Hi As @gcusello said, you could try to create a support case or maybe better way is create idea on https://ideas.splunk.com. Splunk's product managers are followed that forum and maybe they react it? r. Ismo

HI @paulkilpatrick, the Splunk Add-On for Amazon Web Services (AWS) is directly maintained by Splunk itself, so I'm not sure that's possible to contribute to its improvement, probably you could create your own branch, but outside of this products name. Eventually you could to try to open a not technical Use case on Splunk Support to be sure about this. Ciao. Giuseppe

Hi @lucky .. for the rex beginners, i have created this youtube playlist.. pls check it, thanks. . https://www.youtube.com/watch?v=rXT35CnWorw&list=PLIJcAov3YzES8PJSX8gZ8cTHWsjh8KeyG   Youtube channel link is: https://www.youtube.com/@SiemNewbies101  

HI  "citiuuid":"3faa9e6e-c66d-4e52-898e-207219e87d9a","uriTemplate":"/v1/security/onlineBanking/registrations/status","method":"GET","apiStartTimestamp":1694413789916,   I need to extract uriTemplate  field  please help on this 

Hi As this sounds like you are asking answer for your course lab I just give pointers to you where you could find the answers. https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/Enableareceiver https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/WhatSplunkcanmonitor https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Aboutforwardingandreceivingdata I suppose that also your course material should give the answer what is missing/wrong on your configuration and how to debug it. On comment for security. You should never run UF as a root on source node. Also don't use root as a splunk's internal admin user and never use the same password than you have in OS level. r. Ismo

Hi as those are Splunk's own scripts and they should fix those by themselves, I said that the easiest way to get rid of those is just add e.g. this to your SPL | rex field=value "exited\s+with\s+code\s+(?<exit_status>\d+)" ``` Add this one line ``` | where (script != ".$SPLUNK_HOME/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py" AND script != ".$SPLUNK_HOME/etc/apps/splunk_instrumentation/bin/instrumentation.py") | stats first(started) as started, first(stopped) as stopped, first(exit_status) as exit_status by script, stanza r. Ismo 

Hello Noopur, Thank for your response. We tried the https://fra-ana-api.saas.appdynamics.com:443/_ping and it responded back pong as you suggested. So is it sill fine if we get posted error in logs? BR, Abhiram

Hi @darphboubou , I haven't event samples so I cannot see the field in interesting fields panel, so, running the main search  index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" which fields do you have in Interesting Fields panel? Choose the ones to use for stats searches: e.g. if you want the number for user or for host, you could run something like: index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" | stats count BY user or  index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" | chart count OVER user BY host then choose the fields to display in a table search: index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" | table _time host user domain action ... As I said the most valuable job is to know what to search, then you can learn how to search in Splunk using the Search Tutorial. Saving these searches in different dashboard's panels, you'll have your dashboard, to monitor your Use Case Ciao. Giuseppe

 if the search result of "past days count=0 and today count>0" then trigger another search to show count >0 log as _time field1 _raw Yes, that's exactly what a subsearch can do. index=... earliest=-3d@d [search index=... earliest=-3d@d | bin _time span=1d@d ``` Calculates the count for a field by day ``` | stats count by field _time ``` Now calculate today's value and the total ``` | stats sum(eval(if(_time=relative_time(now(), "@d"),count, 0))) as today sum(count) as total by field ``` And set a field to be TRUE or FALSE to alert ``` | where today > 0 AND total - today == 0 | fields field] This use of subsearch is very inefficient.  Efficiency aside, I highly doubt if raw events is of value in an E-mail alert if today's finding are going to be more than a couple of events. If I am to receive an alert like this, I would rather it simply tells me which fields are triggering this behavior so I can go back to a search window or a dashboard or a report to review event details.  If I really want a little more in the E-mail itself, aggregation of a handful of most concerned fields.  If there are going to be only a couple of events to ever satisfy the criteria, you can use an alternative to produce an ordered list of _raw - provided it is really desirable by recipients. index=... earliest=-3d@d | bin _time span=1d@d ``` Calculates the count for a field by day ``` | stats count list(_raw) as _raw by info _time ``` Now calculate today's value and the total ``` | stats list(_raw) as _raw sum(eval(if(_time=relative_time(now(), "@d"),count, 0))) as today sum(count) as total by info ``` And set a field to be TRUE or FALSE to alert ``` | where today > 0 AND total - today == 0 This way, you don't need to run two searches sequentially. BTW, last time I used field name "info" in place of "field".  This is corrected.