Hi @jfeitosa_real ,  Do you have all the mentioned values are extracted into fields on both type of logs? Which value will be same in both and which one may vary? We need at least one common value from both the logs to correlate and compare.  Say example if the user ID is same in both, We can correlate both the logs and compare the IP address and fire an alert if IP is different from one to another.  If we need to compare both User ID and IP Address, is there any other common values from both the logs are available? Like, Session ID, Trans ID or something like that? ... View more

Hi @amsagg Try Something like below, index=stream_dns dest_asset_tag=*dns OR dest_asset_tag=A | rex field=fieldB "(?<fieldB>[^\.]+)"  ## To extract first portion to match with your lookup filed value | table fieldB | eval Flag="1" | append [| inputlookup dnslookup.csv | table fieldA | rename fieldA as fieldB | eval Flag="1"] | eventstats sum(Flag) Flag by fieldB | dedup fieldB | where Flag=1 ##If the field value exists in both index & lookup, the flag will be set to 2. Hence filtering to 1 | table fieldB ... View more

Hi @ivana27 , If you want to extract only from the mentioned log, include the unique information from the specific log   | rex field=_raw "country=111111\, licensePlate=(?<LicensePlate>[^ ]+)" ... View more

Can you elaborate your requirement a bit more,  So you want to filter your results with the prefix field values in the csv and again assign a state field value to the results?   If above is your requirement, try the below query.    source="log2.log" host="prod-splunk-indexer" sourcetype="testsource" prefix=* [| inputlookup prefixlookup.csv | table prefix] | lookup prefixlookup.csv prefix OUTPUT state | table prefix state   ... View more

Hi @boromir  Can you try the below,  Go to Lookup definition --> Advanced options --> Match Type, and enter WILDCARD(FieldName)   FieldName - The field which consists of wild card in the lookup file.  Check and let me know if you still come across any issues.  ... View more

Thank you for the immediate response @whrg. This query limiting the numbers to 3. I need it depends on the user input. ... View more

Awesomw @kamlesh_vaghela. This is what I am looking for. ... View more

Thank you @rich7177. It is working fine. ... View more

Thank you @somesoni2, It is working fine. ... View more

@somesoni2 I am getting below error while using this query after the splunk upgrade to 7.0. Any thoughts? Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side. ... View more

Hi @kamlesh_vaghela, I am using this in my dashboard, for earliest and latest time. It is working fine but there is small issue. Whenever I am launching the dashboard, getting invalid earliest time message first and then the data getting loaded. So when I am trying to schedule the dashboard pdf delivery. getting invalid_earliest time message in all the panels. | makeresults | eval H=tonumber(strftime(now(),"%H")), NOW = if(H<5,now()-20000,now()) | eval starttime=strptime(strftime(NOW,"%d/%m/%Y 07:00:00 AM"),"%d/%m/%Y %I:%M:%S %p") , endtime=starttime+79200 ... View more

Wonderful @somesoni2. Thank you very much! ... View more

Hi @deepashri_123 Thanks for your response. It is giving the same result what I have already. ... View more

Again it is listing down the values which are returned from the search query. I need Category and job values from my lookup table to be in the table as static irrespective of the search result. Say example I am having 10 values for job and equivalent category values in my look up file. From the search I am getting the status, StartTime, EndTime fields and its values. There are scenarios, I will only get status, Startime and endtime only for 5 job and category values from my search result. In such cases my output table will have only 5 rows for which the search given results. But I want to create like, My table should always show all the values(10 values) of Category and job, Other fields values should get updated upon the search result. So in the above example, my resulted table should be like. Job Category Status StatTime EndTime 1 -a -RU - 9 -NC 2 -s -SU -5 -11 3 -d -FA -4 NA 4 -f 5 -e 6 -q 7 -v -SU -5 -6 8 -n -RU -4 NC 9 -x 10 -l ... View more

@p_gurav Thanks for your response! In this case, I am getting error like lookup name "job" does not exits. It is considering job as lookup name. ... View more

Hi @kamlesh_vaghela Just wondering what this portion is performing eval H=tonumber(strftime(now(),"%H")), NOW = if(H&lt;5,now()-20000,now()) Could you please explain it. ... View more

You can the Dashboard Monitoring App from Splunk Base for better experience of data. https://splunkbase.splunk.com/app/3350/ And follow the below post, may be fulfill your need https://answers.splunk.com/answers/126036/case-how-to-find-the-dashboard-usage-data.html ... View more

| eval Domain=case( hostname1="host1" AND computername1="host1", "NT1", hostname1="host2" AND computername1="host2", "NT2") Same can achieve via lookup if you have large no of values to be created. ... View more

You can go with a drop down option in your dashboard. Please refer the below question and its answers. https://answers.splunk.com/answers/242704/how-can-i-create-a-drop-down-for-panels-in-a-dashb.html ... View more