Hi @Marta88, as you can read at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf?utm_source=answers&utm_medium=in-comment&utm_term=limits.conf&utm_campaign=refdoc, the differences are: use_stats_v2 = [fixed-width | <boolean>] * Specifies whether to use the v2 stats processor. * When set to 'fixed-width', the Splunk software uses the v2 stats processor for operations that do not require the allocation of extra memory for new events that match certain combinations of group-by keys in memory. Operations that cause the Splunk software to use v1 stats processing include the 'eventstats' and 'streamstats' commands, usage of wildcards, and stats functions such as list(), values(), and dc(). * NOTE: Do not change this setting unless instructed to do so by Splunk Support. * Default: true and  stats = <boolean> * This setting determines whether the stats processor uses the required field optimization methods of Stats V2, or if it falls back to the older, less optimized version of required field optimization that was used prior to Stats v2. * This setting only applies when 'use_stats_v2' is set to 'true' or 'fixed-width' in 'limits.conf' * When Stats v2 is enabled and this setting is set to 'true', the stats processor uses the Stats v2 version of required field optimization. * When Stats v2 is enabled and this setting is set to 'false' the stats processor falls back to the older version of required field optimization. * Do not change this setting unless instructed to do so by Splunk support. * Default: false In few words, the difference is that in V2 it isn't required allocation of extra memory used, this is maintained for eventats and streamstats. Ciao. Giuseppe  

With the latest version of Splunk, I heard that there will be some changes, as reported on this link. But it is not specified which are the changes. https://docs.splunk.com/Documentation/Splunk/9.1.1/ReleaseNotes/Deprecatedfeatures   Thanks Marta

Help me understand why this 2 lines are for? I do have other fields other than values and sourcetype, need to apply this expansion for 2nd column.(column name= Values) | eval C1=mvmap(C1, C1."_R".row) | foreach 2 3 4 [ eval C&lt;&lt;FIELD&gt;&gt;=random() % 10000 ]

Here is something similar to what i have tried. Please let me know where i might be making mistake. <form version="1.1" theme="dark"> <label>test</label> <init> <set token="tok_row">0</set> </init> <search id="base_data"> <query>index="_internal" earliest=-15m@m |stats values(source) as Values by sourcetype | eval column_expansion=Values </query> </search> <row> <panel> <table> <search base="base_data"> <query> | eval Values=if(row=$tok_row$, column_expansion, mvindex(column_expansion, 0, 0)) </query> </search> <fields>"Values","sourcetype"</fields> <drilldown> <eval token="tok_row">if($row.row$=$tok_row$, 0, $row.row$)</eval> </drilldown> </table> </panel> </row> </form>

Hi, I've tried this and it does not work. I need to block all data being written to our indexers from a set of IPs (network security devices that try and find compromises on our servers including the splunk HFs, UF, etc - so I do want to drop this at the index level). I've placed this code in the etc system local props.conf and transforms.conf files - is that correct? Doesn't seem to drop it either for IP address or hostname. Thanks.

@bowesmana  This is exactly what i was looking for, and its excellent. Thank you for your response! I tried your query its working great but when i implement the same to my query it is not working. it is still showing the multiple values and when i clicked on the row it is displaying "search is waiting for input.." message. The results i am displaying is the values() through stats, please let me know if that could be the reason for not working or anything else?

I am also facing a similar problem while submitting my splunk addon app to splunk. In my case, I am making post request to my software using the code below: response=requests.post(url=url,headers=headers,json=temp_container,verify=False, timeout=60) After the review and feedback from the splunk team, I included a code in my html that will make users to enter the path to  their SSL certificate (optional field). After this, I made changes to my python script so that if the user has entered the path, the code below will be executed else the one above. response=requests.post(url=url,headers=headers,json=temp_container, timeout=60,verify=certloc) certloc is the path to the certificate. However, I am getting the same response as above from the review team on the code where I have kept verify=False. If I remove this code from the python then it will make it mandatory for the users to enter the path to the SSL certificate? In that case, do users have to use their own certificate and place the certificate inside default folder of the package or do we generate the certificate, and place it inside the default folder and then package it before distributing it.  Can the same certificate be used by all app users when we distribute the package? In our case, every customer has their own instance of our product just like every user has their own Splunk instance.

Hi @MScottFoley , only to complete the solution from @PickleRick that's perfect, you have to: go in [Settings > Lookups > Lookup definitions] choose the lookup flag Advanced Options insert "WILDCARD" in Match Type Save Ciao. Giuseppe