1. This part | table hostname sourceIp | dedup hostname You realize that you will lose additional IP addresses on multihomed hosts? 2. Depending on your data (number of results, size of raw events, time of each search execution) there could be different ways to do that. There is a "join" command but its use is generally discouraged. The typical way is to either append two result sets and do stats by the common field(s) or do a search across two sets, classify the fields into one of the sets (possibly rename fields) and then do the stats.    

Licensing is fine. I switch to TCP from UDP input from the SAME source and everything is fine. All the logs are ingested and indexed and are searchable properly. UDP seems to be the issue. I am using the admin account created during install. Splunk installed on windows server with admin privileges.  It is just a single head. No cluster or separate indexers. 

How old is your deployment? Because the "internal" Splunk communication on 8089 and KVstore on 8191 has been TLS-enabled for a long time now by default. It's just that if you've not configured it with your own certs, it's using the default Splunk certs (which is not the best idea). But the TLS as such is enabled. With inputs/outputs it's a different story - you have to explicitly enable splunktcp-ssl inputs and outputs. And keep in mind that you can't have both TLS and non-TLS inputs if you're using indexer discovery.

nice idea the conversation doesn't really works but it's a nice direction! Anyway, the filter doesn't work. the error (studio) :"Cannot convert undefined or null to object" code: {     "options": {         "items": [             {                 "label": "All",                 "value": "*"             }         ],         "defaultValue": "*",         "token": "WinTimeStamp"     },     "title": "Multiselect Input Title",     "type": "input.multiselect",     "dataSources": {         "primary": "ds_ICA_General"     } } classic studio code: <input type="multiselect" token="WinTimeStamp" searchWhenChanged="true"> <label>Time</label> <choice value="%">All</choice> <default>%</default> <prefix>(</prefix> <suffix>)</suffix> <valuePrefix>(WinTimeStamp like("</valuePrefix> <valueSuffix>"))</valueSuffix> <delimiter> OR </delimiter> <fieldForLabel>WinTimeStamp</fieldForLabel> <fieldForValue>WinTimeStamp</fieldForValue> <search base="ICA_General"> <query>  | stats values(WinTimeStamp) as WinTimeStamp_ | sort WinTimeStamp_</query> </search> </input>

individual search is working for below which extracts host_name field and joining with host_name field in search but getting error " Error in 'rex' command: Invalid argument: '('  index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" | rex field=hostname "(?<host_name>[^.]+)\." but its giving less results when using below search but individual search has many  here is the full query    index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" | rex field=hostname "(?<host_name>[^.]+)\." [ | table host_name, sourceIp

@bowesmana  I have made my window as below: I have taken time Range as Last 15 minutes and set Cron schedule as */15 * * * * Still not getting emails and Incidents on time If the events are getting generated at 12:30 pm IST I want alert should triggered at that time itself via email or via incident. @bowesmana  can you please help me what time Range and cron schedule I should set  to get alerts on time.

Hi @VK18 .. for HF to indexer (for LM also the method is similar i think).. pls check this: https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/ConfigureSplunkforwardingtousesignedcertificates