@kiran_panchavat  These are present on server level on Indexers. [inputs.conf] [default] host = 10.100.5.5 [splunktcp://9997] disabled = 0   [output.conf] [tcpout] forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker) forwardedindex.filter.disable = false indexAndForward = false blockOnCloning = true compressed = false disabled = false dropClonedEventsOnQueueFull = 5 dropEventsOnQueueFull = -1 heartbeatFrequency = 30 maxFailuresPerInterval = 2 secsInFailureInterval = 1 maxConnectionsPerIndexer = 2 forceTimebasedAutoLB = false sendCookedData = true connectionTimeout = 20 readTimeout = 300 writeTimeout = 300 tcpSendBufSz = 0 ackTimeoutOnShutdown = 30 useACK = false blockWarnThreshold = 100 sslQuietShutdown = false useClientSSLCompression = true autoLBVolume = 0 maxQueueSize = auto connectionTTL = 0 autoLBFrequency = 30 sslVersions = tls1.2 cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256 ecdhCurves = prime256v1, secp384r1, secp521r1 [syslog] type = udp priority = <13> maxEventSize = 1024 [rfs] batchTimeout = 30 batchSizeThresholdKB = 2048 dropEventsOnUploadError = false compression = zstd compressionLevel = 3 ... View more

@kiran_panchavat  This explains and confirms the issue that we do have multiple events in index but does not explain the steps to fix this. Let me know if I'm missing something. ... View more

@gcusello  Absolutely it helped. I get what I was looking for. Thank you so much for your patience and quick response. ... View more

Thank you @gcusello   I do get some count now which is quite low than what I expected. I will validate it and let you know how it went. Just so you know , the dc_status gives either 1 or 2 value in the end and a ticket in sourcetype 2 can have as much as 10 hops between assignmentgroups plus sourcetype 1/ lookup can have duplicate entrues as well. I hope that is being handled in your last query. Although we need not have to worry about how many of these 10 hops it goes out ofassignmentgroup which is not present in sourcetype 1 /lookup1. Even if it does goes out once, it can be considered in my final count. Thank you! ... View more

Hi @gcusello  I'm really not sure why have you used manager in your example this time. That is not be used anywhere in logic or for validation. And since nothing comes in  > 1 clause , hence no results. I believe We just need to tweak our query you shared before this. ... View more

Hi @gcusello   "I'm searching for tickets in the index (sourcetype2) that changed assignmentGroup and aren't in the lookup, is this the result you want or a different one? " --> No I would like to find out how many tickets are there in Sourcetype 2 which moved out from assignmentgroups present in Sourcetype 1(lookup)? How I validate is something Im mentioning below::: After using your query result , If I pick up any ticket and search it in sourcetype 2 (since it has all historic data as well ,because hops are made from one assignmentgroup to other) I will see list of changes that happened on that ticket. Ideally few  assignmentGroup should be matching from this list to the lookup(Sourcetype 1) and few should not. But I see cases where none are matching, which is something wrong. I hope I'm clear this time. ... View more

Hi @gcusello , To clear it , sourcetype 1 is in lookup and sourcetype 2 is in index. I tried using your last search and it did return ticketnumber and assignmentgroup this time , however, when I picked assignmentgroup from this table  and searched in sourcetype 1,  it actually has a mix of ticket that has assignmentgroup  moved but there are scenarios where none of the assignmentgroup from this result  are present in sourcetype 1 at all . So something seems to be missing here. ... View more

Hello @gcusello  , Thank you for your response, I think we are very close to the solution here .I have updated the question to clear out the confusion if any And I used the below query :: index=your_index sourcetype=sourcetype2 | stats dc(assignmentgroup) AS dc_assignmentgroup values(assignmentgroup) AS assignmentgroup BY ticketnumber | where dc_assignmentgroup>1 | mvexpand assignmentgroup | search NOT [ search |lookup lookpuname assignmentgroup AS assignmentgroup_raw OUTPUT assignmentgroup manager | dedup assignmentgroup | fields assignmentgroup ] | table ticketnumber assignmentgroup Using this, I do not get anything in the table but the event counts, rest all is blank ... View more

Thank you for the prompt reply, however, we haven't started indexing the data and we do not know the size of the events yet. The estimate license needs to be confirmed beforehand( which sounds odd to me too). I would may be assume each event size as ~10kb ( since each record has around 200 fields) and calculate the size. Thank You. ... View more

hello, Thanks for the response. however, lookup 1 has ticket number and all possible fields related to the ticketing info, while lookup2 has just ticket number(which shall be present in lookup 1 as well but) and a few other columns that shall not be matching with lookup1.Also do note lookup 2 just has UNRESOLVED tickets while Lookup 1 has BOTH resolved and Unresolved. Motive here is to get accurate list of all unresolved and resolved  tickets because lookup2 will have current unresolved tickets in source system while lookup1 will have tickets that has moved out of source but yet not flown into index with updates(and will never , hence they will remain unresolved always on dashboard) ... View more

We had that workaround in pace but client does not wish to navigate to lookup editor , find their entry and then edit it. Makes more sense to do it on the dashboard rather. ... View more

Yes I will keep on learning rather than judging others so soon. Thank you so much for your time and not being helpful at all. One quick suggestion: Do not waste your and my time here, since you are of no help anyways. And let others help in case they have some better solution. ... View more

Does not Work. Try hard next time.  I am shocked how even answering multiple times you fail to implement this scenario. Happy Learning! ... View more

And what makes you think I have not tried that option or try searching before posting my question. Please refrain from commenting if you do not have any answer or can redirect to an accepted answer. You should know that by now being on this community! ... View more