Hi, As the enrichment you want to do is based on very ephemeral data, you may want to do this at Ingest Time instead of at Search Time. Splunk 8.1 introduced a feature called Ingest-Time Lookups. The idea is to do a lookup based on a given field in the event, get lookup results returned that you then store in an indexed field in the event at index time. Your use case sounds like a proper fit for Ingest-Time Lookups. A way to achieve what you want is the following: Scheduled search that stores the results containing " Container Name / Start Time / End Time / IP address" in a CSV file ip_container_mapping.csv. Set up a INGEST_EVAL in props.conf for your Flow/firewall log sourcetypes using Ingest-Time Lookups (this should be done on the Indexers/Heavy Forwarder)   You may want to synchronize the ip_container_mapping.csv file from the Search Head that generates it to the indexers/or HF to keep your CSV up to date. If you are pulling the flow logs in with a Heavy Forwarder the easiest way to do this would be to let the HF query the Splunk indexers and save the CSV on the HF, then set up the INGEST_EVAL on the HF.   Example for point 2 which will give you an indexed field asset_name being looked up based on the src_ip in the event, returning a column in the CSV file called container_name :   <your_sourcetype_name> INGEST_EVAL = asset_name=json_extract(lookup("ip_container_mapping.csv",json_object("src_ip", src_ip), json_array("container_name")), "container_name")     ... View more

I just submitted a pull request to the original add-on with the changes you highlighted. I am hoping the original author includes it and gets a new version uploaded to Splunkbase. https://github.com/pdoconnell/TA-microsoft-windefender/pull/4 ... View more

After a bit of troubleshooting where we first thought the issue was with missing role permissions in Splunk, it turned out the KV Store was not running due to an expired certificate. We recreated the certificate using the splunk createssl command, restarted and voila, the Create Output Group button reappeared. ... View more

This has been filed as a bug and is slated to be fixed in 8.0.4, according to SPL-183467. Splunk UF should use the python in your PATH. ... View more

Hi, I'm the author of the App. Not sure why you are having issues with the dashboards, but this part indicates you have made local customizations to the App: | lookup dnslookup clientip as src_ip | top clienthost as the original app does not have this query. You may also try to clear any client side caches if you recently upgraded to Splunk 8. ... View more

Add the index name as index=something to the stanza called cisco_ios You will see that one referenced in the other stanzas ... View more

There is a base eventtype you can adapt in the app. I believe it is the first one in eventtypes.conf. Just add your index name to that macro. A different approach would be to change your roles to automatically search that index by default. ... View more