Hi @sun1000, in blacklist and whitelist options, you have to use a regex not only insert your conditions. So please find the correct regex and try something like this: | rex "(?ms)EventCode\=5145.*Message\=Relative Target Name:\s.+Registry\.xml" You can see a similar regex at https://regex101.com/r/7HVoS2/1  Ciao. Giuseppe ... View more

Hi @Itzloi, are you speaking of both Search Heads and Indexers Clusters or only one? Did you already make a Capacity Plan of your needs? Did you designed an architecture for your infrastructure? (for your info  see at https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures-it.pdf) if you already did these preliminary steps, you can see at: https://docs.splunk.com/Documentation/Splunk/8.1.3/DistSearch/AboutSHC https://docs.splunk.com/Documentation/Splunk/8.1.3/Indexer/Aboutclusters for configuration steps Ciao. Giuseppe   ... View more

Hi @Harold, as @scelikok said, if you're speaking about hardening, you should see at https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/WhatyoucansecurewithSplunk, in addition in the last .Conf there was an interesting  webinar https://conf.splunk.com/files/2020/slides/TRU1537C.pdf  about Splunk hardening. Anyway, if you want the connections used by Splunk, you should see at https://docs.splunk.com/Documentation/Splunk/8.1.3/InheritedDeployment/Ports Ciao. Giuseppe   ... View more

Hi @chuck_life09, Sorry but I don't understand your requirement: you have a multiselect, the values of this multiselect are   "my name is" "the desktop is mine" "there are many likes", you want to have these values in a lookup to dinamically manage them, and use them to filter events in dashboard's panels. What's the problem, to have these values in the lookup? or what else? As I said, did you tried to put each value in a different row of the lookup, so you can call all the values from the lookup? Ciao. Giuseppe ... View more

Hi @chuck_life09, did you tried to create a lookup like this: Name Type AAA ttt AAA sss BBB fff BBB ggg CCC eee CCC hhh CCC qqq  Calling it in the multivalue? Ciao. Giuseppe ... View more

Hi @aditsss, I see that there isn't any search in this panel. As I said I don't understand why create a panel with this input instead to put it in the dashboard header, but it isn't a problem because you know why. The question is what's the condition to display this panel? maybe when you have results in another search? if this panel must be displayed when you have results in another panel with search, you can use this other search to configure the visibility of the panel as I described in the other answer. e.f. taking part of the previous question code: <dashboard> <label>Your dashboard</label> <search id="your_search"> <query> your_search | fields your_fields </query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <progress> <condition match="'job.resultCount' == 0"> <set token="show_html">foob</set> </condition> <condition> <unset token="show_html"></unset> </condition> </progress> </search> <row> <panel> <table rejects="$show_html$"> <title>Process</title> <search base="your_search"> <query> | table your_fields </query> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> <html depends="$show_html$"> <p style="color:red;margin-left:30px;font-size:24px">No data:</p> <br/> <p style="color:blue;margin-left:30px;font-size:24px">in search results</p> </html> </panel> </row> <row> <panel> <title>Number of Licenses (Total, Used , Unused)</title> <input type="dropdown" token="license" searchWhenChanged="true" rejects="$show_html$"> <label>Licenses (Total, Unused, Used)</label> <choice value="a">Total</choice> <choice value="b">Unused</choice> <choice value="c">Used</choice> <default>a</default> <change> <condition value="a"> <unset token="b-details"></unset> <unset token="c-details"></unset> <set token="a-details"></set> </condition> <condition value="b"> <unset token="a-details"></unset> <unset token="c-details"></unset> <set token="b-details"></set> </condition> <condition value="c"> <unset token="a-details"></unset> <unset token="b-details"></unset> <set token="c-details"></set> </condition> </change> </input> <html depends="$show_html$"> <p style="color:red;margin-left:30px;font-size:24px">No data:</p> <br/> <p style="color:blue;margin-left:30px;font-size:24px">in search results</p> </html> </panel> </row> </dashboard> At least, I'd put it in the dashboard header! Ciao. Giuseppe ... View more