It's been a while but btw I get here. The password.conf is located at this folder in the HF or where you installed the TA: /opt/splunk/etc/apps/TA-QualysCloudPlatform/local ... View more

Thanks for the query and I am almost there. So far, it looks like this: index=proofpoint s=* | eval from = if(cmd=="env_from",value,null()) | eval to = if(cmd=="env_rcpt",value,null()) | stats values(from) as From values(to) as To by s There are two more fields _time and subject showing in return from the query above and that I need to add to the result table. Sample record reads: Jul 22 10:32:04 MTAMXIPLP002 filter_instance1[145122]: rprt s=2tuw17mc0b m=1 x=2tuw17mc0b-1 mod=mail cmd=msg module=pdr rule=pass action=continue attachments=1 rcpts=1 routes=default_inbound,uth_tmc_edu_recipient size=39071 guid=QuKJZcb8D_D9rfLfgOf02Nw1xMPS6b0Y hdr_mid= qid=x6MFW4Gb105384 hops-ip=192.161.148.9 subject="Hello, I was unable to login to MD Coder 10 from m..." spamscore=0 virusname= duration=0.308 elapsed=0.517 Thanks, ... View more

Works perfectly. Script by VatsalJagani should work as well. Thank you! ... View more

I tried all the suggestions, but still not seeing the records of when the report was deleted and by whom. The report was deleted after 8:00AM 05/15/19 and before 8:00AM 05/16/19. I already opened a case with Splunk with diag file. Hope they find something. Thanks, ... View more

The report was deleted from Splunk web GUI. I tried both _internal and _audit indexes, but didn't gain much info about the incident. Thanks, ... View more

I have all logs to the right indexes, but data still not populated. Your post seems invaluable if you can give more details on what you have done. Thanks, ... View more

My lookup site reads like: | inputlookup lookup_host_site.csv | stats count by SiteName But I still don't see any data populated to the board. ... View more

Can you give a time window when the newer version with OU pulling is available? Thanks, ... View more

It works well. My index main <2000 records. Thank you. ... View more

The key is "userid" in a different index/sourcetype. I meant looking for records in index A for only userid in index/sourcetype B. index=A OR sourcetype=B ...somewhere I need to add A.username=B.userid that means only userid in soucetype B will display ... View more

I already once signed up for this group, but now I don't know where to login. Can you share me the login page? Thanks, ... View more

v1.3.1 is the latest on Splunkbase and not extracting OUs. I am looking forward to the newer version with the field name. Thanks, ... View more

Can you give more details on how to remove the quota limitation? I couldn't find the variable to remove. Also, it would be very helpful if you can tell where I can find the name of Organization Unit (OU) that a user belongs to. May be from which API that I need to include in the log. Thank you, ... View more

That shows exactly what I was looking for. Thank you, Renjith.nair. Appreciate it. ... View more

Thank you so much. It's a big help. I have been searching for days to resolve this issue. ... View more

That's correct. DS pushed the app down to SH and I was able to remove it from the root. The follow up question, what is pro and con to have apps in DS and directly install on the SH? thanks, ... View more

Thank you for sharing the great detail info. ... View more