Hi @leykmekoo, are you sure that the field to use as search key is exactly named "Email_Address" in both the searches and that values are compatible? if you manually extract a value from the subsearch, do you have results using this result in the main search? Ciao. Giuseppe

Hi @Ammar, let me understand: is your issue that the search doesn't find any result or that the search finds results but you don't have any action? in the first  case, you have to debug your search: I see that you didn't used the index definition, if the index to use isn't in the default search path, you cannot find anything: index=your_index host=192.168.1.1 "DST=192.168.1.174" | stats count AS Requests BY SRC | sort -Requests | where Requests>50 Then are you sure that in your logs you have a scring exaclty "DST=192.168.1.174"? this isn't a field definition used for the search: if you have the field DST (that usually is in lowercase!) you can use it without quotes. in the second case, you have to check the response actions configuration, which one did you configured? To be listed in the triggered alerts or to receive an email you have to configure this actions in the response actions, it isn't automatic by default. Ciao. Giuseppe

Essentially, I'm trying to create a checklist of hosts I manage and which ones haven't had this event occur yet. This is the first half of what I want: index="index" source="C:\\Windows\\System32\\LogFiles\\Log.log" "Detection!" earliest=-45m latest=now | chart count by host This query shows me 2 columns: host and # of times "Detection!" happened. I just need a 3rd column  or a continuation of the 2nd column that shows hosts with count 0 so I know which ones I still need to work on.

Hi @samsign, As I said you have three solutions: manually modify the inputs.conf file by SSH, create an empty local index on the HF that you can use only for this configuration, override the index assignment on the HF (for more details see at https://community.splunk.com/t5/Getting-Data-In/overwrite-index-on-heavy-forwarder-based-on-port/m-p/507093). Ciao. Giuseppe

Thank you @bowesmana for quick response. I am writing down the exact query here. I have to combine both the queries to get Failure %  using timechart.   Query 1 ( Success ) : index=dl* ("Record_Inserted")  | fields msg.attribute.ticketId | rename msg.attribute.ticketId as ticketId | table ticketId,_time | timechart span=1d dc(ticketId)   Query 2 ( Failure ) : index=dl* ("Error_MongoDB")  | fields msg.attribute.ticketId | rename msg.attribute.ticketId as ticketId | table ticketId,_time | timechart span=1d dc(ticketId)    

Thank you for the reply. I wasn't clear enough about the hosts already being in the index. If I run this query: index="index" source="C:\\Windows\\System32\\LogFiles\\Log.log" earliest=-45m latest=now I have 34 hosts listed. That Log.log is used for many things. It is constantly being updated. I want to know which hosts have had that Log.log updated but don't have the string "Detection!"

the ticket i had open was closed. you can generally work around the issue, if you can get the proper URL you need to do what you want to do and enter it directly.  the issue is known and being repaired, but there is no notice of a resolution yet.   

I have a case open on it.  But all they are doing is suggesting clearing client caches and refreshing the server  by issuing the: http://<host>:<mport>/debug/refresh None of that works at all.  I've tried different clients, different browsers, incognito mode, etc.  Nothing attempted makes any difference. I really hope that someone figured it out and fixed it in the 9.1.1 code.

I see they just released 9.1.1 today.  Wondering if anyone can confirm if this issue is fixed in 9.1.1?  Additionally if anyone who opened a case could respond, I'd like to hear what support is suggesting as I am currently experiencing this on some important screens. Thanks, David

I have another issue in comparing and want to compare should_be with server_installed_package . Sometime package installed is higher after patching . Example given below for git , if the number 2 < 3 , it should mark as completed , else it should check for the next digit if it is 2. and it should check for another number .    CI Installed  shouldbe server_installed_package   server1 git-2.31.1-3.el8_7 git-2.39.3-1.el8_8 git-3.40.3-1.el8_8 Not complete

@gcusello  Thanks for the response.   As an app creater we don't have control on the Indexes available on the Splunk Cloud on user environment.  In App's Input.config we set the index= default.   during the app install flow the configuration shows the new input stream  .. which index, it should assign to..  .. how can we achieve ability to show up all available indexes in the drop down If the desired index is not in the available list .. how can we enable user to  input  a string and trigger a search If user don't want to pick a index then.. the default should be selected    Hope you got the clarity on my ask. 

Assuming you have a "domain" field in both the lookup file and an index, this should get you started. index=foo [ | inputlookup denieddomains.csv | field domain | format ] The subsearch (inside square brackets) fetches the contents of the lookup table (I made up a name - replace it with your own), extracts only the "domain" field, then formats the results into a search string which is then returned to the main search for execution.