OK, let's take back the argument... upgrading from 7.x to 8.x, new servers, new infrastructure... same annoying message... We saw how to hide warning message icons in dashboards. Well, this is good! Now, how to set a threashold for the ms or remove the message at all from UI?   It becomes very very annoying!!!

Please take look at this blog post : https://www.linkedin.com/pulse/unveiling-secrets-enhancing-adobe-aem-performance-through-kulkarni-xrzec/ Optimizing Adobe AEM Site Performance: A Deep Dive with Splunk RZ/ SPL  

Looks like the HEC event is sending the "Request.body" field as a string literal and splunks KV_MODE=json (or INDEXED_EXTRACTION=json) is extracting it that way.  It should be possible to extract it from there still but if you want it extracted at search time you may need to either adjust the source sending the data to send "Request.body" as a valid json array or set up a calculated field in props.conf to get the desired fields extracted (regex is also an option using props/transforms) Here is some SPL of simulated data to give an example of what I think is going on and how Splunk is extracting the fields. | makeresults | eval _raw="{\"ParentId\": \"\", \"Request\": {\"type\": \"RequestLogDTO\", \"body\": \"[ { \\\"recordLocator\\\": \\\"RYVBNQ\\\" } ]\", \"hostname\": \"IT-SALI\" }", example="Example 1: JSON Payload sent with 'Request.body{}' as a string wrapped in quotes" | spath input=_raw | append [ | makeresults | eval _raw="{\"ParentId\": \"\", \"Request\": {\"type\": \"RequestLogDTO\", \"body\": [ { \"recordLocator\": \"RYVBNQ\" } ], \"hostname\": \"IT-SALI\" }", example="Example 2: JSON Payload sent with 'Request.body{}' as a json array (no quotes)" ``` The spath below would better represent how splunk would parse it at search time using KV_Mode=json if the array wasn't wrapped in double quotes ``` | spath input=_raw ] | fields - _time | fields + example, _raw, "Request.body", "Request.body{}.recordLocator" Output looks something like this. It is also possible to still get those fields in your search pipeline if that is the route you want to go. | makeresults | fields _ time | eval _raw="{\"ParentId\": \"\", \"Request\": {\"type\": \"RequestLogDTO\", \"body\": \"[ { \\\"recordLocator\\\": \\\"RYVBNQ\\\", \\\"depStartDate\\\": \\\"2023-12-14T14:00:19.671Z\\\", \\\"depEndDate\\\": \\\"2023-12-15T09:20:19.671Z\\\" } ]\", \"hostname\": \"IT-SALI\" }", example="Example 1: JSON Payload sent with 'Request.body{}' as a string wrapped in quotes" | spath input=_raw ``` This spath command should extract fields in "Request.body" fully and will be available with fieldnames formatted with a leading "{}" since it is an array ``` | spath input=Request.body | fields + _raw, Request.body, "{}.*"   Snapshot of the expected output From here you can rename the funky "{}.*" fields by doing the SPL | rename "{}.*" as *

@lujr ... may we know, when was the last time you used the Palo Alto networks app for, to  view and filter out network traffic activity.  if its very longer, then, probably, that feature may has become obsolete / replaced with "new name".   i installed the latest app - 8.1.1 (Nov 2023 release date)... this is having this "Network Security" Dashboad.. maybe this is what you are looking for, "maybe".   

one more questions pls... are you able to use "spath" splunk command to view each json field separately? https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Spath if yes, then, you can use regular expressions (rex) to search portion of the field u r looking to search. 

For those who like to learn the different error codes and their details: Possible error codes The following status codes have particular meaning for all HTTP Event Collector endpoints: Status code HTTP status code ID HTTP status code Status message 0 200 OK Success 1 403 Forbidden Token disabled 2 401 Unauthorized Token is required 3 401 Unauthorized Invalid authorization 4 403 Forbidden Invalid token 5 400 Bad Request No data 6 400 Bad Request Invalid data format 7 400 Bad Request Incorrect index 8 500 Internal Error Internal server error 9 503 Service Unavailable Server is busy 10 400 Bad Request Data channel is missing 11 400 Bad Request Invalid data channel 12 400 Bad Request Event field is required 13 400 Bad Request Event field cannot be blank 14 400 Bad Request ACK is disabled 15 400 Bad Request Error in handling indexed fields 16 400 Bad Request Query string authorization is not enabled   more info on HEC troubleshooting: https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/TroubleshootHTTPEventCollector   thanks, have a great day! 

well, this requires some testing to find out whether this is really an issue.  if yes, then, my view is... the forwarder mgmt in DMC works as per its design. it may have some "frequency" of when to read and load the fwders info. at times some "small delay" is accepted.  if no, then, may we know, your splunk version details pls. could you pls suggest what delay you felt.. i will try to find more details for you.  thanks for learning splunk. have a great day! 

@heskez Hello there, I am having this same issue (stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 5206) were you able to get this resolved? If so, how did you fix it? I've searched for documentation and not specific to this problem. Thanks

That's a fair question.  So, first let me break the search to a less nested form, then describe the intentions/semantics. (As always, consult syntax and usage in Search Reference.)     | makeresults | eval ip = split("119.0.6.159,62.0.3.75,63.0.3.84,75.0.3.80,92.0.4.159", ",") ``` data emulation above ``` | eval idx = mvrange(0,4) | foreach ip mode=multivalue [| eval interim1 = split(<<ITEM>>, "."), interim2 = mvmap(idx, printf("%.3d", tonumber(mvindex(interim1, idx)))), interim3 = mvjoin(interim2, "."), sorted_ip_padded = mvappend(sorted_ip_padded, interim3)] | eval sorted_ip_padded = mvsort(sorted_ip_padded) | foreach sorted_ip_padded mode=multivalue [| eval interim4 = split(<<ITEM>>, "."), interim5 = mvmap(idx, printf("%d", tonumber(mvindex(interim4, idx)))), interim6 = mvjoin(interim5, "."), sorted_ip = mvappend(sorted_ip, interim6)]     (I'm using a different approach to fill your homework from @tscroggins's proposal because foreach is easier to break down.  I also use a more symmetric approach so it can be explained more readily.) Here is a key card behind the formula: split An IPv4 address will result will contain a 4-element array, indexed from 0 to 3. mvrange Generate a 4-element array with values from 0 to 3. mvsort This is lexicographic sort of array elements.  For 0-padded IPv4 addresses, it is equivalent to numeric sort that you desired. printf Pad and unpad To examine the formula, first take a look at output below: idx interim1 interim2 interim3 interim4 interim5 interim6 ip sorted_ip sorted_ip_padded 0 1 2 3 92 0 4 159 092 000 004 159 092.000.004.159 119 000 006 159 119 0 6 159 119.0.6.159 119.0.6.159 62.0.3.75 63.0.3.84 75.0.3.80 92.0.4.159 62.0.3.75 63.0.3.84 75.0.3.80 92.0.4.159 119.0.6.159 062.000.003.075 063.000.003.084 075.000.003.080 092.000.004.159 119.000.006.159 Inside the foreach loop, the following steps are followed: Breakdown IPv4 into octets. (interim1, interim4) Pad/unpad each octet. (interim2, interim5) Reassemble IPv4 with/without padding. (interim3, interim6) Assemble padded/unpadded IPv4 into array. (sorted_ip_padded, sorted_ip) Now, the only nested element is padding/unpadding: mvmap(idx, printf("%.3d", tonumber(mvindex(interim1, idx))))/mvmap(idx, printf("%d", tonumber(mvindex(interim4, idx)))).  Because of the way tonumber works in SPL, it cannot be broken down further.  But the principle is not too complicated.  idx is the index of octet.  So, it is an iteration of printf("%d", octet) over each octet, where octet = mvindex(interim4, idx) wrapped in tonumber(). Hope this helps.