Hi @seemanshu ,    Thanks for your response!     Can you help me here with using condition, there are some existing query which is defined for single value input radio button, I would like to use the same <condition match="$tok1$==&quot;v1&quot;> <set token="value1">true</set> <condition match==&quot;v2&quot;> <set token="value2">true</set> but this is not working , if i use 2 values <condition match="$tok1$==&quot;v1&quot;  AND $tok1$==&quot;v2&quot; > <set token="value1">value1 OR value2</set> Thanks in Advance! ... View more

That has me much closer, thanks! ... View more

Thank you that worked.  ... View more

Adding my two cents here, not for ingesting but rather visualize it or create an alert, outputlookup.... you can use the followig : https://splunkbase.splunk.com/app/4146  ... View more

@seemanshu  Sorry for the late reply.  Your answer make so much sense helped my understanding better. Thank you again! ... View more

The question doesn't seem to be related to dates - unless you can show two different raw events, one for which your regex works as desired, one for which not.  Additionally, unless you can demonstrate your regex, there is no way to diagnose. But ultimately, what is the significance of this string preceding the bracketed date, namely "Brew Bar John Doe_123456_UE"?  According to your description, the value you want is "Brew Bar John Doe".  If your description is accurate, this is the value of CN attribute in that embedded LDAP node, except that embedded message contains a nonstandard delimiter ("+" instead of space), and some inconvenient spacing, both can be fixed easily. Instead of trying to reinvent regex, I suggest that you use Splunk supported extractions when applicable.  They are more robust.  In your case, the log contains a segment that is NCSA/Apache access log.  Splunk comes with access-request and access-extractions for such.  For example,   | rex mode=sed "s/\+/,/g s/= */=/g" ``` handle little quirks in data ``` | extract access-request ``` but this is robust ```   This will give you C CN O OU file ink method root uri uri_domain uri_path uri_query version us Brew Bar John Doe Brew Bar Joint 123456 BROk305031.xml 202305031525554263206 GET rest /rest/BROk305031.xml?ink=202305031525554263206   /rest/BROk305031.xml ink=202305031525554263206 HTTP/1.1 Alternatively, you can use   | rex mode=sed "s/\+/,/g s/= */=/g" | extract access-extractions   C CN O OU ink us Brew Bar John Doe Brew Bar Joint 123456 202305031525554263206   ... View more

Hi @jotne , The following setting in the web.conf will help in specifying the dashboard name,   [settings] enable_risky_command_check_dashboard = false splunk_dashboard_app_name = <string> Here, splunk_dashboard_app_name will help in disabling the warning to the required app only. Kindly upvote, if found helpful.  ... View more

Here is the spec doc for the serverclass.conf file. https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Serverclassconf   I have not run into any limits on the number of items.  Especially when I use a csv file to specify 100s of servers for a specific class.  You should be good. ... View more

The solution gave a partial answer, my components got combined but in my ageing column data is missing this output should be these combination   but i have got this few values are reversed also like the values of age of basket 3 is exhanged with basket 4 ... View more

Hi @Nraj87 , You could use one of the following methods for excluding the data from a specific IP in your infrastructure, Modifying syslog-ng.conf filter f_all { not (<ip_address_to_be_excluded>);}; Modifying transforms.conf and props.conf in transforms.conf                    [setnull] REGEX = <regex for the ip to be excluded> DEST_KEY = queue FORMAT = nullQueue     in props.conf    [sourcetype_name] TRANSFORMS-null = setnull   Kindly support the answer, if find it useful. Happy Splunking! ... View more

I tried the above mentioned solution, but it doesn't seem to work. Is there any other method? ... View more