Hi @Gregski11, As a general best practise, the nodes that have site = site1 in [general] stanza in server.conf  , should have Site1 indexers in their outputs.conf  . And vice versa.  This will prevent log traffic across sites. If you want a failover capability for forwarding logs you can check the indexer discovery on link below; Use indexer discovery in a multisite cluster   ... View more

Hi @shruti14, Your regex is not capturing anything because it expects a two digits number. Please try below; | rex mode=sed field=sourcetype "s/oracle:audit:(.*)(?:\d\d)?/\1/g"   ... View more

Hi @cbiraris , You can just use    index= abc sourcetype = ZXY "Error500" |table _time, _raw   in your alert query and set a trigger condition if the result count is greater than zero. If the query returns something you will get the results. ... View more

You can filter using two methods,  index=index_name source=sourcetype | regex _raw="DESCRIPTION=\".{5}(?:M|H)" | table JOID,JOB_NAME,DESCRIPTION,JOB_GROUP,STATUS,LAST_START,LAST_END,NEXT_START,RUNTIME | sort -time Or, index=index_name source=sourcetype | rex "DESCRIPTION=\".{5}(?<sixth_char>.)" | table JOID,JOB_NAME,sixth_char,DESCRIPTION,JOB_GROUP,STATUS,LAST_START,LAST_END,NEXT_START,RUNTIME | search sixth_char IN ("H","M") | sort -time ... View more

Hi @sekhar463, I thought that you wanted to extract the sixth char, please try below to filter, | regex _raw="DESCRIPTION=\".{5}(?:M|H)"   ... View more

Hi @igor04653, HEC inputs expect valid JSON events Please check if you have malformed JSON events from Kubernetes. Sometimes there may be double quotes or { chars that should be escaped. ... View more

Hi @sekhar463, You use below to extract 6th char in events; | rex "^.{5}(?<sixth_char>.)" ... View more

Hi @munang, Could you please check if Splunk DBConnect app permissions? Can you try changing app permissions to global?  ... View more

Hi @kumaranv, Could you please show us your Heavy Forwarder outputs.conf setting (pass4SymmKey masked) ? Maybe there is something wrong with the settings.   ... View more

Hi @JNgoho, Did you restart the container after deleting the daemon.json file?   ... View more

Hi @surens, Ad-hoc search refers to the process of searching for data using a simple search query, without first creating a saved search or report.   ... View more

Hi @splunkis0927, According to the below log, your UF cannot reach at least one of your indexers.  WARN AutoLoadBalancedConnectionStrategy [1xxxx TcpOutEloop] - Cooked connection to ip=xxx.xx.xx.xx:9997 timed out 30 seconds is the default load balance timer for UF. Whenever this UF tries connecting particular indexers or indexers, it waits for the timeout. During this period UF may not be able to send logs, after connecting to another indexer you see the logs but delayed. Please check the connectivity, routing, firewall, etc between this UF and indexers. ... View more

Hi @Stephan_BP, Can you please try writing output without an array? I mean each result will be a single JSON that contains only one account. ... View more

Hi @igor04653, It seems Splunk is using your Linux server sendmail to send an email. It may work if you are sending only internal company mail addresses.  ... View more

Hi @aprice_q, Your on-prem instance may have a missing setting for the "some_field" indexed field. That is why lispy and results may be different. Please check if your on-prem instance has INDEXED=true for "some_field" field in your fields.conf like below; fields.conf [some_field] INDEXED = true ... View more

Hi @chteh , nice to hear your issue resolved. ... View more

Hi @Yadukrishnan, Splunk automatic key value extraction stops ad spaces. That is why you may not see the full value in some fields. If you post a few sample events, I can suggest you an EXTRACT setting that you can add to your TrendmicroDDI sourcetype.   ... View more

Hi @chteh, Based on your picture, you can try below search; eval check=coalesce('filter-discard',alert_id) | stats values(*) as * by check | where NOT alert_id='filter-discard' AND isnotnull(alert_id) | fields - check ... View more

Hi @chteh, Can you try search without subsearch. I assumed your "Filter action" and "abnormal Protocol" are in filter-discard field.  index="security_device" sourcetype=security_log ("Filter action" OR "abnormal Protocol" | stats values(filter-discard) as filter-discard by alert_id | where isnotnull(mvfind('filter-discard',"Filter action")) | table filter-discard   ... View more