Hi I am getting in the below data (green box in image). In green is the raw data and in purple is the event data.  The issue is there are 3 source types in one and I need a way to separate them into 3 source types using transforms (Or something like that).  However as the data is event data, how do I do that? For example, in the past when I had to create a new source type  I could use something like this.     [AMBER_RAW] SEDCMD-remove_header = s/^.*?\{/{/1 SHOULD_LINEMERGE = false NO_BINARY_CHECK = true TRANSFORMS-sourcetye_routing = AMBER_RAW_json_EVENT,AMBER_RAW_json_TRACE,AMBER_RAW_json_METRIC EXTRACT-CLUSTER_MACHINE_TEST = ^(?:[^\[\n]*\[){2}(?P<CLUSTER_MACHINE_TEST>[^/]+)       This shows the three different source types that is possible. So i need to create 3 different ones form the orginal one.    

Hi   I am new to OT, and I am struggling with a use case that I could really use some advice on, please I have a test case where we need to send 3.3K logs per second over HEC to Splunk using.   The data is being currently sent into one index and one source type (exporter below) The data is 3 different sourcetype defined by the event “logs.type” The issue is the speed in searching   The SPL I am using is below, but it is not fast for high volumes index="murex_logs" | regex mx.env="dell967srv:15017"  ```We have multiple environment sending in the data ``` | regex log.type="http" ```http is one of 3 that the data source could be``` To me this will be very slow 1st running regex is probably slow and also it has to sort out http from the other data (3 types).   I am talking to dev to see if they can send the data on three different exporters (Below)   However I still must run a regex mx.env="dell967srv:15017 to find the environment that I need.exporters:  splunk_hec/logs_1: # pushed to splunk    token: "a04daf32-68b9-48b2-88a0-6ac53b3ec002"    endpoint: https://mx33456vm:8088/services/collector    source: "mx"    sourcetype: "otel"    index: "murex_logs"    tls:      insecure_skip_verify: true Some of the possible answers I am looking into are Use transforms: To create 3 different sourcetype If possible? But can I do this on event data (regex mx.env="dell967srv:15017" )[Purple below], I know I can do it on raw data but not sure about event data (Green below) Ask the dev team to send the data by log.type and don’t put all the data into one index (But I will still have to use regex for the host) This is my log data. The green data is the Raw data – the Purple is the Event data. Any help would be amazing – thanks in advance   

Root Cause(s) The percentage of non high priority searches skipped (100%) over the last 24 hours is very high and exceeded the red thresholds (20%) on this Splunk instance. Total Searches that were part of this percentage=1. Total skipped Searches=1

I am trying to setup a federated index, on a federated search head, but i am only able to select an index as the remote dataset. the drop down for dataset type does not offer any other option. How do i have to configure the dataset on the remote search head in order to be able to use it on the federated search head. Bot systems are clustered search heads running Splunk enterprise 8.2.2

SOAR version 5.1.0.70187 on-prem installation. Can you please advise, how I can install a Python 2 app from the source code?   The python 2 app in question is GitHub - splunk-soar-connectors/talosintelligence

Our customer have 2 Windows Storage Server 2016 Standard which are performing data storage and backup for Splunk servers, in which we have recently identified a SMB related vulnerability since the "Microsoft network client: Digitally signed communication" is disabled. My client would like to enable this policy to ensure that packet signing is done for SMB and hence mitigate this VA finding. However I have question, if this will create any issue with the file sharing between Splunk server and these storage servers once this changes has been made?

| makeresults | eval value=1 | stats count as "count: 1", count by value If you try to use chart overlay with "count: 1" using the above query, nothing happens.  It doesn't apply the overlay.  If you try with "count", it works as expected.  Both have worked in the past.  Is this fixed in a future version?  I didn't see it on the known issues page.  Thanks.  

Hello Everyone. I wonder if anyone could help me with a report I'm trying to make. Below is my sample logs format. log1 example. ipfield sessionfield - - timefield urlfield methodfield  log2 example datefied midfield sessionfield2 sessionfield3 userfield functionfield ipfield2 rolefield.   what I want to do is search log2 if the sessionfield in log1 exists, then print out a table that has  userfield from log2, ipfield from log1orlog2, all sessionfield from log1 and log2,   userfield from log2, urlfield and mehtodfield and the counts of methodfield.   I have something like this  (index=1 log2) OR (index=1 log1)| eval sessionfield=coalesce(sessionfield,sessionfield2,sessionfield3) | stats values(sessionfield) values(ipfield2) by sessiontuser I got the sessionfield(s) to print but it did not print the sessionfield in log1. I could not figure out how to print the other fields that I needed  I don't have much experience in Splunk search so any guidance or help would be excellent. thank you.    

I have a field properties.policies  in json format  field value: [{"fieldname":"fieldvalue","fieldname":"fieldvalue","fieldname":"fieldvalue",[priview] "fieldname":"fieldvalue",[]}] i want to remove first and last [] so that other fields can populate  can some one send me the rex please ? Thanks in advance