Checked each SH individually, they all behave exactly the same. I find the app in the management page, I klick the "launch app" link and I end up here: <splunkURI>:8000/en-GB/app/Splunk_SA_CIM/ta_nix_configuration

The CIM setup page now works just fine, it is the "launch app" or using the URI for the Splunk_SA_CIM app directly which lands me on the Splunkt_TA_Linux configuration page. I have not noticed this behaviour for any other app so far, everything else seems to be working just fine. It is possible, of course, that the problem exists outside of Splunk. At least I know this is not the expected behaviour, so now I just have to figure out why I cannot access the app without landing on the wrong page

OK. I was afraid that you tried to install the app using gui and it landed on one SH only. If you pushed it properly from deployer, it should be OK. No, it does not look like a  normal situation (although I seem to recall vaguely someone having a similar problem). Are you sure your LB (you must have some HTTP rev-proxy in place) isn't doing something strange with your requests? Are you able to launch the CIM setup properly if you connect directly to one SH?

Hi @BTB, the difference between an alert and a report is that if you don't any event, you do't receive an alert but you receive an empty report. As attachment of the alert you can have the csv or pdf file with all the search results, so why you cannot use an Alert? You have an hot for each result only if you configure one alert for each result, but you can also configure only one alert with all the results in one file. Ciao. Giuseppe

I am not using a base search but using two different queries to get the exact count what I want . So one query is this  index=US_WHCRM_int sourcetype="bmw-crm-wh-xl-cms-int-api" ("*Element*: bmw-cm-wh-xl-cms-contractWithCustomers-flow/processors/2/processors/0 @ bmw-crm-wh-xl-cms-int-api:bmw-crm-wh-xl-cms-api-impl/bmw-cm-wh-xl-cms-contractWithCustomers*") OR "*flow started put*contractWithCustomers" OR "*flow started put*customers:application*" OR "ERROR Message" OR "flow started put*contracts:application*" | rex field=message "(?<json_ext>\{[\w\W]*\})" | rex field=message "put:\\\\(?<Entity>[^:]+)" | rename attributes{}.value.details as details | rename properties.correlationId as correlationId | table _time properties.* message json_ext details Entity | spath input=json_ext | stats count as Entity which is giving me entity as total fetch count. Other query is this index=US_WHCRM_int (sourcetype="bmw-crm-wh-xl-cms-int-api" severity=INFO ("*Element*: bmw-cm-wh-xl-cms-contractWithCustomers-flow/processors/2/processors/0 @ bmw-crm-wh-xl-cms-int-api:bmw-crm-wh-xl-cms-api-impl/bmw-cm-wh-xl-cms-contractWithCustomers*") OR "*flow started put*contractWithCustomers" OR "*flow started put*customers:application*" OR "ERROR Message" OR "flow started put*contracts:application*") OR (sourcetype="bmw-crm-wh-xl-cms-int-api" severity=ERROR "Error Message") | rex field=message "(?<json_ext>\{[\w\W]*\})" | rex field=message "put:\\\\(?<Entity>[^:]+)" | rename attributes{}.value.details as details | rename properties.correlationId as correlationId | table _time properties.* message json_ext details Entity | spath input=json_ext | stats count by title | fields count which is giving me title count as error count. Now I want a success count which can be calculated by subtracting the total fetch count - error count. So how I will get that. Please help me with that. Hope this helps you to understand.

Ugh. There is so much going on here that I don't know where to start. 1. Don't use wildcards at the beginning of your search term. It kills your searches performance-wise. 2. You're doing the same (very inefficient) base search twice. That's not the best idea. 3. You needlessly extract many fields but in the end only do stats count as Entity or stats count by title  4. First search gives you one number as a result, the appended search (which will most probably get silently finalized due to exceeding permitted subsearch time and will return _wrong_ results) returns several numbers - one for each title. It seems you don't need any "merging" of two searches but need to design your search from the ground up to get the results you need. But to do so you need to know (and tell us if you want us to help): 1) What does your data look like 2) What do you want to achieve

Thank you for the insight. The "| table  * *" were the columns that all match with variances in AD and unix. I have everything broken down specifically per each index in order to have somewhat of a uniform and sanitary environment. I am having to retake a crash course right now in splunk query. Let me try the method you prescribed and we can continue from there. I'll double check my column headers between the three indexes. I will be more precise in my explanation on my next follow up. Thank you. ..update.. index=cyber AND index=AD | table act, devtype, safe, issuer, username, purpose (for cyber) | table audit, e_user, evnt_cat, evnt_tsk, proc_name,   (for AD) index=cyber AND index=unix | table act, devtype, safe, issuer, username, purpose (for cyber) | table proc, src, user, msg (for unix) Double checked my data. AD and unix searches are never done together, always cyber and one or the other.