Assuming your timepicker is called timepicker and you want to use sTime to filter your events, try something like this index=summary sourcetype=prod source=service DESCR="Central Extra" | dedup SI_START,NAME,DESCR | eval sTime=strptime(SI_START,"%Y-%m-%d %H:%M:%S") | where relative_time(now(),$timepicker.earliest$) <= sTime AND relative_time(now(),$timepicker.latest$) > sTime

So I have a stand alone splunk instance with only data that is imported from botsv3 and I used these instructions for  Adjusting Splunk memory in settings: You can allocate more memory to Splunk by adjusting the settings in the limits.conf file. Locate this file in the Splunk installation directory and modify the max_mem setting to allocate more memory. This file typically resides in SPLUNK/etc/system/local/limits.conf.  I changed max_mem = <new value>MB And so far changing the max_mem from the original 200 mb to 6,144 mb to make it 6gb for splunk to use, it seems like I do not have the bad allocation issue anymore. I will continue monitoring for the error and update my comment if I run into the bad allocation error again. This solution may not work for everyones specific situation especially since you may enter an organization and the memory allocation has already been configured and you may not have permissions to change any configurations but if you are working just with a home lab and you are making your own configurations as the splunk admin this is a good place to start. Since none of the solutions seem to actually provide steps on how to make the actual adjustments for people that are learning I figured I would include some descriptive steps to this discussion so people can contribute their expertise for people that are learning. Please build on the discussion with actionable steps instead of replying that this solution may not work so people can actually learn what the solution steps are.

There's no OOTB feature, rather you can add tag/flag values in the search results itself and individual team members can just filter based on the flag. Let me know if you have any questions / thoughts?

Hello @ITWhisperer @yuanliu , Thank you so much for your help Is it possible to do it in one stats, instead of two, so I can keep my previous original calculation? I currently have stats ip with the following result ip dc(vuln) dc(vuln) score > 0 count(vuln) sum(score) 1.1.1.1 3 2 7 23 2.2.2.2 3 1 4 10 After adding "stats values(score) as score by ip vuln"  above the current stats ip, count(vuln) no longer calculated the count of non distinct/original vuln   (7=>3,  4=>3) sum(score) no longer calculated the count of non distinct/original score  (23=>10, 10=>5) ip dc(vuln) dc(vuln) score > 0 count(vuln) sum(score) sum (dc(vuln) score > 0) 1.1.1.1 3 2 *3 *10 10 2.2.2.2 3 1 *3 *5 5 This is what I would like to have  ip dc(vuln) dc(vuln) score > 0 count(vuln) sum(score) sum (dc(vuln) score > 0) 1.1.1.1 3 2 7 23 10 2.2.2.2 3 1 4 10 5

That lists all USer IDs that have over 10 disconnects.  I need the total number of users that have disconnected in that time frame.  I essentially need to add the number of USER IDs that have over 10. Just one number. 

The stats command can count the number of disconnects for each user.  Then filter out users with fewer than ten disconnects. index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=host2) OR host=Host1) earliest=$time_tok.earliest$ latest=$time_tok.latest$ | rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds | stats count by IONS | where count >= 10 | rename IONS as "User ID"  

Thank you for your advice, in this case if my token name is for example "actor.displayName" in this case in the main query in need to wrap it like this? :  $"actor.displayName"|s$ Sorry for asking probably very basic question...

Hi If I have understood right you could/should define used splunk version on configuration when you are building this up? See: https://splunk.github.io/splunk-operator/SplunkOperatorUpgrade.html Configuring Operator to watch specific namespace Configuring Operator to watch specific namespace Under "Configuring Operator to watch specific namespace" are example where Splunk Enterprise version has defined. r. Ismo

After speaking to our local Splunk admin, what I am trying to do is not possible. So decided to break it into the 2 searches; 1 correlation search and then a drill down. Then we're building a playbook to auto-close the alert if the drill down finds hits.  I was trying to build this alert to not hit SOAR and thus reduce resources on our Splunk instance, but this was not possible in this manner.