Did anyone get any solution for this? Or is there any hot fix available to resolve this? Creating lot of issue as bundle size is quite high each time it is getting pushed.  Current Splunk version is 8.2.3. Upgrading now is bit difficult due to other dependencies.

Thanks for your response, but I'm sorry I wasn't quite precise.  In fact, i extract data from syslog from windows event, and the structure of the data is more complex than the sample i gave. The command field is contained in an xml field like these below. The search : index=app_bisql host=TRUC | rex ".*action_id:(?<action>\S+)*" | where action = "CR" | rex ".*command:(?<command>\w+(\s\w+)?)" | fields command command = sp_addlinkedsrvlogin additional_information I was expecting : command = sp_addlinkedsrvlogin   The field concerned in an xml event. <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='TRUC$AUDIT'/><EventID Qualifiers='16384'>33205</EventID><Level>0</Level><Task>3</Task><Keywords>0x80a0000000000000</Keywords><TimeCreated SystemTime='2023-08-31T04:30:01.964529800Z'/><EventRecordID>134063208</EventRecordID><Channel>Security</Channel><Computer>truc.net</Computer><Security UserID='secret'/></System><EventData><Data> audit_schema_version:1 event_time:2023-08-31 04:30:00.9332742 sequence_number:1 action_id:CR succeeded:true is_column_permission:false session_id:53 server_principal_id:272 database_principal_id:1 target_server_principal_id:0 target_database_principal_id:0 object_id:0 user_defined_event_id:0 transaction_id:5417128 class_type:SL duration_milliseconds:0 response_rows:0 affected_rows:0 client_ip:100.255.120.234  permission_bitmask:00000000000000000000000000000000 sequence_group_id:93E8C63F-640E-4EC4-B401-76F0ED6947A9 session_server_principal_name:truc  server_principal_name:truc  server_principal_sid:truc database_principal_name:dbo target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:truc  database_name:master schema_name: object_name:LSuser command:sp_addlinkedsrvlogin additional_information:&lt;action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"&gt;&lt;server_name&gt;&lt;![CDATA[SWPDFRSQLADM1\MWPADM01]]&gt;&lt;/server_name&gt;&lt;/action_info&gt; user_defined_information: application_name:SQLAgent - TSQL JobStep (Job 0x451A71BE3BB91D4DBF2A1A6C12446006 : Step 1) </Data></EventData></Event>   Regards

Now this has fixed (read: removed) on 9.1.1. 2023-08-30 SPL-242093, SPL-242240 Should not create default "splunkfwd" account by Linux RPM/DEB installer during upgrade when Splunk has been managed by another account

Remove these lines (they were only required when you had the extra row (that you originally asked for) | eval inserts=if(isnull(_time),null(),inserts) | eval updates=if(isnull(_time),null(),updates) | eval errors=if(isnull(_time),null(),errors)

Hi @Hema_Nithya , this check highly depends on the format of the version, so if the format is always the one you shared (git-2.31.1-3.el8_7 and git-2.39.3-1.el8_8), you could use a regex to extract the numeric version: | rex field=installed ".*(?<version_installed>\d+_\d+)" | rex field=shouldbe ".*(?<version_shouldbe>\d+_\d+)" so you can compare them. Ciao. Giuseppe

@gcusello  It will not always  "Triumph.*Processor CarsUnbilledProcessor - CARS.UNBILLED event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}] CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}] 2023-08-30 04:30:48.058 [INFO ] [Thread-43] TriumphProductProcessor - TRIM.PRD event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}] Its both CARS and Triumph  @gcusello can you provide me regex now.

Thank you so much! I will install TA_nix addon tomorrow. One more question. I have a problem like this.   https://community.splunk.com/t5/Getting-Data-In/How-to-make-a-search-for-some-analytics-with-SPL/td-p/656201   Can you help me?

Hi @10061987 , in the Splunk_TA_nix, there's an input stanza for /etc/passwd that's usually disabled. If you enable it, you'll have the content of the above file with the sourcetype= Unix:UserAccounts so you can run a search like this following: index=os sourcetype=Unix:UserAccounts | eval timestamp=strftime(_time,"%Y-%m-%d %H:%M:%S") | stats dc(_raw) AS raw_count list(timestamp) AS timestamp | where raw_count>1 Obviously check if you stored Unix logs in the os index. Ciao. Giuseppe