Hi @mlevsh, maybe you should try to have a different approach in indexes creation: usually different indexes are used when there are different retention periods and/or different access grants. Indexes are siloes in which it's possible to store data, different data are differentiated by sourcetype not by index. So you could reduce the number of indexes: 280 indexes are very difficoult to manage and to use, why do you have so many indexes? In other words there isn't any sense  having one sourcetype in one index. In other words, indexes aren't database tables. the best approach is usually to limit the time that a user can use in a search and not the indexes. Ciao. Giuseppe

Hey @siraj , there should be no need to modify the Generated Search, as both the aggregate_raw_into_entity and aggregate_raw_into_service macros are intended to be part of the KPI's SPL. Are you getting the error when running the Generated Search in a separate Search tab? If so, what App context are you in while attempting to run the search? To troubleshoot, follow the instructions in the error message to make sure that your user account has the appropriate permission for the macro. Also, make sure that the macro is not only shared in the SA-ITOA app while you're trying to run the test search in a different App context. Both of these settings are accessed from the Permissions setting of the macro. Let me know if this helps, avd

@niketn  I miss you, my friend. I remember this started a great bunch of conversations between us that included a hug at .conf19. I want to give a shout out to @kaeleyt for providing my go-to solution for this problem: https://community.splunk.com/t5/Splunk-Search/How-to-add-colors-to-a-table-for-dynamic-columns/m-p/411419 After looking further, I found this line in the documentation, https://docs.splunk.com/Documentation/Splunk/latest/Viz/TableFormatsXML: "If you do not specify a field, the format rule is applied to the entire table. " So the magic is not specifying a field in the line:   <format type="color">   I also want to provide, like Niket taught me by example, to include a run-anywhere example implementing the solution.   <dashboard version="1.1"> <label>Erics Column Test</label> <row> <panel> <title>Data Example</title> <table> <search> <query>index=_internal sourcetype=splunkd log_level!=INFO earliest=-7m@m latest=now | eval Time=strftime(_time,"%Y-%m-%d %H:%M") | chart count as Error by component Time</query> <earliest>-1h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color"> <colorPalette type="list">[#118832,#1182F3,#CBA700,#D94E17,#D41F1F]</colorPalette> <scale type="threshold">0,30,70,100</scale> </format> </table> </panel> </row> </dashboard>    

Your quotes before the http appear to be two SINGLE quotes rather than a double quote. Once you fix that you get a different error about dynamic fields and it looks like it doesn't like the $ sign in the searchmatch string.  

not sure you understood my question the curl command below create an event with "hello world" curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":"hello world"}' imagine that in my json file I have many items with a different event name for example "hello world", "hello world1", "hello world2"..... is the good curl command to apply is like this? curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":}'  what i mean is that if i dont mention the name of the event, 3 events will be created in splunk with "hello world", "hello world1", "hello world2"?

That's not really a Splunk or ES-related question. It's related to your data and your use-cases. If you filter out some data, you don't have it. And if you don't have events, you can't base your searches (and thus use-cases) on them. As simple as that. It's more a windows-related question to your admins to help you review the use cases you want to enable.

+1 on that. Why in what system should 14.84 ever mean 14.084? That's what leading zeros are for. It's definitely an application error. Also - where do you get that value from? It's the _time field or some other time? While the app should be fixed either way, if it's the main timestamp of the event, it's simply plain wrong in terms of it being the proper timestamp for the event.

Hey @Sak08092015 , are you able to specify which exact Apex EventType are you trying to send to Splunk? Is it one of the standard Apex EventTypes that are EventLogFile supported? (Eg. Apex REST API Event Type) avd

I don't get it. index=vulnerability_scan Risk=Critical earliest=-7d latest=now | stats values(CVE) as CVE_7d by extracted_Host | appendcols [ search index=vulnerability_scan Risk=Critical earliest=now -7d latest=now | stats values(CVE) as CVE_now by extracted_Host ] I see two practically identical searches (with one having "earliest=-7d" and the other one having "now-7d" which mean the same). The only difference between them might be if some event got ingested between run of the outer search and inner one.