Hi @anooshac, please try something like this: <your_search> | spath | table NUM TIME STATUS DURATION COMPONENTS{}.NAME COMPONENTS{}.NAME.TASK{}.ITEMID COMPONENTS.NAME.TASK{}.FILE I'm not sure about the last three field names, please check them. Ciao. Giuseppe ... View more

Hi @power12, good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @haripotu, if you want the percent of EventCode=19 over all the events, you could run something like this: index= server_123 host IN (12345678) uri_stem IN (http/hltchck)fields host | bin span=1h _time | stats count(eval(status=100) AS success count AS total BY _time host | search [ search index=prod-x7 host IN (12345678) sourcetype=“Wineventlog” Eventcode=“19” | fields host ] | stats sum(count) AS Success values(total) AS total BY _time | eval Percent=round((Success/total)*100,2) Ciao. Giuseppe ... View more

Hi @yaye , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @TanyaCnd, why don't you try to use two different tags? e.g: USER or ADMIN for the first one FIELD1 FIELD2 FIELD3, etc... for the second one then you can use them for your searches: tag=ADMIN tag=FIELD1 Ciao. Giuseppe ... View more

Hi @nicolasbagsarpa , there isn't a reference hardware for the Deployment Server. The only indication is that is a standard Splunk server, so at least 12 CPUs and 12 GB RAM. In general, you can use also less resources (8+8). In y experience I never found probles also scaling the number of managed clients. Also because for this role you don't need a physical server but a virtual one, so you can scalate if the load is too high, but i don't think that it will happen. You can also use a two tier architecture for the DS, but it isn't an immediate configuration architecture and it requires a Splunk Architect with experience in large architectures. Ciao. Giuseppe ... View more

Hi @n37w0rk, I don't see the date and time in the field name, maybe the new file is rebuilded, try adding date and time to the file name. ciao. Giuseppe ... View more

Hi @n37w0rk , Check the rsyslog configuration: does it write always on the same file or does it used a filename with date and time? Ciao. Giuseppe ... View more

Hi @n37w0rk, if you're speaking of the files in "/home/splunk/syslog", you're using the monitor command that reads files but doesn't delete them after reading. If you want to delete, you have to use batch instead monitor also in this stanza. ciao. Giuseppe ... View more

Hi @Deepz2612, if you haven't to check if there are events with sourcetypes not in the lookup, you could run something like this: index=* [ | inputlookup your_lookup | fields sourcetype ] | stats count BY sourcetype | append [ | inputlookup your_lookup | eval count=0 | fields sourcetype count ] | stats sum(count) AS total BY sourcetype | where total=0 You could also use tstats to have a more performant search: | tstats count WHERE index=* BY sourcetype | search [ | inputlookup your_lookup | fields sourcetype ] | append [ | inputlookup your_lookup | eval count=0 | fields sourcetype count ] | stats sum(count) AS total BY sourcetype | where total=0 Ciao. Giuseppe ... View more

Hi @thanchen , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @Sss, you have to use the chart command, something like this: <your_search> | chart values(Status) AS Status OVER Profile BY version Ciao. Giuseppe ... View more

Hi @thanchen, it's not clear for me where you take val1 and val2, anyway, you can use the subsearch two times: <your_main_search> ([ search <your_secondary_search> | rename field1 AS query | fields query ] OR [ search <your_secondary_search> | rename field2 AS query | fields query ]) ... Ciao. Giuseppe ... View more

Hi @thanchen , you can pass a value from a subsearch without specifying the field name renaming the field as "query", in this way you perform a full text search on the main search events, some thing like this: <your_main_search> [ search <your_secondary_search> | rename field1 AS query | fields query ] ... Ciao. Giuseppe ... View more

Hi @gcd24967 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the Contributors 😉 ... View more

Hi @gcd24967, you have to change owner to all the folder and start the process as splunk user as described in the above documentation. ciao. Giuseppe ... View more

Hi @RanjiRaje, I cannot test your regex because you didn't share your raw events. Anyway, you said that in indexA you have user=firstname and in indexB you have userName=firstname,login. You already have the user field from indexA and using my regex you can extract the firstname from the userName field of the indexB and can you use it for matching with indexA. Isn't this your requirement? if you want, you can also rename user as userName at the end of the search. I could be more detailed, if you could share a sample of your raw logs from indexA and indexB. Ciao. Giuseppe ... View more

Hi @power12, at first, don't use the search command after the main search: your searches are slower! I'm not sure that's possible to setup the cell colour in dinamic mode, maybe someone else knows this solution, anyway it's surely possible in static mode. Is it acceptable for you to add a Status field (OK,NOK) and give the colour to it? if yes, you could use a search like this: index=abc host IN (*) NOT (host IN (No_exclusions)) | eval lower=((ref*l)+ref), upper=if(u="null","10000000",(ref+(ref*u))) | stats latest(perf_number) AS perf_number values(lower) AS lower values(upper) As upper BY host Test | eval Status=if(perf_number>lower AND perf_number<upper,"OK,"NOK") | table host Test Status perf_number lower upper then you can setup the Status colour based on the value. Ciao. Giuseppe ... View more