The problem with moving to Studio for just one feature is that it doesn't support all the features that are available in Classic (yet). You need to weigh up the pros and cons of each and decide what costs you are willing to pay for your choice. Having said that, you may be able to do something in Classic with using the done handler for the inputs. Did you investigate that?

Hi, I agree. I moved to studio because someone recommended me:https://community.splunk.com/t5/Dashboards-Visualizations/How-to-improve-the-filter-input/m-p/668513#M54700 I have already converted the dashboard and created a much more impressive visualization so i prefer to stay with the studio version but i have a problem because tabs are not supported. Do you know about a workaround solution?  thanks

@gcusello , Hi   I want to blacklist C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe of creatorprocessname would it block the newprocessname of C:\Windows\System32\cmd.exe  as well ?   Thanks

Thank you @PickleRick for your inputs. I was able to build my solution using it as below: - index=custom_index earliest=-4w@w latest=@d |search [ |inputlookup append=true table1.csv |where relative_time(now(),"-1d@d") |dedup fieldA |where fieldB<fieldC |fields + fieldA |fields - _time ] |bin span=1d _time |stats sum(xxx) AS xxx BY fieldA _time |eventstats median(xxx) AS median_xxx BY fieldA

Hi @gcusello I have added below code but the image is not loading. I have given dummy link below, but my actual private link is working fine <html> <centre> <img style="padding-top:60px" height="92" href="https://sharepoint.com/:i:/r/sites/Shared%20Documents/Pictures/Untitled%20picture.png?csf=1&amp;web=..." width="272" alt="Terraform "></img> </centre> </html>  

Your second approach is what we are trying to do now, and it has worked very well for the most part, but we've run into some issues with file precedence —when using the [default] stanza. I guess we'll keep doing this, since I think, as you do, that it is more manageable to have the small pieces of configuration in their own apps. BTW, we are naming this apps starting with numbers following the example of the 100_app that contains the tls credentials to forward traffic to the cloud. The issue with the Cloud vs. Enterprise is that to deploy to the cloud you need to pass the inspection proccess, and it fails if you have inputs.conf, which for the forwarders you always want. So that's another good reason to have them in separate pieces.

Hi @gmbdrj , it's realli diffi coult to answer to your question in few words. A>nyway, installi the MItre Att@ck app, you can start from a mapping of your Searches with this framework. Then you can use the Enterprise Security (if you have) and/or the Splunk Security Essentials App to be guided in Use Cases implementation. Anyway, remember that the starting poins is always data: you have to analyze the data you have to understand which Use Cases you can enable. Ciao. Giuseppe 

It is more likely that your performance issue is caused by the sort+streamstats rather than the lookup Here is an example that does not use sort or streamstats - it may or may not work in your data, but the principle is to use stats. You can run this example and it will give you your results.  The piece you would want is shown by the comment before the fields statement.   | makeresults format=csv data="_time,DEV_ID,case_name,case_action 01:00,111,ping111.py,start 01:20,111,ping111.py,end 02:00,222,ping222.py,start 02:30,222,ping222.py,end 02:40,111,ping222.py,start 03:00,111,ping222.py,end" | eval _time=strptime("2023-11-21 "._time.":00", "%F %T") | append [ | makeresults format=csv data="_time,LOG_ID,Message_Name 01:10,01,event_a 02:50,02,event_a" | eval _time=strptime("2023-11-21 "._time.":00", "%F %T") | eval DEV_ID=111 ] ``` So use your first two lines of your search and then the following``` | fields _time DEV_ID case_name case_action LOG_ID Message_Name | eval t=if(isnull(LOG_ID),printf("%d##%s##%s", _time, case_action, case_name), null()) | eval lt=if(isnull(LOG_ID),null,printf("%d##%s##%s", _time, LOG_ID, Message_Name)) | fields - LOG_ID Message_Name case_* | stats values(*) as * by DEV_ID | where isnotnull(lt) | mvexpand lt | eval s=split(lt, "##") | eval _time=mvindex(s, 0), LOG_ID=mvindex(s, 1), Message_Name=mvindex(s,2) | rex field=t max_match=0 "(?<report_time>\d+)##(?<case_action>[^#]*)##(?<case_name>.*)" | eval min_ix=-1 | eval c = 0 | foreach mode=multivalue report_time [ eval min_ix=if(_time > '<<ITEM>>', c, min_ix), c=c+1 ] | eval case_name=if(min_ix>=0, mvindex(case_name, min_ix), "unknown") | eval case_action=if(min_ix>=0, mvindex(case_action, min_ix), "unknown") | fields - s lt t c min_ix report_time | table _time Message_Name LOG_ID DEV_ID case_name    

Hi @MayurMangoli , did you configured your Indexers to receive encrypted logs? It seems that you forgot to add the correct configuration in the outputs.conf that you deployed to your UFs. For more infos see at https://docs.splunk.com/Documentation/Splunk/8.2.12/Security/Aboutsecuringdatafromforwarders  Ciao. Giuseppe

Hi @Sirius_27 , you can associate to your account another app at startup instead of Launcher. Or you can define an Home Page dashboard to display after login. To setup another App as default you hav e to go in your Account and choose preferences. To setup a dashboard as default home page, you have to go in your dashboard and, after click on "Edit", setup the option "Set up Home Dashboard". Ciao. Giuseppe 

Hi @Splunkerninja , in Splunk Cloud, you don't upload images but you use external on line images. You have to follow the above procedure to avoid to approve each time the access to an external content. Ciao. Giuseppe