Are you talking about a user preference issue or an issue in ingested data?  If data is in UTC, your user can always select UTC as their UI preference; if your application logs in a local zone AND includes zone info in data, Splunk internally still uses UTC. If data is in a different time zone but lacks zone info, that's a really bad situation.  There are several documents about how to configure time correctly.  A good place to start is Configure timestamps.  Hope this helps.

Hi @vikas_gopal, at first the configuration you defined isn't recommended by Splunk, but its isn't a production system, so it could go. About the idea to have a stand alone server containing the old data (that are in an Indexer Cluster), you could use one of the Cluster search peers disconnecting it from the old cluster, you have to put attention to the steps to follow: disconnect from the cluster one by one all the indexers, in this way on the last remaining Indexer you'll have a copy of all the data, then you can disconnect also it from the cluster. It isn't an usual procedure and I'm not sure that it was tested, but it should work. Ciao. Giuseppe

Its not working for this requirement. I see its returning entire output field value multiple times (equal to number of lines in the field.) Note "not working" is about the least informative phrase in the best of scenarios as it conveys virtually no information.  Yes, the original output field is expected to be attached to each row.  If you don't want to see that, filter it out.   | eval _raw = replace(output, "\|", ",") | multikv | fields - _* linecount output   The real question is: are fields DbName, CurrentSizeGB, etc., extracted? (Each row is its own event.  If you want multivalued fields in  instead, you can do some stats.)  Here is an emulation that you can play with and compare with real data:   | makeresults | eval output = "DbName|CurrentSizeGB|UsedSpaceGB|FreeSpaceGB|ExtractedDate abc|60.738|39.844|20.894|Sep 5 2023 10:00AM def|0.098|0.017|0.081|Sep 5 2023 10:00AM pqr|15.859|0.534|15.325|Sep 5 2023 10:00AM xyz|32.733|0.675|32.058|Sep 5 2023 10:00AM" ``` data emulation above ```   The above emulated input combined with the search gives CurrentSizeGB DbName ExtractedDate FreeSpaceGB UsedSpaceGB 60.738 abc Sep 5 2023 10:00AM 20.894 39.844 0.098 def Sep 5 2023 10:00AM 0.081 0.017 15.859 pqr Sep 5 2023 10:00AM 15.325 0.534 32.733 xyz Sep 5 2023 10:00AM 32.058 0.675 If these fields are not extracted as expected, you need to illustrate your original data more precisely so volunteers can help diagnose. (Anonymous as needed.)  In addition, illustration of actual output will also be helpful instead of a useless phrase like "not working".

Hi @Adpafer, what do you mean with disable Automatic AutoLoadBalancing and why do you want to do this? Anyway, if you want to send logs from one UF to a specific Indcexer (there's no reason to do this!), you can use only that address in the outputs.conf of the UF. if you want to perform a selective forwarding, see the configurations at https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data_input Ciao. Giuseppe

Hi @anooshac, let me understand, you could have different log formats: "C:\a\b\c\abc\xyz\abc.h" or ""C:\a\b\c\abc.pqr.a1.b1.jkl\xyz\abc.h", is it correct? in this case, you could try: | rex field=your_field "^\w*:\\\\[^\\\]*\\\\\w*\\\\[^\\\]*\\\\[^\\\]*\\\\(?<filename>.*)" that you can try using this search: | makeresults | eval your_field="C:\a\b\c\abc\xyz\abc.h" | append [ | makeresults | eval your_field="C:\a\b\c\abc.pqr.a1.b1.jkl\xyz\abc.h" ] | rex field=your_field "^\w*:\\\\[^\\\]*\\\\\w*\\\\[^\\\]*\\\\[^\\\]*\\\\(?<filename>.*)" Ciao. Giuseppe

Hi @Sponi, you cannot directly receive syslogs on Splunk Cloud. Usually the best approach is to have one (better two) Forwarder (Heavy or Universal) on premise as syslog server and it has the job to send the logs to Splunk Cloud. Ciao. Giuseppe

If something is "not giving (you) the correct result," you need to describe what the correct result is.  In addition, you   Otherwise volunteers will be wasting their time guessing. Maybe you mean the alternative NOT DisplayName="Carbon Black Cloud Sensor 64-bit"? Maybe there is something else in the data that you didn't describe that others need to know in order to help?

Hi @gcusello , I tested it and it is working fine. The paths in my data are vary from another. I may have data something like this. In these conditions will it work. C:\a\b\c\abc.pqr.a1.b1.jkl\xyz\abc.h