Since Heff mentioned it, in order to validate private/public IPv4, I made myself an eval-based macro with the following: case( cidrmatch("10.0.0.0/8",$IP$),"False", cidrmatch("172.16.0.0/12",$IP$),"False", cidrmatch("192.168.0.0/16",$IP$),"False", isnull($IP$) OR like($IP$,""), "False", match($IP$,"^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$"),"True") Then, I can use it in any query like: | eval Remote_Address_isExternal = `isExternalIPv4(Remote_Address)`   The last line tests for a valid IPv4 address.  The best regex for validating IPV4 is an ever-evolving conversation on stack overflow.  So, I used the latest from there, but from this highest rated answer, not the accepted one: https://stackoverflow.com/a/36760050/6376311   ... View more

here's what I landed on, in case it's helpful for folks in the future.     | eval isIPV4 = if(match(IP,"^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$"),"True","False")   The best regex for validating IPV4 is an ever-evolving conversation on stack overflow.  So, I used the latest from there, but from this highest rated answer, not the accepted one: https://stackoverflow.com/a/36760050/6376311   Since someone mentioned it, in order to validate private/public IPv4, I made myself an eval-based macro with the following:   case( cidrmatch("10.0.0.0/8",$IP$),"False", cidrmatch("172.16.0.0/12",$IP$),"False", cidrmatch("192.168.0.0/16",$IP$),"False", isnull($IP$) OR like($IP$,""), "False", match($IP$,"^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$"),"True")   Then, I can use it in any query like:   | eval Remote_Address_isExternal = `isExternalIPv4(Remote_Address)`     ... View more

Thanks for this explanation.  It helped me decide to not use the setting / hack.   ... View more

not 100% answering the original question here, but hoping to help someone in the future.  we're on prem, not splunkcloud, but recently had an issue upgrading our Qualys app and were met with: ERROR: No credentials found. Cannot continue.   the following steps resolved the issue:   1. Click Settings> DATA> Data inputs. 2. On the Data inputs screen, click TA-QualysCloudPlatform. 3. On the Qualys screen, disable all the listed data inputs. 4. Open Linux console terminal. 5. Delete passwords.conf file (/opt/Splunk/etc/apps/TAQualysCloudPlatform/local/passwords.conf). 6. Reboot the Splunk instance. 7. Go to the Splunk UI, click Apps > Manage Apps. 8. Click Setup against the Qualys Technology Add-on for Splunk option. 9. On the TA-QualysCloudPlatform screen, enter new credentials under Qualys Credentials. but before saving the credentials again after deleting the password.conf file please clear cache and do a hard reload TA setup page, then enter the credentials again, save and restart the Splunk 10. Click Save. 11. Enabled Data input     ... View more

here's what I came up with.  seems to work pretty well without modifying the data:   | makeresults | eval _raw = "[abc] logline1 [def] logline 2 [ghi] logline 3" | eval raw=_raw | makemv tokenizer="(.*(\r\n|\r|\n|$))" raw | mvexpand raw | rename raw as _raw ... View more

[Shift]+[Enter] for new lines.  this functionality still amazes me... I've entered a feature suggestion for an option to allow the user to switch that functionality here:  https://ideas.splunk.com/ideas/EID-I-537 please go upvote it!!! ... View more

I've been struggling with the sourcetype renaming and tstats for some time now. It doesn't honor the rename like normal searches, and it doesn't offer you a _sourcetype field.  In a normal search, _sourcetype contains the old sourcetype name: index=* sourcetype=wineventlog | eval old_sourcetype = _sourcetype | top sourcetype, old_sourcetype   I finally figured out an elegant way around it, though!   | tstats count where index=* sourcetype=wineventlog* by index, sourcetype ```Update Renamed Sourcetypes``` | join type=left sourcetype [| rest /services/data/props/sourcetype-rename | eval sourcetype = title | eval renamed_sourcetype = value | fields sourcetype, renamed_sourcetype] | eval old_sourcetype = sourcetype | eval sourcetype = coalesce(renamed_sourcetype, sourcetype) | eval sourcetype_renamed_from = if(isnotnull(renamed_sourcetype),old_sourcetype,null()) | table index, sourcetype, count, sourcetype_renamed_from Sometimes, I prefer to lowercase index and sourcetype in the main and joined query.   Also, I'm not sure what rights the rest command requires.  If that's an issue you could always do the same with a lookup.  I don't know if this will help the OP, but I do hope it benefits others that may not use tstats so much because of this issue.   ... View more