Hi @isoutamo,  thanks for your reply.  I have seen the topics you've sent me. Unfortunately I noticed that these can not be applied to my case mainly because the errors are not on a custom Dashboard but on the Splunk Monitoring Console, so any modifications would be more complicated.  It seems that my problem is strictly correlated to the folder "search_mrsparkle" that contains all the  scripts giving me the error messages. This folder ended up to the path /opt/splunk/quarantined_files/share/splunk/  instead of its original path.  Thanks,   

Hi @blazingblu, I don't think that's relevant and anyway Splunk will upgrade Splunk Cloud soon, so the versions will be aligned. Only for your better tranquillity, open a case to Splunk Support. Ciao. Giuseppe

Hi @yuanliu, both working perfectly. but for example there is some os log, the red hat are in middle, example: Linux(Red Hat Linux Enterprise 7.1) and Linux(Red Hat Linux Enterprise) 8.6 for above log, the regex also detect the linux. can you assist on regex that cover only red hat and version of it? also i have same issue on the windows server log which need regex for only detect windows server and which year.  

26,26,29 : 3 numbers are not equal  , so return results with 3rd number which is nor equal to other 2 .  26,28,29: again 3 number are not equal , so return results with all 3 yes , it is always 3 number itself   

Hi @AllandNothing, probably you didn't saved any alert or report in these apps but in different ones, for this reason you don't see savedsearches.conf in those apps. Also because TA_Windows is also not visible and usually you don't use TA_nix. Ciao. Giuseppe

Hi @tomapatan, check if the two files have the same content, even if a different name: Splunk doesn't index twice the same log. If this is the issue, you can use crcSalt = <SOURCE> option in inputs.conf to index both files. [monitor:///var/log/pihole.log] disabled = 0 sourcetype = pihole index = your_index crcSalt = <SOURCE> [monitor:///var/log/pihole-FTL.log] disabled = 0 sourcetype = pihole:ftl index = your_index crcSalt = <SOURCE> One additional my personal hint: don't use main index, create a custom one: not many indexes, few ones but not main. Ciao. Giuseppe

Hi @sarge338 , the solution is the same using the sync-time field instead _time, being in epochtime it's easier to manage. As I said you have only to define if you want the exact sync-time or a period (e.g. 5 minutes) and what's the rule to apply filter. index=your_index host IN (M1, M2, M3) | stats dc(host) AS host_count BY "time-sync" | where host_count=3 if the timestamps must be exactly the same, if instead they must be similar (e.g. 5 minutes ranges), you could run: index=your_index host IN (M1, M2, M3) | bin span=5m "time-sync" | stats dc(host) AS host_count BY "time-sync" | where host_count=3 If possible, don't use the minus char "-", but understand char "_", because Splunk read it as the minus operator, so yu have to use quotes. Ciao. Giuseppe

It really depends on how you design your "standardized OS".  Without a definition, there is no definitive answer.  Make no mistake, there are as many ways to "standardize" OS as there are OS's. If all you need is an OS family name and a major release, and assuming the operating system's full name is in field os.  You can do | rex field=os "(?<os_family>Red Hat|Utunbu|Fedora|SuSE)\D+(?<os_maj>\d+)" | eval os_standard = os_family . " " . os_maj Alternatively, | eval os_standard = replace(os, "(Red Hat|Utunbu|Fedora|SuSE)\D+(?<os_maj>\d+).*", "\1 \2") or | rex field=os mode=sed "s/(Red Hat|Utunbu|Fedora|SuSE)\D+(\d+).*/\1 \2/" Hope this helps.

Hello, Thanks for your help.   There was a workaround to use condition value using a drilldown https://community.splunk.com/t5/Dashboards-Visualizations/Condition-value-using-a-drilldown/m-p/255914 It worked fine when I  tested it, but the issue is it's difficult to read and it's not transferrable to Dashboard Studio <eval token="dmp">if(like($row.VulnerableIPs$,":"), "| search ip=\"" . $row.VulnerableIPs$ . "\" | rex mode=sed field=ip \"s/<regex>/<replacement>/<flags>"", "ip=" . $row.VulnerableIPs$ ) </eval>

then something like index=your_index earliest=-1d@d latest=now() ``` Collect all combinations of key 1, 2 and 3 by day ``` | bin _time span=1d | stats count by _time key1 key2 key3 ``` Count the number of days these key combinations occur ``` | stats dc(_time) as times list(_time) as days by key1 key2 key3 ``` and then if there is only 1 variant and it is today, it's a new type ``` | where times=1 AND days=relative_time(now(), "@d")