we upgraded our Splunk search heads from 8.x to 9.x and our customers report a discrepency in their IPGeo location searches, where version 8.x.x was reporting a different city for the same IP address as 9.x.x is reporting. I thought ok, let me go upgrade the what ever IPGeo add-on app to the latest version (or to the same version on both Splunk servers) but I don't know what app I am looking for or if even that is a separate app or somehow part of the general Splunk code. your feedback is greatly appreciated 

hello as you can see, I use a token in order to drilldown from a table panel to another table panel <drilldown> <set token="host">$click.value$</set> </drilldown> </table> </panel> </row> <row> <panel> <table> <title>% de paquets VMware perdus</title> <search> <query>`index`(sourcetype=netproc_tcp" host=$host$ but when I refresh te dashboard my second panel says "waiting for input" is there a solution to always display the events in the second panel and to drilldown when I click on the token field? thanks    

Hello,   I am trying to get a list of values using max_match=5.  However I need the results to only return unique values and not just list 5 values regardless of them being duplicates. | rex max_match=5 (?P<BrandID>(202\d.+?))\" |table BrandID Your help and energy is greatly appreciated.   Thank you, Spencer Neal  

Hello, I have some issues with field extractions and getting error messages. Sample data, extraction codes (REGEX), and error messages provided below. Any recommendation would be highly appreciated. Thank you so much, appreciate your support in these efforts.  Sample Data: TESTUser|TESTSYSTEM|DNSTEST|USERTEST|CREATE_SUPER_USER_GROUP|TEST_ELEMENT<GROUP_NAME_group3>|19e4e88e-7fb1-4309-b8a3-93180e41ef86|76.253.69.172|00||2022-04-14T23:59:33.059-0400|{dsUrn: testgroup:'da04c367-b41c-421a-85e1-d5ab759c0c82'}|NA|||||10.207.92.23|23| TESTUser|TESTSYSTEM|DNSTEST|USER|VIS_EXPORT_EXCEL|TEST_ELEMENT<DNSTES_801482320>|ce01fdc2-2bbe-45ef-845b-f79576e215bf|65.144.148.136|00||2022-05-09T10:21:44.021-0400|{dsUrn: testgroup:'6f10e8f8-100b-4482-9b09-10e18504924c'}|NA|||||10.207.92.23|23|23as TESTUser|TESTSYSTEM|DNSTEST|USERTEST|IMPERSONATE_USER|TEST_ELEMENT<USERNAME_TESTUser4>|c594626f-e6e9-4abd-9e0b-fa9861c47285|236.214.26.15|00||2022-05-10T07:52:48.052-0400|{dsUrn: testgroup:'DNS -3ac6-4e92-b50b-e903961f5894'}|NA|||||10.207.92.23|23| TESTUser1TESTUser|TESTSYSTEM|DNSTEST|USER|VIS_SAVE|TEST_ELEMENT<UNVERIFIED_648656466>|5143518f-dc60-433b-a0cc-2fa024b25360|241.254.244.33|00||2022-05-02T05:01:58.001-0400|{dsUrn: testgroup:'157c4534-d970-4b7b-9181-1bddb8f7a670'}|NA|||||10.207.92.23|23| |TESTSYSTEM|DNSTEST|USERTEST|ENABLE_USER|TEST_ELEMENT<USERNAME_TESTUser1>|2923b00c-0a95-465d-85aa-3af5387e992c|19.173.21.53|00||2022-05-29T12:13:26.013-0400|{dsUrn: 'DNS', groupId:'49de37d5-ea28-45ba-be52-84d933425636'}|NA|||||10.207.92.23|23| TESTUser6|TESTSYSTEM|DNSTEST|USERTEST|ENABLE_USER|TEST_ELEMENT<USERNAME_TESTUser5>|0f1ba654-03bf-DNS-ac8f-8f5185232d42|245.236.181.176|00||2022-04-09T02:14:23.014-0400|{dsUrn: testgroup:'b6a89e91-ac03-4641-a3bc-166d013df252'}|NA|||||10.207.92.23|23| TESTUser2|TESTSYSTEM|DNSTEST|USERTEST|UPDATE_TESTDATA|TEST_ELEMENT<USERNAME_TESTUser>|0acf2593-d7ee-4ba8-bf4e-29a4d4adcdaf|213.184.95.84|01|Failed to update TESTDATA. TESTDATA.|2022-03-12T08:03:19.003-0500|{dsUrn: 'gp', groupId:'9850940e-ff7b-4b77-820b-8d0472933c4a'}|NA|||||10.207.92.23|500|2w1 TESTUser|TESTSYSTEM|DNSTEST|USERTEST|CREATE_SUPER_USER_GROUP|TEST_ELEMENT<GROUP_NAME_group3>|9717a152-3809-416a-87a3-e9a4bc9b01a9|14.22.163.187|00||2022-03-19T10:34:35.034-0400|{dsUrn: 'DNSTEST', groupId:'cf9263ba-aff7-4e34-98c1-a09d17aaf8d6'}|NA|||||10.207.92.23|23|header12 REGEX (?P<UserID>.*?)\|(?P<UserType>.*?)\|(?P<System>.*?)\|(?P<EventType>.*?)\|(?P<EventId>.*?)\|(?P<Subject>.*?)\|(?P<SID>.*?)\|(?P<IPAddr>.*?)\|(?P<EventStatus>.*?)\|(?P<Msg>\w*?)\|(?P<TimeStamp>.*?)\|(?P<DATA>.*?)\|(?P<Period>.*?)\|(?P<MCode>.*?)\|(?P<Type>.*?)\|(?P<Type>.*?)\|(?P<DeviceId>.*?)\|(?P<DesIP>.*?)\|(?P<Code>.*?)\|(?P<Headers>.*?) Error Messages:      

Hi Users,  I have to create a gauge component to show the available memory in the system. As we know the gauge component take only single numeric value. So I need to extract the single numeric value from the latest event. My real time search event format is as follows -  INFO c.h.i.d.HealthMonitor - [100.64.29.192]:5701 [gfms] [3.12.9] processors=1, physical.memory.total=4.0G, physical.memory.free=3.4M, swap.space.total=0, swap.space.free=0, heap.memory.used=1.8G, heap.memory.free=1.3G, heap.memory.total=3.1G, heap.memory.max=4.0G, heap.memory.used/total=58.78%, heap.memory.used/max=45.22%, minor.gc.count=0, minor.gc.time=0ms, major.gc.count=0, major.gc.time=0ms, load.process=0.00%, load.system=72.25%, load.systemAverage=6.00, In order to update the Gauge component, I need to extract the  value field of "physical.memory.free" property from the recent search event. Could you guys please let me know the Splunk query for it? 

I am using a HEC and configured a custom source type that sets _time based on a field in the JSON data and when using the "add data" sample data, it works great.  _time gets updated, however, when actually sending data to the HEC, _time stays at indexed time (not the _time based on the data). To give the concrete example, in the JSON i have this line: "timestampStr": "2022-06-03 19:38:19.736995059",   And built this sourcetype: [_j_son_logan_test] DATETIME_CONFIG = LINE_BREAKER = \}()\{ NO_BINARY_CHECK = true category = Custom pulldown_type = 1 disabled = false BREAK_ONLY_BEFORE_DATE = SHOULD_LINEMERGE = false TIME_PREFIX = \"timestampStr\": \" TIME_FORMAT = KV_MODE = json INDEXED_EXTRACTIONS = json And when using the Settings --> Add Data option, and selecting that Source Type, _time shows as 2022-06-03 19:38:19.736995059 However, when I sent that json blob via curl to the HEC (which is set to a particular index and to use that sourcetype), the _time value shows the time it was index (i.e. right now (2022-06-24)). In looking at the data itself, (index="my_index"), the sourcetype column shows _j_son_logan_test Not sure what to check next, but open to thoughts and thank you!

Hello all, Referring to the previous post of: https://community.splunk.com/t5/Installation/Does-kvstore-upgrade-from-8-0-to-8-2-needs-to-be-done-on-the/m-p/603172#M11665 I had tried to upgrade our kvstore to wiredtiger on our license server/cluster master and our deployer. Here are the errors:  Am I not supposed to be upgrading them then? I was following this advice from the previous community answer I received.  Help? I am just trying to do this upgrade correctly. The reason I was doing this is because I was getting errors on our GUI about upgrading the kvstore after I had upgraded the search heads kvstore.