I am trying to make a comparison of one field against itself but from a previous day.  The use case is I'm trying to see if that value changes from day to day, the field is a file hash.  I sun a search for today and rename the field I want to compare then run a subsearch and rename the field again so I can then compare them after the subsearch finishes but the eval always evaluates to false and displays the last response you place in the eval line.   My code: index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00" | rename FileHash as "todays_hash" | append [ search index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00" | rename FileHash as "yesterdays_hash"] | eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed") | table description todays_hash yesterdays_hash   I have tried changing the order of the eval putting != before == and it will always take the second options.  The table it showing the eval results and the 2 hashes. Thanks!

Hello, We are planning to upgrade our splunk to version 8.1.4. We have 2 separate indexer cluster for 2 different client. All of then is running version 8.0.8. We are planning to upgrade all of our splunk enterprise except for the indexer cluster (composed of 3 splunk indexer servers) of one of our client due to app not supported by 8.1.4. Will the indexer cluster of the splunk 8.0.8 still continue to function normally even though the rest of the splunk servers (search head, heavy forwarders, and the other client indexer cluster) is on version 8.1.4? Thank you.

Hello, we just updated ES from 6.4 to 6.6. The new incident review dashboard completely ignores suppressed events, showing them in the list. Is this a known issue or something caused by the upgrade? Anyone has a solution for this? (Splunk Enterprise version 8.1.3) Thanks  

Is there  any possibility to over write the index data , for example the data is indexing by the below query. | inputlookup  sample_Data.csv  | collect index= Collected_data  if i indexing the some other data to the same index , in this scenario the old data in the index should be over write by the new data , if it is possible ,  can you please explain how to do it.  | inputlookup  sample_Data2.csv  | collect index= Collected_data 

Hi All , My query was is there any way we can reload the changed python script without restarting the splunk everytime?  I understand we have _bump for javascript and CSS & debug/refresh for .conf files but do we have a similiar command for changed python scripts as well? Thanks & Regards AG.  

hi everyone i installed splunk after delete splunk  i go /splunk/bin and ./splunk start i see error message "ERROR: Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC; perhaps one should be set in environment" how i can do? thank you very much!