Hi @linaaabad  The Splunk App for Salesforce is a search head app containing views and dashboards shared by a Splunk community member as a starting point for other users, like yourself, to get a head start at looking at and understanding the SF event data.  Splunk would have no interest in providing a search head app for Salesforce as they are not experts in the Salesforce data.  Being limited to only using Splunk produced apps will only slow down any development in understanding the SF data. Having said that, an app is just an archive file containing configuration in flat text files - *.conf file and *.xml files for dashboards/views.  You do not have to install the app to be able to view these files, simply download the app and open the archive file using your favored utility, e.g. zip on Windows or tar on *nix and look at these types of  files under the default folder.  If you are not very experienced in Splunk then it will be a confusing place to start, however. Alternatively, if there is a test system you could install the app you could look at the configuration via the Web UI and copy what you want to your other system. Hope that helps a little bit.    ... View more

Hi @linaaabad  This is a 3rd party Splunk app that relies on the Splunk Add-on For Salesforce so it's likely that it has some compatibility. Splunk App for Salesforce: https://splunkbase.splunk.com/app/1931 Hope that helps ... View more

Hi @sathiyasun  You can find this information in the Cloud Monitoring Console (CMC) app > License usage > Ingest (Daily license usage details, split by index). Hope that helps   ... View more

Hi @Strangertinz  Really!  It is being parsed correctly?  I've know idea how it could be based on your example sample data and the props.conf shown.  Using LINE_BREAKER=(<log_entry>) and SHOULD_LINEMERGE=FALSE would rip the <log_entry> line out of the XML which would break the XML structured data format.   This might explain why the data appears clumped as timestamp extractions would only work on events which had the log_time value in it.  Events without timestamps would have to full back on to other sources, such as the mod time of the source file, for example.  If you use the hidden _indextime metadata (you need to rename the field to see it, e.g. "rename _indextime to indextime) this will give you the time (in epoch seconds) the data is ingested by Splunk (written to index) and you can check if the event time and index time match or vary wildly. ... View more

Nice, I was working on a similar solution and had not seen your update yet. ... View more

OK,  I think I have a workable solution using the fieldformat command.  Here's an example | makeresults | eval size=split("2147483648:2GB,1099511627776:1TB,1125899906842624:1PB", ",") | mvexpand size | eval size_pretty=mvindex(split(size, ":"), 1), size=mvindex(split(size, ":"), 0) | fieldformat size=size_pretty   Basically, size shows the size_pretty value but the sort uses the size value to do the column sort order. Give it ago and see if it meets your requirements.  It will not help with colour scale mind you. ... View more

Hi @lindonmorris  Yeah, it would not meet your second requirement to sort on the size_pretty column, when clicked.  For that you need to look at javascript, which starts getting complicated.  Not recommended. The only other way is to use a consistent size scale. | makeresults format=json data="[{\"item\":\"disk1\", \"size\":2147483648, \"size_pretty\":\"2 GB\"}, {\"item\":\"disk2\", \"size\":1099511627776, \"size_pretty\":\"1 TB\"}]" | eval size_pretty_gb=round(size/1024/1024/1024, 2) | table item size_pretty_gb You could then define colour scales too. Hope that helps     ... View more

Hi @lindonmorris  Have a look at this answer https://community.splunk.com/t5/Splunk-Search/How-do-I-hide-a-column-in-a-table/m-p/425273 In a dashboard table you can define which columns are visible.   I don't think you can use colours if the scale is different, e.g. GB and TB Hope that helps. ... View more

Hi @Strangertinz  To correctly break the events the LINE_BREAKER value would be ([\r\n]+)<\?xml.  The newlines in the regex capture group define the line break and are not ingested.  So, something like this should work on the heavy forwarder or parsing tier. [sample_xml_st] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+)<\?xml TIME_PREFIX=<log_time> TIME_FORMAT=%Y%m%d-%H:%M:%S TRUNCATE=0   Hope this helps ... View more

Hi @Vish  The example you show is a column chart.  You can order the fields with the table command like this example ...your search... | table _time pa failed aborted "not tested" Note, field names are case sensitive so you'll need to change to match you result set. Hope that helps ... View more

Also, please use the Insert/Edit code sample button when adding event or SPL code content as it helps make the question clearer and prevents the web browser view doing any strange formatting to the example data. Cheers ... View more

Hi @Sureshp191  Not sure how that regex could work as there is no double quote for the exclusion group to match against. This is the regex you need to not put the , in the field value... ... | rex "PortfolioSymbol: (?<PortfolioSymbol>[^,]+) Records: (?<Records>[^,]+) Elapsed: (?<Elapsed>[^\s]+)" ... The regex [^,]+ syntax means match anything that is not a comma.  Once it matches a comma the capture group match stops and moves to the next match, etc. Hope that helps ... View more

Hi @KalebeRS  Here's a link to the lookup command documentation, which based on the limited information provided should be what you need. https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Lookup I'm assuming your table and the csv file have a matching field column to link the data. ... View more

Hi @Sureshp191  Based on the what you presented that could not happen.  Can you maybe provide a screen shot of the search and results in the Splunk UI. ... View more

Hi Dan In props.conf on your heavy forwarder (or indexer) tier do something like this...    [WinEventLog] SEDCMD-filter-winevent = s:(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*):\2\4:g As before, by using colon as the sed command separator you do not need to backslash escape the forward slash delimiters that exists in the event data.  This is very important, otherwise the sed syntax will be invalid.  Also note, give the SEDCMD a label, which can be whatever you like.   Finally, double check the sourcetype of the incoming event, as usually XML events have the XmlWinEventLog sourcetype. You should be able to test the SEDCMD above via Add Data, in case it needs some more tweaking.  Hope that helps ... View more

Hi @adespino  I'm not exactly sure what you are trying to do, but it's the format command that is adding the double backslashes to the search field.  Generally you'd use this command if you required a subsearch in your base search to filter the result set (include or exclude).  If that was the use case, the escaped backslashes are needed and make sense. https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Format Maybe providing the whole query will help clarify what you want to achieve. As a final note, if you still want to make the double backslashes single again, you could use a sed command like in this example...   | makeresults | eval whitelisted_process_name="c:\some\folder\here" | fields whitelisted_process_name | rename whitelisted_process_name as process_name | format | rex mode=sed field=search "s/\\\\\\\/\\\/g"    Hope that helps ... View more

Yes, the rex syntax needs to change to match alphanumerics.  Here's some updated example code.   | makeresults | eval event="Order 1AB5 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 1MB1 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 2MB5 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 2MB5 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 1MB1 failed to retrieve the workOrder. Error DataBase mapping incorrect." | eval event=split(event, " ") | mvexpand event | rename event AS _raw ``` the above just creates dummy events to test the following code ``` | rex "Order (?<Order>[^\s]+)" | stats count BY Order | addcoltotals count | rename Order AS "Order#", count AS "# of times failed"    In this case, the rex will match the ID value after the word "Order ", up to the next whitespace. ... View more

Hi @Sureshp191  Based on the example events provided, here's some demonstration run anywhere code showing a method to do what you want... | makeresults | eval raw="myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0002009 myappstatus got Ended, symbolName: GOOGL ElapsedTime: 0.0005339 myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0005339" | eval raw=split(raw, " ") | mvexpand raw | rename raw AS _raw ``` the above is just creating dummy events to test the following SPL code with ``` | rex "symbolName: (?<symbolName>\w+) ElapsedTime: (?<ElapsedTime>[^\s]+)" | eventstats count AS "Total Count" list(ElapsedTime) AS listElapsedTime sum(ElapsedTime) AS "Total ElapsedTime" BY symbolName | table symbolName "Total Count" "Total ElapsedTime"  Hope that helps ... View more

Hi @Sureshp191  Based on what you have provided my solution would work.  Here is a run anywhere example showing it working... | makeresults | eval event="Order 12345 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 12666 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 12345 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 12666 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 12771 failed to retrieve the workOrder. Error DataBase mapping incorrect. Order 12888 failed to retrieve the workOrder. Error DataBase mapping incorrect." | eval event=split(event, " ") | mvexpand event ``` the above just creates dummy events to test the following code ``` | rex field=event "(?<Order>\d+)" | stats count BY Order | addcoltotals count | rename Order AS "Order#", count AS "# of times failed"  If the real raw events look different to the ones above then please provide a valid example. ... View more

Hi @DanAlexander  Here's a run anywhere SPL example to get you started... | makeresults | eval _raw="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>" | rex mode=sed "s#(.+)(<EventID>\d+</EventID>)(.*)(<Data Name='ParentProcessName'>.+?</Data>)(.*)#\2\4#"  You should be able to put the final sed command into your props.conf SEDCMD.  No double quotes needed.  Also note, I used colon as separator instead of usual forward slash so the other forward slashes did not need escaping. Hope that helps  ... View more