Depending on what you mean by webhook - as @_JP already pointed out, Http Event Collector is one of the main and most often used ways of input. Also you can call Splunk using REST to perform various actions - see https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTlist (actually pushing events to HEC is also using one of those REST endpoints).

Also sometimes change on the source (like version upgrade) can result in change in log format/level of detail even without changing loglevel (i.e. new software versions logs additional fields in the events).

Sorting values in a multi-value field of IP addresses involves arranging the IPs in a specific order. Here's a simple way to do it: Separate IP Addresses: If your multi-value field contains multiple IPs in a single string, separate them into individual values. Convert IPs to Numeric Format: Convert each IP address to its numeric equivalent. You can do this by treating each part of the IP as a number and combining them. Sort Numeric Values: Sort the numeric representations of the IPs in ascending or descending order, depending on your preference. Convert Back to IP Format: Once sorted, convert the numeric values back to IP address format. Example: Suppose you have IP addresses like "192.168.1.2," "10.0.0.1," and "172.16.0.5." Separate: ["192.168.1.2", "10.0.0.1", "172.16.0.5"] Convert: [3232235778, 167772161, 2886729733] Sort: [167772161, 2886729733, 3232235778] Convert Back: ["10.0.0.1", "172.16.0.5", "192.168.1.2"] You can use programming languages like Python or JavaScript for this task. Always consider the specific requirements of your project and the tools available for your development environment.

Well, you're trying to force Splunk to do something it's not designed to do. You can have real-time search with Splunk but the real-time searches are not a very good solution and there are very limited use cases when their use is reasonable. They have their limitations and they hog up resources (each real-time search blocks a single CPU _on every participating indexer_). You can use a report with a minute schedule (but bear in mind that depending on the load, a search can be delayed or skipped altogether!) or create a dashboard with a relatively frequent refresh period. But all those walkarounds are fairly "heavy" for your environment since you're spawning a new search often (and spawning a search is a relatively complicated process). Splunk Enterprise is not really a real-time monitoring solution (even though it has some functionality that does real-time stuff) so forcing it to do something like that might end in disappointment.

I'm testing the code you posted and indeed something is very strange.  It is like base0 is not configured correctly.  Any thing chained to it cannot return anything unless it is a semantic noop like "| search *". I also see the method you experimented in that code using base1.  For now you can use that as a workaround.  I will continue to see what's wrong with base0 search.

Think I have the solution Given the base search is in fact not really a search, but a reference to and index: index=_internal It seems that as no pipeline exists, this seems to break the chain, as perhaps arguably there is no real search to begin with.   By changing my base (base2) search as follows (which combines base0 and base0chain1a) this creates a pipeline index=_internal | search useTypeahead=true This then allows be to extend it further with an additional chained search successfully: | stats count This provides me with the expected behaviour, shown in the bottom row of graphs.

Hi @jhooper33, no, I asked to share the search that caused the message "regex too long", not the lookup, to understand what could be the issue on the regex. I hint to explore the use of summary indexes or a Data Model instead a lookup if you have too many rows. Ciao. Giuseppe  

Hi @gcusello, Thank you for the response. I did not create this csv only working with it from past co workers. So I have been spending a bit of time trying to fix this issue. I've tried to find any regex issues with this file but it's a little difficult with how many lines there are. Are you asking if I can share the lookup file? And as far as using a summary index, this is something I haven't tried yet.

Hi @jhooper33, the error messge seems to be related to the regex contained in the search, it doesn't seem to be related to the lookup, could you share it? Anyway more than 50,000 lines is a max limit for a lookup , use a summary index instead a lookup. Ciao. Giuseppe

Hi @madhav_dholakia, your process is ok, only one questions: if the report is refreshed every minute, whay do you refresh panel every 15 seconds? iy's unuseful! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated

Hi @Thats_my_usrnme , you have to use Deployer to send the first version of an app to SHs. Then every configuration update (made by GUI) is replicated to all the other Cluster members, but not to the Deployer. If you have to make an update to the app, you have still to do it by Deployer but, anyway, the updated made on the members by GUI remain because they are in the local folders. If you try to make an update directly to a conf file it isn't replicated to the other members. You can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.2/DistSearch/AboutSHC and https://www.youtube.com/watch?v=VPa3EjqD8Q4 Ciao. Giuseppe