Hi @AL3Z, Windows event log events are stored by Windows in a language-independent format. When using renderXml = true, Splunk does not forward the locale-specific message string. You can further optimize forwarder resource usage by also setting the suppress_* settings to true. In the case of the security event log Microsoft-Windows-Security-Auditing provider/source, event identifier 4688 will have no Message field beginning with "A new process has been created." You must instead use whitelist and blacklist values that reference $XmlRegex and match against the raw XML event. For example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4688</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2023-11-19T16:06:34.0318973Z" />
    <EventRecordID>139624</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="344" />
    <Channel>Security</Channel>
    <Computer>titan</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName"></Data>
    <Data Name="SubjectDomainName"></Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="NewProcessId">0x320</Data>
    <Data Name="NewProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="TokenElevationType">%%1936</Data>
    <Data Name="ProcessId">0x1c8</Data>
    <Data Name="CommandLine" />
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName"></Data>
    <Data Name="TargetDomainName"></Data>
    <Data Name="TargetLogonId">0x0</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\wininit.exe</Data>
    <Data Name="MandatoryLabel">S-1-16-16384</Data>
  </EventData>
</Event>

The raw XML event contains a series of <Data> elements, one of which is <Data Name="NewProcessName">. To exclude a specific NewProcessName value, e.g. C:\Windows\System32\lsass.exe, we can construct a blacklist value using the $XmlRegex key. I'll use percent (%) as the regular expression delimiter. You can use one $XmlRegex key to match multiple parts of the raw XML or multiple $XmlRegex keys to make your matches easier to maintain. I've used three $XmlRegex keys to match the Provider, EventID, and Data elements:

blacklist3 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">C:\\Windows\\System32\\lsass\.exe<\/Data>%

Note that I've included the provider/source because all Windows events are uniquely identified by a three-tuple of log, provider/source, and event identifier, e.g. Security, Microsoft-Windows-Security-Auditing, and 4688. You can add additional processes to your blacklist by using a regular expression group construct within the NewProcessName match:

blacklist3 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Windows\\System32\\lsass\.exe|C:\\Program Files\\MyApp\\MyProgram\.exe)<\/Data>%

This setting would be added to C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf. Note that the default blacklist1 and blacklist2 values provided by Splunk Add-on for Windows do not work when renderXml = true, so we'll modify those as well. I did not include the provider in the modifications; it's a direct translation of the default.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = true
suppress_keywords = true
suppress_opcode = true
suppress_sourcename = true
suppress_task = true
suppress_text = true
suppress_type = true
blacklist1 = $XmlRegex=%<EventID>4662<\/EventID>% $XmlRegex=%<Data Name="ObjectType">(?!\s*groupPolicyContainer)%
blacklist2 = $XmlRegex=%<EventID>566<\/EventID>% $XmlRegex=%<Data Name="ObjectType">(?!\s*groupPolicyContainer)%
blacklist3 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Windows\\System32\\lsass\.exe|C:\\Program Files\\MyApp\\MyProgram\.exe)<\/Data>%

Deploy inputs.conf and restart Splunk Universal Forwarder using your configuration management tool of choice, e.g. a Splunk deployment server.
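Before deploying a blacklist like the one above, it is worth checking offline that the $XmlRegex patterns match the events you intend to drop and nothing else. The following is an added example, not code from the answer or from Splunk: it takes the blacklist3 value verbatim, splits out each %-delimited $XmlRegex pattern, and applies them with Python's re module (an approximation of the forwarder's PCRE engine) to constructed raw XML events modelled on the 4688 event quoted above, treating multiple $XmlRegex keys in one entry as all-must-match.

```python
import re

# Constructed raw XML event, modelled on the renderXml 4688 event quoted above;
# only the elements the blacklist regexes inspect are kept.
def make_event(event_id: int, new_process_name: str) -> str:
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing" '
        'Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />'
        f'<EventID>{event_id}</EventID><Channel>Security</Channel></System>'
        '<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>'
        f'<Data Name="NewProcessName">{new_process_name}</Data>'
        '<Data Name="TokenElevationType">%%1936</Data>'
        r'<Data Name="ParentProcessName">C:\Windows\System32\wininit.exe</Data>'
        '</EventData></Event>'
    )

# The blacklist3 value from the answer, exactly as written in inputs.conf.
BLACKLIST3 = (
    r'$XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% '
    r'$XmlRegex=%<EventID>4688<\/EventID>% '
    r'$XmlRegex=%<Data Name="NewProcessName">(C:\\Windows\\System32\\lsass\.exe'
    r'|C:\\Program Files\\MyApp\\MyProgram\.exe)<\/Data>%'
)

def parse_xml_regexes(setting: str) -> list[str]:
    """Pull the %-delimited pattern out of every $XmlRegex key in one entry."""
    return re.findall(r'\$XmlRegex=%(.*?)%', setting)

def is_blacklisted(setting: str, raw_xml: str) -> bool:
    """Every $XmlRegex pattern in the entry must match the raw XML (logical AND)."""
    patterns = parse_xml_regexes(setting)
    return bool(patterns) and all(re.search(p, raw_xml) for p in patterns)

def filter_events(setting: str, events: list[str]) -> list[str]:
    """Return the events the forwarder would still send after the blacklist."""
    return [e for e in events if not is_blacklisted(setting, e)]

if __name__ == "__main__":
    sample = [
        make_event(4688, r'C:\Windows\System32\lsass.exe'),      # dropped
        make_event(4688, r'C:\Program Files\MyApp\MyProgram.exe'),  # dropped
        make_event(4688, r'C:\Windows\System32\notepad.exe'),    # kept
        make_event(4689, r'C:\Windows\System32\lsass.exe'),      # kept: EventID differs
    ]
    for e in filter_events(BLACKLIST3, sample):
        print(re.search(r'<EventID>(\d+)</EventID>', e).group(1),
              re.search(r'NewProcessName">([^<]*)<', e).group(1))
```

Run with the real inputs.conf value pasted into BLACKLIST3 to confirm that a typo in an escaped backslash or a missing group alternative does not silently let the events through or, worse, blacklist every 4688 event.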