": [ { "ref": "../common/core.json" }, { "id": { "pattern": "^attack-pattern--", "title": "id" }, "kill_chain_phases": { "description": "The list of kill chain phases for which this attack pattern is used.", "items": { "$ref": "../common/kill-chain-phase.json" }, "minItems": 1, "type": "array" }, "name": { "description": "The name used to identify the Attack Pattern.", "type": "string" }, "properties": { "description": "The type of this object, which MUST be the literal `attack-pattern`.", "enum": [ "attack-pattern", "campaign" ], "type": "string" } } ], "description": "Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. ", "required": "name", "title": "attack-pattern", "type": "object" }

The only inputs that should be enabled on an indexer are those that query the local server.  Otherwise, data duplication may results. Per the SentinelOne installation instructions, the inputs app should be installed on a heavy forwarder.  No matter what the indexer configuration is, the IA goes on a HF.  Only the TA should be installed on the indexers. FTR, it is not necessary to use an index cluster to have high availability on ingest.  HA on ingest is provided by having forwarders distribute data across more than one indexer.  Indexer clusters protect the data by having multiple copies of it.  The extra copies offer HA at search time.

I have the same issue.. Is there a way? I tried writing into submitted token model inside "on" call but cannot "get" the token on the higher level. On the console I can see that it was indeed writen into the token though.

Hi!  Thanks for taking the time, sadly this didn't work out for me.  Ideally if I can keep the same format of:  | timechart span=1s count AS TPS | eventstats max(TPS) as peakTPS | eval peakTime=if(peakTPS==TPS,_time,null()) | stats avg(TPS) as avgTPS first(peakTPS) as peakTPS first(peakTime) as peakTime | fieldformat peakTime=strftime(peakTime,"%x %X") With the addition of a couple lines for Min TPS and when it took place that would be ideal. 

Hello @WanLohnston you can try something like this :   | timechart span=1d count(myfield) as nb_myfield | eventstats min(myfield) as min_fields max(myfield) as max_fields avg(myfield) as moy_fields