If you're using Ingest Processor and SPL2, you can split the flowTuples into individual events. Here's the pipeline config to do so. I have re-used the field names referenced in the other answers to make the migration easier. Steps: Onboard data like before with the MSCS add-on Create the following pipeline with partitioning set to sourcetype == mscs:nsg:flow2 to avoid conflicting with the INDEXED_EXTRACTIONS in the TA you may have installed already. When creating a pipeline matching a sourcetype Ingest Processor will pull the event out before it's indexed, transform it and send it back into Splunk or your destination of choice:             /* A valid SPL2 statement for a pipeline must start with "$pipeline", and include "from $source" and "into $destination". */ $pipeline = | from $source | flatten _raw | expand records | flatten records | fields - records | flatten properties | rename flows AS f1 | expand f1 | flatten f1 | rename flows AS f2 | expand f2 | flatten f2 | expand flowTuples | eval flow_time=mvindex(split(flowTuples,","),0) | eval src_ip=mvindex(split(flowTuples,","),1) | eval dest_ip=mvindex(split(flowTuples,","),2) | eval src_port=mvindex(split(flowTuples,","),3) | eval dest_port=mvindex(split(flowTuples,","),4) | eval transport=mvindex(split(flowTuples,","),5) | eval traffic_flow=mvindex(split(flowTuples,","),6) | eval traffic_result=mvindex(split(flowTuples,","),7) | eval flow_state=mvindex(split(flowTuples,","),8) | eval packets_in=mvindex(split(flowTuples,","),9) | eval bytes_in=mvindex(split(flowTuples,","),10) | eval packets_out=mvindex(split(flowTuples,","),11) | eval bytes_out=mvindex(split(flowTuples,","),12) // Normalization, which could also be done at search-time | eval action=case(traffic_result == "A", "allowed", traffic_result == "D", "blocked") | eval protocol=if(match(src_ip, /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/), "ip", "unknown") | eval direction=case(traffic_flow == "I", "inbound", traffic_flow == "O", "outbound") | eval transport=case(transport == "T", "tcp", transport == "U", "udp") | eval bytes=(coalesce(bytes_in,0)) + (coalesce(bytes_out,0)) | eval packets=(coalesce(packets_in,0)) + (coalesce(packets_out,0)) | fields - flowTuples | eval _raw=json_object("resourceId", resourceId, "category", category, "macAddress", macAddress, "Version", Version, "systemId", systemId, "operationName", operationName, "mac", mac, "rule", rule, "flow_time", flow_time, "src_ip", src_ip, "dest_ip", dest_ip, "src_port", src_port, "dest_port", dest_port, "traffic_flow", traffic_flow, "traffic_result", traffic_result, "bytes_in", bytes_in, "bytes_out", bytes_out, "bytes", bytes, "packets_in", packets_in, "packets_out", packets_out, "packets", packets, "transport", transport, "protocol", protocol, "direction", direction, "action", action) | eval _time=flow_time | fields - flow_state, f1, time, f2, properties, resourceId, category, macAddress, Version, systemId, operationName, mac, rule, flow_time, src_ip, dest_ip, src_port, dest_port, traffic_flow, traffic_result, bytes_in, bytes_out, bytes, packets_in, packets_out, packets, transport, protocol, direction, action | into $destination;               On a side note, Microsoft will be deprecating NSG Flow Logs and replacing them with Virtual Network Flow Logs which has a similar format. Here's the config for Virtual Network Flow Logs with sourcetype mscs:vnet:flow :             /* A valid SPL2 statement for a pipeline must start with "$pipeline", and include "from $source" and "into $destination". */ $pipeline = | from $source | flatten _raw | expand records | flatten records | fields - records | rename flowRecords AS f1 | expand f1 | flatten f1 | rename flows AS f2 | expand f2 | flatten f2 | expand flowGroups | flatten flowGroups | expand flowTuples | eval flow_time=mvindex(split(flowTuples,","),0) | eval src_ip=mvindex(split(flowTuples,","),1) | eval dest_ip=mvindex(split(flowTuples,","),2) | eval src_port=mvindex(split(flowTuples,","),3) | eval dest_port=mvindex(split(flowTuples,","),4) | eval transport=mvindex(split(flowTuples,","),5) | eval traffic_flow=mvindex(split(flowTuples,","),6) | eval flow_state=mvindex(split(flowTuples,","),7) | eval flow_encryption=mvindex(split(flowTuples,","),8) | eval packets_in=toint(mvindex(split(flowTuples,","),9)) | eval bytes_in=toint(mvindex(split(flowTuples,","),10)) | eval packets_out=toint(mvindex(split(flowTuples,","),11)) | eval bytes_out=toint(mvindex(split(flowTuples,","),12)) // Normalization, which could also be done at search-time | eval action=case(flow_state == "B", "allowed", flow_state == "D", "blocked", flow_state == "E", "teardown", flow_state == "C", "flow") | eval protocol=if(match(src_ip, /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/), "ip", "unknown") | eval direction=case(traffic_flow == "I", "inbound", traffic_flow == "O", "outbound") | eval bytes=(toint(coalesce(bytes_in,0))) + (toint(coalesce(bytes_out,0))) | eval packets=(toint(coalesce(packets_in,0))) + (toint(coalesce(packets_out,0))) | fields - flowGroups | eval _raw=json_object("record_time", time, "flowLogGUID", flowLogGUID, "flowLogResourceID", flowLogResourceID, "targetResourceId", targetResourceID, "category", category, "macAddress", macAddress, "flowLogVersion", flowLogVersion, "operationName", operationName, "aclID", aclID, "flow_encryption", flow_encryption, "src_ip", src_ip, "dest_ip", dest_ip, "src_port", src_port, "dest_port", dest_port, "traffic_flow", traffic_flow, "bytes_in", bytes_in, "bytes_out", bytes_out, "bytes", bytes, "packets_in", packets_in, "packets_out", packets_out, "packets", packets, "transport", transport, "protocol", protocol, "direction", direction, "action", action) | eval _time = flow_time / 1000 | fields - packets_out, bytes_in, rule, f1, f2, packets, src_ip, targetResourceID, protocol, action, dest_port, aclID, flow_encryption, packets_in, operationName, transport, src_port, flow_state, macAddress, bytes_out, bytes, dest_ip, flowLogVersion, flowLogGUID, category, flowLogResourceID, flowTuples, traffic_flow, direction, time, flow_time | into $destination;               ... View more

In case @PickleRick 's suggestion wasn't clear, you can do this: | makeresults count=5 | eval n=(random() % 10) | eval sourcetype="something" . n | fields - n | collect index=your_summary_index output_format=hec  It will respect the sourcetype set, in this case a value between something0 to something9 ... View more

Since it seems to me that this isn't currently available I have created an idea on Splunk Ideas. I would appreciate it if you could give it your votes: https://ideas.splunk.com/ideas/ESSID-I-256 ... View more

INDEXED_EXTRACTIONS = CSV is not supported by modular inputs according to https://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileswithstructureddata Input types that the indexed field extraction feature supports This feature works with the following input types: File-based inputs only (such as monitoring files, directories, or archives.) Inputs that use the oneshot input type (or through the "Upload" feature in Splunk Web.) It does not work with modular inputs, network inputs, or any other type of input.   You should instead use delimited field extractions to achieve the same result. See:  https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Knowledge/FXSelectMethodstep https://www.splunk.com/en_us/blog/tips-and-tricks/quick-n-dirty-delimited-data-sourcetypes-and-you.html     ... View more

Hi, As the enrichment you want to do is based on very ephemeral data, you may want to do this at Ingest Time instead of at Search Time. Splunk 8.1 introduced a feature called Ingest-Time Lookups. The idea is to do a lookup based on a given field in the event, get lookup results returned that you then store in an indexed field in the event at index time. Your use case sounds like a proper fit for Ingest-Time Lookups. A way to achieve what you want is the following: Scheduled search that stores the results containing "Container Name / Start Time / End Time / IP address" in a CSV file ip_container_mapping.csv. Set up a INGEST_EVAL in props.conf for your Flow/firewall log sourcetypes using Ingest-Time Lookups (this should be done on the Indexers/Heavy Forwarder)   You may want to synchronize the ip_container_mapping.csv file from the Search Head that generates it to the indexers/or HF to keep your CSV up to date. If you are pulling the flow logs in with a Heavy Forwarder the easiest way to do this would be to let the HF query the Splunk indexers and save the CSV on the HF, then set up the INGEST_EVAL on the HF.   Example for point 2 which will give you an indexed field asset_name being looked up based on the src_ip in the event, returning a column in the CSV file called container_name :   <your_sourcetype_name> INGEST_EVAL = asset_name=json_extract(lookup("ip_container_mapping.csv",json_object("src_ip", src_ip), json_array("container_name")), "container_name")     ... View more

I just submitted a pull request to the original add-on with the changes you highlighted. I am hoping the original author includes it and gets a new version uploaded to Splunkbase. https://github.com/pdoconnell/TA-microsoft-windefender/pull/4 ... View more

After a bit of troubleshooting where we first thought the issue was with missing role permissions in Splunk, it turned out the KV Store was not running due to an expired certificate. We recreated the certificate using the splunk createssl command, restarted and voila, the Create Output Group button reappeared. ... View more

This has been filed as a bug and is slated to be fixed in 8.0.4, according to SPL-183467. Splunk UF should use the python in your PATH. ... View more

Hi, I'm the author of the App. Not sure why you are having issues with the dashboards, but this part indicates you have made local customizations to the App: | lookup dnslookup clientip as src_ip | top clienthost as the original app does not have this query. You may also try to clear any client side caches if you recently upgraded to Splunk 8. ... View more

You're welcome. You should be able to filter out users in the base search as well as in the end of the SPL using | search . Can you paste the exact search you are trying as well as a screenshot of your data and possibly also the fields returned? ... View more

Add the index name as index=something to the stanza called cisco_ios You will see that one referenced in the other stanzas ... View more

There is a base eventtype you can adapt in the app. I believe it is the first one in eventtypes.conf. Just add your index name to that macro. A different approach would be to change your roles to automatically search that index by default. ... View more