Hello @isoutamo Hello @yuanliu, thank you for your reply. At the moment i use the "coalesce" to quick fix the issue but i think in the long run in will do implement the lookup solution.  Thank you both for your help! Kind regards, Flenwy

Hi one option is use several strategies which are pointing to different LDAP servers which have identical content. Another option is use LB before LDAPs and use this VIP address as server for strategy. That is probably more easier solution for overall. r. Ismo

Hello there, Is there a solution for this question. We too (like many others i guess) have domains with multiple LDAP servers behind. Either we register per domain several strategies what gives us in the end about 15 strategies an more or we can solve with the DNS record for the Domain (example demo.domain.local). In my opinion Splunk will then connect to one of the multiple Servers behind this DNS record with Round Robin. What are the possibilities and how did you solve this? With so many strategies we have the problem that with an adjustment to roles with subsequent reload the whole thing with a search head cluster at the end goes very long. Clearly, the strategies here are only one part of many in a reload, and yet this would help us.

Hi @Adpafer, let me understand because I don't understand your requirement: at first if you have one Indexer receiving on port xx and port yy, what do you mean that you need the Indexer forwardrs data on the above ports? are you speaking of an Indexer or a Forwarder? or are you speaking of forwarding data to a third party? In other words, could you better describe your requirement, in terms od data flow? Ciao. Giuseppe

Hi @anooshac, these seems to be data in json format. If they aren't  in a lookup, you could parse them and store in an index using the INDEXED_EXTRACTIONS=json option of props.conf (https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Propsconf). In this way you extract all the fields and you can use the values for your matches. Ciao. Giuseppe

@abi2023 - You would use timechart instead of stats with span=1mon. But you are using by name, groupby field won't work with a single value chart. You could though a table with trendlines if you want to use groupby. You can find example of this inside the App called Splunk Dashboard Examples on Splunkbase.   I hope this helps!!!

Just change the regex in the 2 rex statements | makeresults | eval _raw="Group;Value;Data {'Ala_ABC':'1','Bob_XX_':'2'};{'Ala_ABC','Bob_XX_'}; {'Ala_ABC':1,'Bob_XX_':'2'};{'Ala_ABC'};{'Bob_XX_'} {'Ala_ABC':1,'Bob_XX_':'2','_c_is_for_Charlie':'3'};{'Ala_ABC'};{'Bob_XX_','_c_is_for_Charlie'}" | multikv forceheader=1 | table Group Value Data ``` This is your Splunk SPL ``` | rex field=Group max_match=0 "'(?<g>[A-Za-z_]+)':'" | rex field=Value max_match=0 "'(?<v>[A-Za-z_]+)'" | eval Calculated_Data=mvmap(g, if(g!=v, g, null())) | eval Calculated_Data="{'".mvjoin(Calculated_Data, "','")."'}" | fields - g v

This is the received payload. index=us_whcrm source=MuleUSAppLogs sourcetype= "bmw-crm-wh-xl-retail-amer-prd-api" ((severity=ERROR "Transatcion") OR (severity=INFO "Received Payload")) | rex field=message "(?<json_ext>\{[\w\W]*\})" | table _time properties.correlationId json_ext | spath input=json_ext | rename properties.correlationId as correlationId processRetailDeliveryReporting.processRetailDeliveryReportingDataArea.retailDeliveryReporting.retailDeliveryReportingVehicleLineItem.vehicle.vehicleID as VinId | eval BMWUnit=replace(BMWUnit,"([file://w%7b3%7d)(/w%7b2%7d]\\w{3})(\\w{2})", \\1-\\2) | table _time correlationId BMWUnit dealerId Description VinId | stats earliest(_time) as _time values(*) as * by correlationId | where isnotnull(Description) I am using this query to get all the errors and their field details in the table and it is working but now there is one condition that I have to differentiate that error they are of two types one we can get from the flow end event [sync/c2v] which I shared. And these errors I am calculating from description field. what could I do chnage in my query to find the- error type.  

Should the csv file uploaded as lookup file? Can we avoid that? Also the strings can contain _ as well as they can be capital letters and small letters.. how can i do this? This [A-Za-z_] regular expression is fine?

You can do it like this runnable example with your data - using from the rex statement | makeresults | eval _raw="Group Value Data {'a':'1','b':'2'} {'a','b'} {'a':1,'b':'2'} {'a'} {'b'} {'a':1,'b':'2','c':'3'} {'a'} {'b','c'}" | multikv forceheader=1 | table Group Value Data ``` This is your Splunk SPL ``` | rex field=Group max_match=0 "'(?<g>\w)':" | rex field=Value max_match=0 "'(?<v>\w)'" | eval Calculated_Data=mvmap(g, if(g!=v, g, null())) | eval Calculated_Data="{'".mvjoin(Calculated_Data, "','")."'}" | fields - g v  So, if you have a CSV file with Group and Value in it, then | inputlookup your_csv.csv | rex field=Group max_match=0 "'(?<g>\w)':" | rex field=Value max_match=0 "'(?<v>\w)'" | eval Data=mvmap(g, if(g!=v, g, null())) | eval Data="{'".mvjoin(Data, "','")."'}" | fields - g v  

you can achieve this by modifying the inputs.conf and output.conf. Can you follow the below steps   your input config should be  [monitor:///path/to/data1] disabled = false index = your_index1 sourcetype = your_sourcetype1 [tcpout] defaultGroup = your_index1_group [tcpout:your_index1_group] server = 10.10.10.10:xx [monitor:///path/to/data2] disabled = false index = your_index2 sourcetype = your_sourcetype2 [tcpout:your_index2_group] server = 10.10.10.10:yy   --------------------- and output.conf is below   [tcpout] defaultGroup = default-autolb-group [tcpout-server://localhost:PORT1] compressed = false [tcpout-server://localhost:PORT2] compressed = false