No one here in the Community can help with that.  Please contact Splunk at education_AMER@splunk.com ... View more

Verify the forwarders are allowed to connect to port 8089 on the DS. Look in splunkd.log on the forwarders for connection/protocol errors.  They'll probably come from the "DC" component. ... View more

See if this helps. <<your search for people events>> | spath ```Loop over the people object and make a list of each name found``` | foreach people.* [ eval name=mvappend(name,if(isnotnull('<<FIELD>>'),"<<MATCHSTR>>", null()))] ```Break the name list into separate events``` | mvexpand name ```Count the names``` | stats count by name ... View more

Yes, indexers do process data before it gets indexed.  That's the primary function of an indexer.  A heavy forwarder is just an indexer that does not store data.  Index-time settings must be deployed on the first one (HF or indexer) that sees the data.  You're right to want to avoid an intermediate layer, IMO. As for how to modify the data, I think SEDCMD is easiest to do.  Put this in the relevant props.conf file: [mysourcetype] SEDCMD-stripFields = s/\[action:"(?<Action>\w+)"|origin:"(?<Origin>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|layer_name:"(?<Text>\w+)"|dst:"(?<dest>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|src:"(?<Source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"/\1,\2,\3,\4,\5/ It will keep only the 5 capture groups, separated by commas. ... View more

Try incorporating the lookup into the base search. index=mydata [ | inputlookup mylookup.csv where list="Splunk Legends" | fields number | format ] | stats value(*) by guid -- because I'm joining some other interesting information in this index ... ... View more

That changes things a bit.  Since the messages don't fit a pattern, coming up with a regex to extract the word of interest is more challenging.  With just a screenshot to work with, it's impossible to test possible solutions. I can say, however, that the answer likely will use timechart instead of stats. ... | timechart count by type   ... View more