Hi @TryingSplunk , I'm not speaking of Replication Factor that's a parameter for Clustered Indexers. On Forwarders' outputs.conf: did you configured autoloadbalancing or not, for more infos see at https://docs.splunk.com/Documentation/Splunk/9.0.4/Forwarding/Setuploadbalancingd Ciao. Giuseppe ... View more

Hi @TryingSplunk, in addition you should check if you configured autoloadbalancing, in this case events are indexed once, otherwise data are indexed more times. Then, are the first three indexed clustered or not? Ciao. Giuseppe ... View more

Hi @AL3Z , at first, check if the Correlation Search is enabled and trigger events, you can test this manually running the search in the same time period you configuresd for you Correlation Search. Then you should check if the action of Notable Creation is correctly configured. Ciao. Giuseppe ... View more

Hi @TryingSplunk , as @inventsekar asked, you should better describe at first why you added a not clustered Indexer and if in this indexer you're sending all the data sources that you're sending also to the cluster or a subset. Maybe you're sending both to cluster and not clustered IDX the same all data, this means that the not clustered IDX occupes much disk space that the cluster and probably this is the reason for the full disk. Ciao. Giuseppe ... View more

Hi @msrama5 , you could schedule a searches (e.g. every 5 minutes) that calculates downtime or slo breaches and saves results in a summary index even because I suppose that these searches aren't so fast. Then you can rus a very quick search on the summary index to calculate the everages and the max values. Ciao. Giuseppe   ... View more

Hi @bt149 , you could try something like this: <your_search> | rex field=src "(?<ip>\d+\.\d+\.\d+\.\d+)" | eval src_nt_host=if(isempty(ip),src,"") | ... Ciao. Giuseppe ... View more

Ciao Ale only you can define if this workaround can be a solution for yoit requirement, but I think that could have sense. Ciao. Giuseppe ... View more

Hi @ze271021, even if you identified a mistake in inputs,conf, repeat the checks I hinted in my previous message, these are the possible issue cause. Ciao. Giuseppe ... View more

Ciao Ale, using a calculated field, you can insert a condition like the ones you described, that you cannot insert in an alias. Ciao. Giuseppe ... View more

Hi @ze271021, there could be two issues to check: at first check if the index was created on indexers, if not you have to control the indexes.conf file in the "master-apps" folder of the Master Node server. if yes, probably the issue is in the app deployed to Universal Fowarders or in the UF configuration. At first check how you configured the UFs' outputs.conf, that's used to address the indexers to send logs. then try againg because until you don't have data, you don't see the index in the Master Node list (in GUI). Al last check, verify if the pointing to the logs in the NTP servers is correct (inputs.conf in the deployed app). Ciao. Giuseppe   ... View more

Hi @bitnapper, get an higher Priority to you use case for the delay in answering: you can justify this action with the information that your project is delaying for their missing answer. About the choose of the OS, the only hint I an give is guide your customer in the choose, explaing the advantages and telling the experiences received in the Community: I'm not the only one that give the same hint in Community! you could also ask help to the Splunk Sales Engineers. Ciao. Giuseppe ... View more

Ciao Ale, did you tried with a calculated field? Ciao. Giuseppe ... View more

Hi @yottanat2021, could you better describe your requirement? are you speaking of data masking at index time or at search time? Ciao. Giuseppe ... View more

Hi @Veeru , you need to extract the earliest and latest values from the first search, so try something like this: index="C" sourcetype="cpu" host="A.local" [ search index="A" sourcetype="B" | rex "\d+\-\S+.(?<JobName>\w+)\," | transaction JobName startswith= start endswith=end | eval earliest=_time, latest=_time+duration | fields earliest latest ] | eval firsttime=strftime(_time, "%d/%m/%Y %H:%M:%S"), secondtime=strftime(_time, "%d/%m/%Y %H:%M:%S") | where (firsttime >= "26/02/2023 03:03:03") AND (secondtime <= "26/02/2023 04:03:03") | eval Total=(pctSystem+pctUser) | table "firsttime" "host" "secondtime" "Total" You could also work in avoiding transaction command that's a very slow command. Ciao. Giuseppe ... View more

Hi @bitnapper, this seems to be a permissions issue not related to the version, but anyway, open a case to Splunk Support, I suppose this is or will be a production system! Anyway, in 12 years that I work on Splunk I never saw any large production architecture based on windows,, only Linux, on Windows I found only little or test architectures, never production infrastructures, especially with a cluster, so I hint to think a little bit more on your choose. Ciao. Giuseppe ... View more

Hi @iwascar , please could you better describe what you mean with "English data" and share some samples of english and not english data? Ciao. Giuseppe ... View more

Hi @aasabatini , Ciao Ale, Could you better describe you requirement? anyway, I think that you could try with a calculated field (in which you can insert a condition) instead a field alias. Ciao. Giuseppe   ... View more

Hi @vishalduttauk, please try this (^\"|\{) that you can test at https://regex101.com/r/VAaTET/1 Ciao. Giuseppe ... View more

Hi @shashilendraman, manually run the subsearch, them manually use the results in the main search and analyze them to understand  if results are compatible with the main search (e.g. format, or message, etc...) and if the search must have results. Ciao. Giuseppe ... View more