Any chance that there will be a Splunk integration for TRAP? ... View more

You don't blacklist apps, you blacklists hosts from serverclasses. But in your case, you shouldn't need to - a whitelist will do the job. For each configuration of applications, you should create a server class. Black/Whitelists are applied to the serverclass, not the applications within it. In the answer below, I have created two server classes - one for your gensearch (which I guess is Prod), and one for QAsearch Then each server class has a different collections of applications. so: [serverClass:all_gensearch] filterType = whitelist whitelist.0 = spkprtsrch01 restartSplunkd = false issueReload = true [serverClass:all_QAsearch] filterType = whitelist whitelist.0 = spkqatsrch* restartSplunkd = false issueReload = true [serverClass:all_gensearch:app:SA-ldapsearch] [serverClass:all_gensearch:app:splunk_app_windows_infrastructure] [serverClass:all_gensearch:app:Splunk_TA_microsoft_ad] [serverClass:all_gensearch:app:Splunk_TA_microsoft_dns] [serverClass:all_gensearch:app:TA-maclookup] [serverClass:all_gensearch:app:TA-user-agents] [serverClass:all_gensearch:app:TA_cisco_cdr [serverClass:all_gensearch:app:Splunk_TA_nginx] [serverClass:all_gensearch:app:SA-nix] [serverClass:all_gensearch:app:splunk_app_jenkins] [serverClass:all_gensearch:app:NetSkopeAppForSplunk] [serverClass:all_gensearch:app:TA-Zscaler_CIM] [serverClass:all_gensearch:app:duo_splunkapp] [serverClass:all_gensearch:app:zscalersplunkapp] [serverClass:all_gensearch:app:TA-Zscaler_CIM] [serverClass:all_gensearch:app:GSuiteForSplunk] [serverClass:all_QAsearch:app:SA-ldapsearch] [serverClass:all_QAsearch:app:splunk_app_windows_infrastructure] [serverClass:all_QAsearch:app:Splunk_TA_microsoft_ad] [serverClass:all_QAsearch:app:Splunk_TA_microsoft_dns] [serverClass:all_QAsearch:app:TA-maclookup] [serverClass:all_QAsearch:app:TA-user-agents] [serverClass:all_QAsearch:app:TA_cisco_cdr Should do what you want. ... View more

Hi @ylucena, One way to filter out already defined data is to use streamstats combined with evals. First thing to do is sort the table by Host, interface, ip_address and OS. Then you can compare each row with the value of the previous row. If they are the same as the previous line, then change the value to "". |...previous search here... | sort Host, interface, ip_address, OS | streamstats current=false last(Host) as prev_host, last(interface) as prev_interface, last(ip_address) as prev_ipaddress | eval Host=if(Host==prev_host,"",Host) | eval interface=if(Host=="" AND interface == prev_interface,"",interface) | eval ip_address=if(Host=="" AND interface=="" AND ip_address==prev_ipaddress,"",ip_address) | table Host, interface, ip_address, OS Checks: This search checks the Host to see if it's the same as the last one, and if so sets it to "". Next it looks at the Interface - if the host is already set to "" and the interface is the same as the last one, then it sets the interface to "". Finally, a similar check is done for ip_address. As long as the Host and interface are blank, it will set the ip_address to "" if it's the same as the previous one. In all other cases the fields are left as-is. That results it the following: Cheers, Daniel ... View more

Hey, thanks for the answer! However, I don't believe that should be the solution. Any HF should work the same, moreover, I don't have another one. Any other ideas? ... View more

Problem no longer exists after upgrading to 2.0.0 for me. ... View more

Oh, man... I'm trying everything I can, but no success so far. Very frustrating. Thanks for the quick response! ... View more