If data is not in an index, Splunk cannot create what is not there, so to solve this type of problem you have to a) get the data of events for hosts that DO write to the index b) append a list of hosts you want to know about from a lookup file i.e. your search will look something like this index="index" source="C:\\Windows\\System32\\LogFiles\\Log.log" "Detection!" earliest=-45m latest=now | stats count by host ``` This bit gets all the hosts you want to know about and just contains a field called host ``` | append [ | inputlookup list_of_wanted_hosts.csv | eval count=0 ] ``` now this joins all together, so you have a list with the counts found and 0 where no data is present ``` | stats max(count) as count by host

transaction command is not a good command to use for long transactions if you have a reasonable volume of data, as it will silently run out of memory and your results will be incomplete/wrong. It is often better to use stats, e.g. | stats min(_time) as Start max(_time) as Finish by CARS_ID | eval duration=Finish-Start or if you have lots of events for the same ID that come before and after you could do | stats min(eval(if(match(_raw, "Reading Control-File"), _time, null))) as Start max(eval(if(match(_raw, "Completed Settlement file processing"), _time, null))) as Finish by CARS_ID but it will depend on your events - but this will be reliable

Hi PickleRick, Agreed.  Than do i remove the sourcetype= statement from stanza in inputs.conf  ? ( becuase it is over written any way ) please share your thoughts. also  do i create seperate index for metrics mentioned in my inputs.conf of keep with eventtype index ? here is snipped of inputs.conf ------------------------------- inputs.conf ----------       # ###### OS Logs ###### # [WinEventLog://Application] disabled = false start_from = oldest current_only = 0 checkpointInterval = 5 renderXml=true index = winos ----- ------ ----- # ###### Host monitoring ###### # [WinHostMon://Computer] interval = 600 disabled = false type = Computer index = winos [WinHostMon://Process] interval = 600 disabled = false type = Process index = winos ----- ----- # ###### Win Registry Monitoring # [WinRegMon://default] disabled = false hive = .* proc = .* type = rename|set|delete|create index = winos ------- ------ # # perfmonance Monitoring # ###### Splunk 5.0+ Performance Counters ###### ## CPU [perfmon://CPU] counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec instances = * interval = 30 mode = single object = Processor _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host useEnglishOnly = true sourcetype = PerfmonMetrics:CPU disabled = 0 index = ????? Please share your expertise thanks    

Splunk can index data locally and forward it to another system.  The assumption, however, is that the other system is Splunk. Splunk indexers can forward to non-Splunk systems, but only as raw TCP or syslog.  See https://docs.splunk.com/Documentation/Splunk/9.1.0/Admin/Outputsconf#TCP_Output_stanzas and https://docs.splunk.com/Documentation/Splunk/9.1.0/Forwarding/Forwarddatatothird-partysystemsd for more information.

Hello, no problem.  In the screenshot below, there a numerical values in the each cell of the Count column.  Currently, we see when the Cell color is Green, the Text color is Black, and when the Cell color is Red, the Text color is White.  I need a way to change that Text color to be Green if the Cell is Green, and Red if the Cell is Red in order to hide the Text from the Count column.  Or if there is a way to hide the Text Value in the Count Column and only display the Cell color.  That would be awesome.     Thanks, Tom

Check the TA default configs or anything else for field aliases or evals that have the same name i.e. FIELDALIAS-user and EVAL-user in props or GUI. Either remove the duplicate field alias or eval, or rename them like FIELDALIAS-userTest and see if the new field pops up. I know the Crowdstrike TA 3.1.6 has duplicate names for user and severity which causes Splunk to drop the alias or eval altogether