rex can only happen after scooping up all events.  That is why you feel slow with your second search. When match happens in search command, you only pick up that matching one.  The search is just as your first search.  No matter whether the token is IPv4 or IPv6, search command is the same   index=vulnerability_index ip="$ip_token$"   Consider the following mock data: ip 10.10.10.12 50.10.10.17 10.10.10.23 fa00:0:0:0::1 fa00:0:0:0::2 1. $ip_token$ = fa00::1/128 Result: _time ip 2023-09-25 22:05:27 fa00:0:0:0::1   | makeresults | eval ip = split("10.10.10.12 50.10.10.17 10.10.10.23 fa00:0:0:0::1 fa00:0:0:0::2", " ") | mvexpand ip | search ip=fa00::1/128 ``` the above emulates index=vulnerability_index ip = fa00::1/128 ```   2. $ip_token$ = 10.10.10.23/32 Result: _time ip 2023-09-25 22:13:01 10.10.10.23   | makeresults | eval ip = split("10.10.10.12 50.10.10.17 10.10.10.23 fa00:0:0:0::1 fa00:0:0:0::2", " ") | mvexpand ip | search ip=10.10.10.23/32 ``` the above emulates index=vulnerability_index ip = 10.10.10.23/32 ```    

@Jana42855 - The document that I shared also contains the Splunk queries, which you may not be able to run on its own without installing the App as it will contain macros. But you will be able to run with some modifications. Plus here is a GitHub repo for the same, which you can use to fetch more info about the use cases https://github.com/splunk/security_content  I would say pick one use case from the list (https://research.splunk.com/detections ) that you understand by looking at the name and spending time on it and you get all the generic concepts of implementing all security use cases.   I hope this helps!!!

Can we consider using socket packages and using the correct "try except" and timeout for filtering, which may be faster? Alternatively, asynchrony can be used, but most importantly, each event must have a timestamp

I guess you don't have permission of root directory of C drive, because it's worked when you place file into "C:\Program Files",  just check if you can create the new file (instead of folder) in roo directory of C drive. I guess you should only have permission to create folders now.

Hi @bluewizard  Please test this on a test lookup before running it on the original lookup.    | inputlookup append=true suspicious_domain.csv | eval TIME=strptime(_time,"%m/%d/%Y") | eval 90dAgo=now()-(86400*90) | where TIME<90dAgo | outputlookup suspicious_domain.csv

Hi VatsalJagani, Thanks for the update. it will be useful for the user who has admin access. I am working in a organization and having only user access. Could u please help me at my level how can i ;earn the usecase and where to start manually... Thanks,

The drilldown tokens for a stacked chart will be Value of the X-axis (where x_axis_name is the name of the field on your x-axis - i.e. build info) - both of these will work. $click.value$ $row.x_axis_name$ Name of the X-axis column   $click.name$ Value of the clicked stacked element (duration) $click.value2$ and name of the clicked stacked element (process name)   $click.name2$  

You might want to consider just keeping a couple of the fields along with the Atrributes.* fields index = websphere_cct (Object= "HJn3server2" Env="Prod") OR (Object = "HJn8server3" Env="UAT") SectionName="JVM Configuration" | table Attributes.* SectionName Object Env | foreach Attributes.* [| eval name=SectionName.".<<MATCHSEG1>>" | eval {name}='<<FIELD>>'] | fields - Attributes.* name SectionName | stats values(*) as * by Object | transpose column_name='SectionName.Attribute' header_field=Object | eval match = if('HJn3server2' == 'HJn8server3', "y", "n") The stats values(*) as * by Object will put all the values of all the fields (which don't start with _) in the same row for the same Object field value.

The whole S3 SmartStore bucket is not immutable. At least in my instance anyway. The actual index data, tsidx files, and other metadata files subtending the 'db' folder are immutable. However, data model acceleration files located under the 'dma' folder do get updated/deleted as a normal part of Splunk operation. Do we have something misconfigured here? Or, is what am what I am saying normal?

ITWisperer: Thank you so much for the response.  I believe what you gave me will do the job; however, I have some questions. Here is the code I used and how it turned out. For expediency, I just used one 'SectionName' ... this field holds the name of the section in WebSphere that holds the attributes of a section of the Application Server.  index = websphere_cct (Object= "HJn3server2" Env="Prod") OR (Object = "HJn8server3" Env="UAT") SectionName="JVM Configuration"      | foreach Attributes.*           [| eval name=SectionName.".<<MATCHSEG1>>"            | eval {name}='<<FIELD>>'] | fields - Attributes.* name SectionName | stats values(*) as * by Object | transpose column_name='SectionName.Attribute' header_field=Object | eval match = if('HJn3server2' == 'HJn8server3', "y", "n") And here are the results: My questions are: 1) How does the command 'stats values(*) as * by Object' work? The 'Object' field is the name of the application server is this case.  How does that command group the values of the Attributes by Object?  2) Why are there so many extra fields in the table? Such as: Order, OrderType, Index, etc (per below) Why do these get included and is the only way to get rid of these fields is thru the 'fields' command? (ie fields - Order - Ordertype - Index ..) Thank you very much for the help !!!

HI@arist0telis ! A percentage is number of escalations out of the total established, times 100. Or with more math notation: (BotEscalated/ChatbotEstablished) x 100 = Percentage Escalated So we convert that to eval statements. I haven't tested it below, but it should be pretty close. index=sfdc sourcetype=sfdc:conversationentry EntryType IN ("ChatbotEstablished", "BotEscalated") | stats count(eval(EntryType=='BotEscalated')) as "BEcount", count(eval(EntryType=='ChatbotEstablished')) as "CEcount" ``` get the counts``` | eval mypercentage = round(('BEcount'/'CEcount')*100, 2) ```get the percentage and round to 2 places```

I think I may have figured it out myself, just had to take a step away for a minute. Pasting what I got here in case this comes up in a Google search and someone else needs help. index=sfdc sourcetype=sfdc:conversationentry EntryType IN ("ChatbotEstablished", "BotEscalated") | stats count(eval(if(EntryType="ChatbotEstablished",1,null()))) as ChatCount count(eval(if(EntryType="BotEscalated",1,null()))) as EscalationCount by ConversationId | stats sum(ChatCount) as sumChat sum(EscalationCount) as sumEscalation | eval pctEscalation=round(((sumEscalation/sumChat)*100),2) | table sumChat, sumEscalation, pctEscalation