Hi @ayadav38 , I usually manually modify the regexes extracted with the Field Extractor! so, please, try this: | rex "medicareId\=(?<medicareId>[^,]+)" That you can test at https://regex101.com/r/9Xt6Tx/1 Ciao. Giuseppe ... View more

What have you tried so far and what were the results of each attempt?  When you say "I am getting half of the URL", which part are you getting?  I'm guessing it stops at an =.  Please share the props.conf settings for this sourcetype. ... View more

Hi @aditsss, Sorry but I don't understand your needm let me summarize: you have a search,  when you have results, you want to display them, when you haven't results, you want to display a message. At first the searhdc must be outside the panel, otherwise it isn't possible to check the panle's display. Then, I don't undestand why you inserted a panel's title in the done section, if you want to change the panel's title you can use another token. Could your better describe your need? Another hint, when you want to share code, please use the "Insert/edit Code" (</>) button. Ciao. Giuseppe ... View more

Hi @sun1000, in blacklist and whitelist options, you have to use a regex not only insert your conditions. So please find the correct regex and try something like this: | rex "(?ms)EventCode\=5145.*Message\=Relative Target Name:\s.+Registry\.xml" You can see a similar regex at https://regex101.com/r/7HVoS2/1  Ciao. Giuseppe ... View more

Hi @Itzloi, are you speaking of both Search Heads and Indexers Clusters or only one? Did you already make a Capacity Plan of your needs? Did you designed an architecture for your infrastructure? (for your info  see at https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures-it.pdf) if you already did these preliminary steps, you can see at: https://docs.splunk.com/Documentation/Splunk/8.1.3/DistSearch/AboutSHC https://docs.splunk.com/Documentation/Splunk/8.1.3/Indexer/Aboutclusters for configuration steps Ciao. Giuseppe   ... View more

Hi @Harold, as @scelikok said, if you're speaking about hardening, you should see at https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/WhatyoucansecurewithSplunk, in addition in the last .Conf there was an interesting  webinar https://conf.splunk.com/files/2020/slides/TRU1537C.pdf  about Splunk hardening. Anyway, if you want the connections used by Splunk, you should see at https://docs.splunk.com/Documentation/Splunk/8.1.3/InheritedDeployment/Ports Ciao. Giuseppe   ... View more

Hi @chuck_life09, Sorry but I don't understand your requirement: you have a multiselect, the values of this multiselect are   "my name is" "the desktop is mine" "there are many likes", you want to have these values in a lookup to dinamically manage them, and use them to filter events in dashboard's panels. What's the problem, to have these values in the lookup? or what else? As I said, did you tried to put each value in a different row of the lookup, so you can call all the values from the lookup? Ciao. Giuseppe ... View more

Hi @Habanero, yes, the main action you have to do is to rename one of the fields to have the same fieldname in both the partial searches. You have to do this in both the cases: if you have to perform a subsearch or if you have to correlate searches with stats command. So, you have to run something like this:  index=estreamer NOT (src_ip="10.0.0.0/8" OR src_ip="192.168.0.0/24" OR src_ip=172.16.0.0/12) (app_proto="TeamViewer" OR app_proto="FTP" OR app_proto="FTP Data" OR app_proto="Telnet" OR app_proto="RDP" OR app_proto="SSH" OR dest_port="3389" OR dest_port="23" OR dest_port="22") fw_rule_action="Allow" [ search index=wineventlog | rename Source_Address AS src_ip | fields src_ip ] | ... Only two little final notes: you forgot one OR in the parenthesis conditions and it's better to have a NOT = condition than a != condition. Ciao. Giuseppe ... View more

Hi @Adevill, I'm sorry to be not able to help you more: it's really strange I did many of these condifugrations without any problem. Check again every step and surely there's a little particular the will solve the problem. Ciao. Giuseppe ... View more

Hi @rahul2gupta, using a unix system, the restore plan is easy: stop the new Splunk instance, copy the backupped splunk forder on the installation folder, restart Splunk. Anyway, it's correct to have always a roll-back plain but this is a quiet upgrade if you have all the apps for the new environment and surely you'll now have any problem. Ciao. Giuseppe. ... View more