I have two Splunk queries, each of which uses the _rex command to extract the join field. Example:       QUERY 1 index=index1 "Query1" | rex field=_raw "abc(?<MY_JOIN_FIELD>def)" QUERY 2 index=index2 "Query2" | rex field=_raw "ghi(?<MY_JOIN_FIELD>jkl)"       I want to use the Transaction command to correlate these two queries, but I can't figure out how to do it. Thanks! Jonathan

Hi to all, I have three machines: 1 deployment-server, 1 SH/Indexer and 1 forwarder. Looking at "monitoring console-panoramics" on deployment-server, i don't see the correct configuration (is available only deployment server, SH/Indexer and forwarder are not visible). The data arrives correctly in the index and in "forwarder management" I see correctly the forwarder client. Finally, the lookup "dmc_forwarder_assets" is empty. Can someone help me please? Thanks. 

This is kind of open ended, but essentially I'm looking for things that you view as bad config, or at least configuration settings that should be flagged for review. Some ideas I've had so far: - Indexes with a very short retention period (100 seconds or the like) - Searches with `index=*` in them - A deployment server targeturi that doesn't match the name of your actual DS What other sorts of config would you flag as concerning? Do you have any automated checks for anything like this in house?

Hi All, We are using Splunk Cloud and have a Universal Forwarder setup on a windows machine - it reads CSV files from a particular folder and sends to indexer.  inputs.conf:       [monitor://D:\Test\Monitoring\Abc] disabled=0 index=indexabc sourcetype = csv crcSalt = <SOURCE>       props.conf:       [source::D:\Test\Monitoring\Abc\*.csv] CHECK_METHOD = modtime       various CSV files are being placed under D:\Test\Monitoring\Abc hourly/daily and this setup works without any issues most of the times for all the CSV files. but there are some instances where data from a single file for a particular hour/day is missing in the index "indexAbc" - this doesn't happen with a particular file but various files. for example, there is a CSV called memory.csv which updates daily at 23:47 and when I checked data for the previous month (timechart span=1d), it doesn't show data for 25th March - I have checked the 3rd party script which sends data to this windows server and it has done that successfully. when a CSV file is read and indexed, i see below entry in the splunkd.log but this is not available for the 25th march for which the data is missing:       03-26-2022 23:47:49.495 +0000 INFO WatchedFile [6952 tailreader0] - Will begin reading at offset=0 for file='D:\Test\Monitoring\Abc\memory.csv'.        for period 25th March 23:40 to 23:50, I have checked splunkd error in _internal index and the results are given below: Can you please suggest what could be causing this intermittent issue and whet troubleshooting steps I can follow? Thank you.

My logs are in the format:   My-Application Log: Some-Key= 99, SomeOtherKey= 231, SomeOtherKey2= 1231, Some Different Key= 0, Another Key= 121   I currently use query: index="myindex" "My-Application Log:" | extract pairdelim=",  " kvdelim="= " | table Some-Key  SomeOtherKey SomeOtherKey2 "Some Different Key" "Another Key"   It is able to extract events however the table is filled with blank/null values.   How can i visualise the data if i have this format of logs. I have to group by Some-key. Example visualization should be grouped basis Some-key Thanks in advance.