Hi @Karthikeya , are you sure that you want to apply this extraction at index time? this means a greater job for indexers and this usually depends on the volume of indexed logs for extractions, how many logs must you index daily and in the peak period? here, you can find a comparation between the two modes and a description: https://docs.splunk.com/Documentation/Splunk/9.4.1/Indexer/Indextimeversussearchtime  Ciao. Giuseppe ... View more

Hi @Karthikeya , if it's runs it's correct! anyway I'd use this: | rex "vs_name\"\:\"\w\-(?<fqdn>[^-]+)-\d+"  Ciao. Giuseppe ... View more

Hi @splunklearner , the HEC is the channel to receive data, but the inputs and the parsing and normalization rules are in the add-on. Infact the link you shared is a description of the add-on configuration process: it isn't sufficient to configure the token to send data, you need also to configure the add-on to define the inputs to enable. Ciao. Giuseppe ... View more

Hi @splunklearner , it's always better to use the Add-On. And remember to install the add-on both on HF and SHs. Ciao. Giuseppe ... View more

Hi @splunklearner , if you need to configure an input from AWS to Splunk, you have to install the Splunk Add-on for Amazon Web Services (AWS) ( https://splunkbase.splunk.com/app/1876 )on the Heavy Forwarder. Ciao. Giuseppe ... View more

Hi @secure , are you sure about the field names? you used two different names for each of them (ostype and OS_type) but maybe it's a mistyping. Anyway, che ck the field names. Then check the value of os_version, if you use the "<" char, it must be numeric. Ciao. Giuseppe ... View more

Hi @whitefang1726 , Deployment Server is a stand-alone Splunk server, so it requires at least 12 CPUs and 12 GB RAM. if it has few clients to manage you can use reducted requirements, and if it has to manage many clientss, you could use more resourses. Ciao. Giuseppe ... View more

Hi @Sultan77 , if you have ES 7.x, you have to flag all the events and add to the same investigation. I haven't an ES 8.x to guide you  in this case. Ciao. Giuseppe ... View more

Hi @Sultan77 , this means that many Correlation Searches (or Detections from 8.X) triggered events. It isn't a good idea grouping different Detections in one alert. Anyway, the only solution is disable Notable (or Finding) creation and use only Risk Score, then use a Finding Based Detection to have only one Finding containing all the others. In addition, you can group more Findings in one Investigation. Ciao. Giuseppe ... View more

Hi @shraddha09 , you cannot use max in the eval command, max can be used only in stats or similar streaming commands. try something like this: index=wf_eit_ecio) | rename 'Properties.Gems.DataSyncsExecutionContext.dataSyncProvidersExecutionGroupULID' AS GroupULID 'Properties.Gems.DataSyncExecutionContext.DataSyncProviderName' AS ProviderName | where GroupULID = lstUlid | stats max(GroupULID) AS max BY ProviderName | chart count(max) as TotalApiCallsCount BY ProviderName I supposed that lstUlid is a threshold. another thing, don't bring these so long field names, rename them after the main search. Ciao. Giuseppe ... View more

Hi @osh55 , ok, please try this: index=sample1 ((sourcetype=x host=host1) OR sourcetype=y) | eval caller_party=if(sourcetype=x, substr(caller, 2), caller_party) | stats count(eval(sourcetype=x)) AS all_calls count(eval(sourcetype=y)) AS messagebank_calls BY caller | search all_calls=* See my approach and adapt it to your use case. Ciao. Giuseppe ... View more

Hi @shraddha09 , as also @livehybrid and @richgalloway said, it's really difficoult to help you without any information. The only additional information that I can add is that you cannot use an eval condition in a where command: you must use the eval command and then in a different row the where condition. Ciao. Giuseppe ... View more

Hi @osh55 , please share your search, anyway, you have to adapt the eval commands to the different kinds of logs. Ciao. Giuseppe ... View more

Hi @Karthikeya , is the question is on the license exceedings, you don't have problems exceeding less than 45 times in 60 days. if the problem is the storage, you could change the dimension of the index where these logs are stored so they will be deleted more frequently and you will not use all the disk space. You could also change this max dimension when you have excessive data ingestion and then restore the normal parameter at the end, anyway the easiest method is configure the max dimension for your indexes. Ciao. Giuseppe ... View more

Hi @Karthikeya , you can exceed the license limit without any violation (only a message) for 45 times in 60 solar days. So it shouldn't be a problem you situation. for more information see at https://www.splunk.com/en_us/resources/splunk-enterprise-license-enforcement-faq.html?locale=en_us Ciao. Giuseppe ... View more

Hi @osh55 , let me understand: is the issue the number or results of the subsearch that are more than 50,000? did you tried to put bo the searches in main search? index=sample1 ((sourcetype=x host=host1) OR sourcetype=y) | eval caller=coalesce(caller, caller_party) | stats count(eval(sourcetype=x)) AS all_calls count(eval(sourcetype=y)) AS messagebank_calls BY caller | search all_calls=* Ciao. Giuseppe Ciao. Giuseppe ... View more

Hi @splunkreal , as @livehybrid said, the easiest approach is to create two copies of the Splunk_TA_Windows that differ only for the index in the input stanzas. If not possible, you could follow the approach that you described. Remember that in the second case, you have to put these configurations not in the Universal Forwarders, but in the first full Splunk instance that data pass throug, in other words on indexers or, if present on intermediate Heavy Forwarders. Ciao. Giuseppe ... View more

Hi @tech_g706 , it isn't possible to optimize accelerated scheduled searches, you can only reduce the execution frequency, if this is compatible with your requisites. E.G. if you schedule acceleration searches every 10 or 15 minutes, instead of 5, you will have avalible data later than now, so you must change the execution time window of your Correlation Searches. In other words, if having a frequency of 5 minutes, you can use a time period from -10m@m to -5m@m  , having a frequency of 15 minutes, you must schedule Correlation Searches from -20m@m to -15m@m, is this acceptable for you? Otherwise, you have to use summariesonly=false, but you lose in performances. Ciao. Giuseppe ... View more

Hi @siv , I don't think so, you could try to upload a file with the additional column, but I'm not sure. ciao. Giuseppe ... View more

Hi @zafar , good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Hi @Treize , because summary index in a main search hasn't limits in the number of results. Ciao. Giuseppe ... View more

Hi @Treize , it could run, but you should add another field to use for the check. But, having the issue of so many rows, why you don't use a summary index, outting it in the main search so you don't have limits? something like this: (<my search>) OR (index=new_summary_index) | eval ip=coalesce(ip,IP) | stats values(index) AS index dc(index) AS index_count BY ip | where index_count=1 AND index=<your_index> | fields ip | outputlookup append=true override_if_empty=false 2.csv Ciao. Giuseppe ... View more

Hi @bhupalbobbadi , if I correctly understood your problem, your second SH doesn't send emails, is it correct? did you checked that the connection between this SH and the mail server (using telnet from the SH to the mail server) is open on the used port? Ciao. Giuseppe ... View more

Hi @Treize , I don't know why your lookup doesn't correctly run, how many lines there are in your lookups? maybe you supered the limit of 10,000 rows. Then, did you changed the name of the "ip" field in the main search or in the lookups? anyway, your search isn't optimized: it should be better to insert the two subsearches in the main search and declare the field to use in the search using the field command: <my search> NOT ([ | inputlookup 1.csv | fields ip ] OR [ | inputlookup 2.csv | fields ip ] | dedup ip | fields ip | outputlookup append=true override_if_empty=false 2.csv Ciao. Giuseppe   ... View more