Hi @okumar1 , this means that there's something in the middle between UD and IDX that block the connection. probably an intermediate firewall or a local firewall on the IDX. Ciao. Giuseppe ... View more

Hi @nithys , what are the results of your search? what is your issue? You shared a search that seems to be correct, does it give you results? Ciao. Giuseppe ... View more

Hi @okumar1 , what about telnet test? Ciao. Giuseppe ... View more

Hi @LizAndy123 , is there a common field to use for grouping, e.h. host or transaction_id? if yes, use it in this way: <your_search> | stats values(totalCapacity) AS totalCapacity values(usedCapacity ) AS usedCapacity BY common_key | eval CapLeft = totalCapacity - usedCapacity if for the same common_key you can gave more values, use max or min or avg instead of values as function. Ciao. giuseppe ... View more

Hi @okumar1 , at first, did you checked if the connection (firewall route) is open between UF and IDX on the 9997 port? you can check this on UF using telnet. Then, is the 9997 port open on the IDX local firewall? Ciao. Giuseppe ... View more

Hi @MrLR_02 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @Praz_123 , good for you, see next time! let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @MrLR_02 , if your problem is the disk space, you cannot use the delete command because it only logically deletes  events not physically. you should use the clean command that deletes all events from the index and deletes also physically. You can solve the space issue, applying a very short retention policy on that index (e.g. 12 hours or less), in this way you physically delete buckets. Ciao. Giuseppe ... View more

Hi @MrLR_02 , what's the issue to have the same data stored in the index with different timestamps? Forget your database approach Splunk isn't a database, An index isn't a database table where you store only the data you're using; you can read only the last hour data from your index having the last situation, the same of your appproach deleting events. then, in addition, if you need you can have the situation at a defined time changing the timepicker of your your search. Ciao. Giuseppe ... View more

Hi @Praz_123 , you can use the correct searches of @livehybrid or a simple: index=_internal host IN (indexer1,indexer2) | stats count BY host | append [ | makeresults | eval host=indexer1, count=0 | fields host count ] | append [ | makeresults | eval host=indexer2, count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0 eventually you can replace the append commands with a lookup containing the list of servers to monitor index=_internal host IN (indexer1,indexer2) | stats count BY host | append [ | inputlookup perimeter.csv | eval count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0 Ciao. Giuseppe ... View more

Hi @MrLR_02 , I use kv-Store only if I have to manage records (e.g. case management), for the other situations I prefer using indexes. Anyway, you can store data in kv-store running a scheduled search with outputlookup command at the end. Ciao. Giuseppe ... View more

Hi @dzhangw7 , why are you using a subsearch? you can put all the conditions in the main search: index=my_index "Check something" (("Extracted entities" AND "'date': None") OR extracted_entities.date=null) | timechart count by classification eventually adding a condition on identity_id index=my_index "Check something" (("Extracted entities" AND "'date': None") OR extracted_entities.date=null) identity_id=* | timechart count by classification Ciao. Giuseppe ... View more

Hi @SN1 , in addition to the perfect answer of @kiran_panchavat , you could install the Splunk_TA_nix add-on ( https://splunkbase.splunk.com/app/833 ) and extract additional information from the linux system you're using. Ciao. Giuseppe ... View more

Hi @pedropiin , the stats command automatically dedups values, so you don't need to use the dedup command before the stats command. Ciao. Giuseppe ... View more

Hi @pedropiin , there isn't any reason for your behavior: after a stats command you have only the fields present in the command. Could you share the full search? Ciao. Giuseppe ... View more

Hi @L_Petch , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @dataisbeautiful , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @pedropiin , this search hasn't sense, you could run: index=main source=... ... ... | stats count BY name Ciao. Giuseppe ... View more

Hi @avi123 , could you share the search and the field names you're using ? Ciao. Giuseppe ... View more

Hi @Poojitha , there is no reason for this behavior. If you can, open a ticket to Splunk Support. Ciao. Giuseppe ... View more

Hi @dataisbeautiful , ok, please try this: index=transactionlog sourcetype=transaction earliest=-1h@h latest=@h | join type=left Item [ search index=transactionlog sourcetype=transaction earliest=-1h@h latest=@h | stats count BY Item | eval counter=1 | accum counter AS ID | table Item ID ] | table _time Item Count ID Ciao. Giuseppe ... View more

Hi @dataisbeautiful , in other words, you need to add a progressive number to your results, is it correct? if this is your requirement, please try this: index=transactionlog sourcetype=transaction earliest=-1h@h latest=@h | eval counter=1 | accum counter AS ID | fields - counter | table _time Item Count ID Ciao, Giuseppe ... View more

Hi @dataisbeautiful , could you share your search and a sample of your data (both using "Add/Edit Code Sample" button not a screenshot)? Ciao. Giuseppe ... View more

Hi @Poojitha , try to click on the value you want for lv1 using the interesting fields panel and see how it displays this filter. Ciao. Giuseppe ... View more