I tried with it but no success @isoutamo , Transforms: [sourcetype] SOURCE_KEY=_raw REGEX=(?<fieldNam>[a-zA-Z ]+):(?<value>.+) FORMAT=$1:$2 _raw: "Process Create: Utc Time: 2022-04-28 22:08:22.025 <Ingest_eval_change_fields> INGEST_EVAL = NewField=replace(fieldNam, "\s", "_")   - When we did Ingest_eval_change_fields transforms FORMAT function in earlier transforms has already changed to field names so "fieldNam" no longer exists. ... View more

Website monitoring https://splunkbase.splunk.com/app/1493 Or perhaps the network toolkit https://splunkbase.splunk.com/app/3491/ might help  ... View more

Can you go to apps>Manage Apps> /<Addon that needs to be be in read mode/>  > permissions >  Everyone: Read Admin: Write In my case i did a refresh and it worked, <SplunkURL>/debug/refresh ... View more

Make sure that you have updated the ownership of both drivers to splunk:splunk (assuming that is your Splunk user). If owned by root then dbconnect will ignore them. You also need to cycle the Splunk daemon after installing the new drivers. Afterwards you should see both versions available. ... View more

Yes, these issues really affect indexing. Events may be combined or split or truncated unpredictably. Events without a timestamp will be assigned a timestamp that may not accurately reflect when the event occurred. Your search results may be unreliable. There is a minor performance degradation. Specifying props for a sourcetype means Splunk does not have to guess about what props to use, which improves performance. Every sourcetype you ingest should have props specified. ... View more

I have the same error DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event. looks like splunk is not picking anything from props.conf. MAX_TIMESTAMP_LOOKAHEAD is still 128 which is a default one. I did all these in master server, Do i need to update in deployment server? ... View more

convert from XML to html i believe is a current capability from the create dashboard UI. ... View more

Please provide sample data ... View more

index=c4_akamai | eval newfield = urldecode('reqHdr.referer') | table newfield ... View more

If that is the case, you will need to show us a sample log. ... View more

Thanks @snallam123 !! ... View more

Hi try this regex (?ms).*ServerAuditDetailAssertion:\s+(?<ServerAuditDetailAssertion>[^:]*):\s*.*Applications:\s+(?<Applications>[^:]*):\s*.*paymentRedirects:\s+(?<paymentRedirects>[^:]*):\s*.*Permission:\s+(?<Permission>[^:]*):\s*.*Application:\s+(?<Application>[^:]*):\s*.*assertion:\s+(?<assertion>[^:]*) that you can test at https://regex101.com/r/6Xa7NE/1 So you'll have, e.g. a stat for each Application: index=my_index | rex "(?ms).*ServerAuditDetailAssertion:\s+(?<ServerAuditDetailAssertion>[^:]*):\s*.*Applications:\s+(?<Applications>[^:]*):\s*.*paymentRedirects:\s+(?<paymentRedirects>[^:]*):\s*.*Permission:\s+(?<Permission>[^:]*):\s*.*Application:\s+(?<Application>[^:]*):\s*.*assertion:\s+(?<assertion>[^:]*)" | stats values (ServerAuditDetailAssertion) AS ServerAuditDetailAssertion values(paymentRedirects) AS paymentRedirects values(Permission) AS Permission values (Applications) AS Applications values (assertion) AS assertion BY Application Obviously you can use also other functions as sum, avg, etc... instead values, but I don't know your need. Bye. Giuseppe ... View more

@dmarling Thanks, I got it. This one worked ... View more

I believe you are asking about The use of disabled lookups in searches or other lookups is no longer allowed. My understanding of this is that if you have any saved searches or alerts that use lookups that are now disabled, those searches will throw an error saying as much. Consider this like a security fix because if a lookup is disabled nothing should still be using it. Does that clarify? ... View more

Added Eval IP= (values from index1 , values from index2) it worked. Thanks. ... View more

Thanks, @vnravikumar , This is exactly what i need. ... View more

@somesoni2 thanks, The query you mentioned gives license usage of index, I am looking to figure out how much data i am getting from all servers to that particular index(ex:test) and compare today's data to yesterday's data. And can you please explain difference between index=_internal sourcetype=splunkd component=LicenseUsage idx=test | timechart span=1d sum(b) as usage | eval usageGB=round(usage/1024/1024/1024,2) And | dbinspect index=test | eval GB=sizeOnDiskMB/1024 | stats sum(GB) Thanks. ... View more