Are you trying to parse the fields at search time or index time?  If the former, please share the SPL you're using; otherwise, share the relevant props.conf stanza. ... View more

That is the nature of transaction.  Because it sees events in reverse time order, it assumes the first "MST" it sees (the latest one), is the one that it wants.  There is no setting that changes that. You may be able to use other fields to force it into picking another MST event.  Perhaps the number in brackets can be used to pair the endswith with the right startswith. ... View more

It would help if you posted the SPL as text rather than a screen shot so we can test with it. The regex in the replace command doesn't match the data shown.  It's looking for at least 15 letters or digits or any number of digits after the first slash, but the sample data has only 10 characters. ... View more

If you put "index=_internal" in the Find box then you should get a list of reports and dashboards that contain that string.  The last entry should be "Open 'index=_internal' in Search.  Clicking that should be the same as putting "index=_internal" in a search box. Do you have access to the _internal index?  Usually, only admins and (sometimes) power users have access.  Not having access to the index would explain why you get no results from the Search box (no, Splunk won't say "you don't have access").  OTOH, if the Find box turns up a report that runs as  Owner and the owner has access then you will see results. ... View more

Those queries were in the OP.  I still don't know what "its not working" means.  What results do you get?  What results are you expecting? ... View more

Welcome to Splunk! Please help us to help you.  What do you mean by "search area" and "find area"?  What text are you putting into each?  What are you trying to get for output? ... View more

This kind of news should not have been delivered late on a Friday afternoon before a holiday weekend and only a week before it takes effect! It is written several times that disabling of TLS 1.0 and 1.1 will start on 5 June 23.  Does that mean some customers will not be affected on that date?  If so, then how long will the roll-out take?  Or did you really mean it will happen on 5 June 23? ... View more

What exactly do you mean by "i am not able to pass tokens ...in my tstats query"?  What is stopping you? ... View more

Apparently?  Either it works or it does not.  If it doesn't then please say how it fails you. I can see a few reasons why this search may not work as expected. 1) The rex command sets the Account field to the fixed string "Account That Was Locked Out:" rathe than to an account name.  If you want to extract the account name here, try | rex field=_raw "Account That Was Locked Out:\s*(?<Account>\w+)" 2) The query appears to use Account, Account_Name, and acct_name interchangeably.  The account name likely is in only one of those.  If not, additional commands should be used to combine them into one field. 3) where Period="New" won't work with a multivalue field.  Try where mvfind(Period, "New"). 4) If the goal is to find 3 failures in the last 24 hours then use earliest=-24h. ... View more

Please share some sanitized example events for us to test with.  Are you trying to parse the fields at search time or index time?  If the former, please share the SPL you're using; otherwise, share the relevant props.conf stanza. ... View more

The error message is not saying the script exists in the wrong place.  It's saying a .conf file contains the invalid path given. Search your Splunk configs for the file path in the message and correct it. ... View more

I noticed the contradiction in the docs.  I suggest contacting Splunk Support. ... View more

The SPL syntax looks good.  We need to see some sample events to know if the SPL is correct or not. One thing that will result in no output is if either the room_name or room_email field is null.  When that happens, the stats command cannot group results so it returns nothing. ... View more

The inputlookup command will read the entire CSV file in one go with each row becoming a separate event in the results.   As it does with other results, Splunk will process each event one at a time. ... View more