You are correct about the size being affected by backup and save files.  The limit.conf setting is for the base file only so the total could be 4x that value. I don't see how the nmon TA has any bearing on this.

Thank you very much for the support @yuanliu . Your query works perfectly. However, it gave me more results than expected. Basically, I want only to see logs from Palo that only threat field equal to "SMB: User Password Brute Force Attempt(40004)" and resolve Windows logs fields (ComputerName & username) + Symantec logs fields (Symantec Detected User @ Destination & Symantec Destination Node) based on the dest_ip value of the Palo logs.  For your understanding below is what I get from your query (10000 statistics - 24hrs): I need something similar to the below table (106 statistics - Last 24hrs): Once again thank you very much for your support in this. Hope you can figure out my real requirement with this? Cheers, NeoKevin

Hi @ITWhisperer  THANKS for the above query which worked to get the data from that json in a table form.but data are displayed as duplicate/doble index="" source IN ("") "request body"| spath | spath input=eventBody,eventBody.objectIds{}  

Great that works when using between - but not for Last XXX, i get this error;  Error in 'eval' command: The expression is malformed. Expected ). Could you please explain why this works. This is OK, as ideally i would like to only have the option on the time picker of DATE RANGE -- BETWEEN. I think i need to make a css file for this to work - do you know if its possible to do this without css?

Hi @gcusello and thank you for your answer ! We do not use DS for Splunk Forwarders management (we do that with puppet), so we only have 2 clients, our indexers, in order to replicate HEC configs and so get the same tokens on both indexers. Normally we don't need to change these configs except to add new HEC inputs, so really ponctually. As for the Monitoring Console, we are basically afraid of warnings saying that it could lead to incomplete search results. But as I said, we only have two indexers that are already configured as search peers on the SH, so it's exactly the same pool of indexers that we want to integrate in MC distributed mode. In terms of load, our search head is used very sparingly, with only a few searches per day. I think there's a maximum of ten connections/searches per day. So if I understand you correctly, there are no real risks of functionality loss, the question is more about load, right ?

After @fredclown above stated there was no way to do a fourth dimension in a Bar Chart, I opened a case with Splunk. Low and behold, he was right, which lead to some changes in our SPL. I thought I would share, just in case somebody else runs into the same issue. ```Grab badging data for the previous week``` index=* sourcetype="ms:sql" CARDNUM=* earliest=-4w@w latest=-0w@w | bin span=1d _time | rename CARDNUM as badgeid | stats count by badgeid _time | join type=left badgeid ```Use HR records to filter on only Active and LOA employees``` [search index=identities sourcetype="hr:ceridian" ("Employee Status"="Active" OR "Employee Status"="LOA*") earliest=-1d@d latest=@d | eval "Employee ID"=ltrim(tostring('Employee ID'),"0") | stats count by "Employee ID" _time | fields - time | rename "Employee ID" as employeeID | fields - count ```Filter on Hybrid Remote users in Active Directory that are not Board Members and are in the Non-Branch region``` | lookup Employee_Data_AD_Extract.csv employeeID OUTPUT badgeid badgeid_1 RemoteStatus District employeeID Region] | where like(RemoteStatus,"%Hybrid%") AND NOT like(District,"Board Members") AND Region="Non-Branches" | eval badgeid=coalesce(badgeid,badgeid_1) ```Calculate the number of badge check-ins in a given week by badgeid``` | bin span=1w _time |stats latest(Region) as Region latest(employeeID) as employeeID latest(District) as District latest(RemoteStatus) as status count as "weekly_badge_in" by badgeid _time ```Calulation to determine the number of employees within District that are Hybrid Remote but have not badged-in``` | join District [| inputlookup Employee_Data_AD_Extract.csv | fields badgeid badgeid_1 RemoteStatus District employeeID Region | where like(RemoteStatus,"%Hybrid%") AND NOT like(District,"Board Members") ```AND NOT like(District,"IT")``` AND NOT like(District,"Digital") AND Region="Non-Branches" | stats count as total by District] | eval interval=case('weekly_badge_in'>=3,">=3", 'weekly_badge_in'<3,"<3") | table _time District interval total ```Modify District Here vvv``` | where District="Compliance" | stats max(total) as total count as total_intervals by _time District interval | sort District - _time | fields - District | chart max(total) as total_emp max(total_intervals) as total by _time interval | rename "total: <3" as "<3" "total: >=3" as ">=3" "total_emp: <3" as total | fields - "total_emp: >=3" | stats sum(eval(total-('<3'+'>=3'))) as no_badge_ins last("<3") as "<3" last(">=3") as ">=3" by _time | rename _time as week_of | eval week_of=strftime(week_of,"%Y-%m-%d")  

    Hi Team, First Event where i need to retrieve the uniqObjectIds {"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"uniqObjectIds":["275649"],"uniqObjectIdsCount":1,"msg":"unique objectIds","time":"","v":0} below is one event where i want the fields objecttype,objectids,version to retrieve {"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"eventBody":{"objectType":"material","objectIds":["275649"],"version":"latest"},"msg":"request body","time":"2023-11-06T22:48:03.330Z","v":0} Wanted to retrieve above two events data in the below query index="" source IN ("") | eval PST=_time-28800 | eval PST_TIME=strftime(PST, "%Y-%d-%m %H:%M:%S") | eval split_field= split(_raw, "Z\"}") | mvexpand split_field | rex field=split_field "objectIdsCount=(?<objectIdsCount>[^,]+)" | rex field=split_field "uniqObjectIdsCount=(?<uniqObjectIdsCount>[^,]+)" | rex field=split_field "recordsCount=(?<recordsCount>[^,]+)" | rex field=split_field "sqsSentCount=(?<sqsSentCount>[^,]+)"|where objectType="material" | table_time,PST_TIME,objectType,objectIdsCount,uniqObjectIdsCount,recordsCount,sqsSentCount | sort _time desc  

Thanks for your reply! I guess I should clarify my question though - I can figure out how to generate them, the question is where do I put them? Do I create additional fields in the lookup for the user and somehow splunk will use that field? Make the identify field a multivalue field?