@ajayabburi508  Can you please replace the below code in JS? Old: var a = $('<div>').attr({"id":"chk-sourcetype"+cell.value,"value":cell.value}).addClass(checkbox_css).click(function() {   New: var checkbox_css = selected_values_array.includes(cell.value) ? "checkbox checked" : "checkbox"; var a = $('<div>').attr({"id":"chk-sourcetype"+cell.value,"value":cell.value}).addClass(checkbox_css).click(function() {   Thanks KV If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated. ... View more

eventgen's documentation is pathetic. Also: gogen examples skip index names from config files - a basic getting started example is all that was needed! https://github.com/halr9000/gogen-1/blob/master/README/Tutorial.md ... View more

values is what I was searching for. It only shows distinct lists. ... View more

Nevermind you solved . Thank you so much ... View more

I tried with it but no success @isoutamo , Transforms: [sourcetype] SOURCE_KEY=_raw REGEX=(?<fieldNam>[a-zA-Z ]+):(?<value>.+) FORMAT=$1:$2 _raw: "Process Create: Utc Time: 2022-04-28 22:08:22.025 <Ingest_eval_change_fields> INGEST_EVAL = NewField=replace(fieldNam, "\s", "_")   - When we did Ingest_eval_change_fields transforms FORMAT function in earlier transforms has already changed to field names so "fieldNam" no longer exists. ... View more

Just curious. How would this work if in the same example we have ir7utbws001 as an entry as there is no 'period' your code would extract this as null. I wanted to extract the whole field if there is no period So basically what is alternative of | eval temp=split(URL,".") | eval Final=mvindex(temp,0) ... View more

Thank you, it worked successfully.  ... View more

I needed the double quotes too which I learned from your post. Thanks! ... View more

I tried the same that you have. It seems working as expected. | makeresults | eval _raw="{ \"SCMSplunkLog\" : { \"SCMFailureLog\" : { \"appName\" : \"Testing_splunk_alerts_log\", \"eventType\" : \"Testing_splunk_alerts_log\", \"payload\" : { \"level\" : \"ERROR\", \"startTime\" : \"2022-04-12T13:57:49.156Z\", \"successCount\" : 0, \"failureCount\" : 0, \"publishedCount\" : 0, \"errorCode\" : 0, \"errorDescription\" : \"ERROR: relation \"test.testLand\" does not exist\n Position: 8\", \"sourceCount\" : 0, \"endTime\" : \"2022-04-12T13:57:54.483Z\" } } } }"   ... View more

Look at the splunk documentation whats new and fixed issues. https://docs.splunk.com/Documentation/Splunk/8.2.4/ReleaseNotes/MeetSplunk#What.27s_New_in_8.2.4   https://docs.splunk.com/Documentation/Splunk/8.2.6/ReleaseNotes/MeetSplunk#What.27s_New_in_8.2.6   Should not be a major difference. ... View more

you have to try something like this to make it work with lookups    https://community.splunk.com/t5/Splunk-Search/Using-CIDR-in-a-lookup-table/m-p/35787   like/accept if it works for you! ... View more

That worked! ... View more

Ok, that makes sense. More than one time-based field in the event can cause confusion 😉 But this creates a problem. You could - since you're saying that only some subset of your events contains the timezone - do a conditional evaluation like | eval mytime=if(like(match(mytime,".*-[A-Z]+$"),strptime(mytime,"format with timezone"),strptime(mytime,"format without timezone") or even, if you can enumerate hosts or sources with/without timezone, you could make a conditon based on that field. But. I'd strongly advise to reconfigure your sources so that they do include the timezone information within the timestamp. Remember that if you're evaluating your search, it's parsing the time according to your user's configured timezone, which might not be a problem if you assume that none of your users will be far enough to warrant a different timezone. But it might mean that daylight saving comes into play. Without a timezone information within the time string you don't know whether it was in "summer time" or "winter time". So you might get different results depending on when you're calling your search and you'll never know which results are proper ones. And you don't even know if the source is reporting the time properly. ... View more

Thanks Mayur, The query helped. What happen was subsearch computername was returning the value with lower case (pc4555)and main search computername value was returning uppercase (PC455). Converted the main search value to lower case was able to find match the values. Do you have any idea to omit the the data if field values are empty    ... View more

best to use "\s*" instead of "\s" if you are not sure if there will be a space is future events or not. ... View more

Thank you that worked ... View more

Hi is it a multiline event? if yes, could you please put an example of an entire raw event. ... View more

It's not that simple. Splunk counts the licence usage based on raw data that is written to indexes so if the data is in any way modified and/or filtered, the license usage may not be straightforward doubled. ... View more

Based on the sample data and screenshot, I am convinced that the first number is %d and the second is %m. | eval time = strptime(Time, "%d/%m/%Y %H:%M:%S") ... View more

Not sure if this is what you are looking for ?   index=k8s_events namespace=ecom-middleware NOT method=OPTIONS response_code>200 | bin _time span=1d | stats count by path _time | streamstats window=5 sum(count) as total_count avg(count) as avgCount by path | fields _time path total_count avgCount   Say you run that search over the last 30 days, where each row is a unique day with path . And each row has a '_time' field, and an 'avgCount' field. The avgCount field will be the average events per day, during that day and the 4 days preceding it.   ... View more

This worked like a charm. Thank you very much ... View more

Thanks for the reply Mayurr! I thought the same thing. I did find an app  being pushed to all the UF's [and verified it's getting to the workstations] to override default with the following entry from %splunkHome\etc\apps\Splunk_UF\default\outputs.conf: [tcpout] forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = .* forwardedindex.2.whitelist = (_audit | _introspection | _internal | _telemetry) forwardedindex.fileter.disable = false It seems like the 0.whitelist entry is unnecessary but I wonder if that is actually conflicting with gathering audit info. ... View more

I do not think you can change the path explicitly in SPL https://community.splunk.com/t5/Getting-Data-In/How-to-change-the-location-a-saved-search-outputs-a-CSV-file-to/m-p/204917   however, you can write cron jobs to move the file on OS level. ... View more