Hi @Bisho-Fouad , every Splunk system can have two kinds of users: local users: manually created on the system, users from the external authentication system: they depends on the Auth system. At least, every Splunk system has a local users usually called "admin", that's created at the installation moment. Did you tried using this admin account? It seems that in this system you have only the admin user and not other ones. Ciao. Giuseppe

Hi Again @gcusello  1- which kind of troubles ? please check the attach 2- Have you your login page ? Yes, its appears normal 3- is your account a local or LDAP account? sorry but can you guide me what is the difference as new user in Splunk thanks for your time

@gcusello  Same issue am facing as i had checked above solution worked on that it is working fine ,Till September  received(email notification ) the report for the alert triggered but it is stopped from October.  what could be the issue ??

Hi @Bisho-Fouad , which kind of troubles? Have you your login page? is your account a local or LDAP account? If local, you have only to remember the password, if LDAP, check the integration entering with a ocal account. Ciao. Giuseppe

Hi JohnEGones. I already have admin user, and is used it to login many times before, but I'm having trouble logging in with my admin account, even though I've added it to the cluster master twice and verified it with CLI commands. any recommendations ? 

Thanks for your reply .  index=dummyIndex source IN ("/dummy/Source")"support request details" |stats count | rename count as Re-ProcessRequest | appendcols [ search index=dummyIndex source IN ("/dummy/Source") "input params" OR "sqs sent count" OR "Total messages published to SQS successfully" OR "unique objectIds" OR "data not found for Ids" OR "dataNotFoundIds" | rex "\"objectType\":\"(?<objectType>[^\"]+)" | rex "\"objectIdsCount\":\"(?<objectIdsCount>[^\"]+)" | rex "\"uniqObjectIdsCount\":\"(?<uniqObjectIdsCount>[^\"]+)" | rex "\"sqsSentCount\":\"(?<sqsSentCount>[^\"]+)" | rex "\"totalMessagesPublishedToSQS\":\"(?<totalMessagesPublishedToSQS>[^\"]+)" | table objectType,objectIdsCount,sqsSentCount,totalMessagesPublishedToSQS,uniqObjectIdsCount | addcoltotals labelfield=total label="Total" | tail 1| stats list(*) as * ] | appendcols [ search index=dummyIndex source IN ("/dummy/source") "dataNotFoundIds" | spath output=payload path=dataNotFoundIds{} | spath input=_raw | stats count by payload | addcoltotals labelfield=total label="Total" | tail 1 | fields - payload,total | rename count as datanotfoundbynewway] While above is my query ,Let me first ask this: Can you please elaborate more on your statement "if this is your issue, use table at the end of your search listing fields in the wanted order." I am looking to modify the above query such a way the column "datanotfoundbynewway" should appear at last. Actual: It always displayed as a second column Expected : I wanted that column to appear as the last column .  # also how can i make use of stats in the above query instead of join  Thanks again!

Hi @Bisho-Fouad , you culd manage Cluster Manager and Deployment Server via CLI: it isn't so easy but it's possible! But anyway you need an admin user because every CLI command requires an authentication. Ciao. Giuseppe

Hi @leooooowang, as I said, you have to create a new dashboard in Simple XML that have the same panels and inputs of the Advanced XML dashboard. You have to create all the panels and inputs using the same searches of the old dashbord. Event Timeline can ve displayed using a chart or the timeline wiz (https://splunkbase.splunk.com/app/3120), instead fields summary should be a list of fields that you can insert in a table. Ciao. Giuseppe

Hi @cross521, your question id very vague. Anyway, in general you have to index data in Splunk to analyze and use them. The steps to do this are (in general) these: analyze data, finding the relevant ones (out of Splunk), ingest them using the Splunk features (for more infos see https://lantern.splunk.com/Splunk_Platform/Getting_Started/Getting_data_into_Enterprise), so you can search and use them. To save the search results in csv forma theres the outputcsv command (https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Outputcsv), but anyway you have to index data in Splunk. If you want to pre-process them, you have to use a script (done in the language you like) to prepare data before ingestion but I'am not an expert in scripting and this isn't a Splunk issue so I cannot help you. Ciao. Giuseppe

Hi, @gcusello  :   Yes, create those inputs fields by Simple XML is easy. But the hardest part is the UI  page of search result.    Our users want to keep the "event timeline" , and "fields summary" on the result page.    I can't find anyway to implement such UI function by Simple XML .     And the out-of-box  "search" page does not look like implemented by Simple XML,too...    

Hi @nithys , without a sample of your logs I cannot check yur regexes and I don't understand what't the key to correlate values because it seems that there isn't any common key to use in a stats command. Ciao. Giuseppe

Hi @aditsss , did you tried something like this: index= "abc*" (sourcetype=600000304_gg_abs_ipc1 OR sourcetype=600000304_gg_abs_ipc2) "Message successfully sent to Cornerstone" source!="/var/log/messages" ? Ciao. Giuseppe

Hi @nithys , Let meunderstand: your issue is the fields order at the end of your search? if this is your issue, use table at the end of your search listing fields in the wanted order. About the filter, you can add a search command after the objectType extraction. At least one hint: try to avoid to use join command: Splunk isn't a database and join command is very slow and resource consuming! in Community you can find many sampleas about replace join with stats. I could be more detailes. if you could share your search using the Insert/Edit Code Sample button (<>) because the search parameters aren't clear. Ciao. Giuseppe