@svukov please have a look at transaction command after sort if needed on time  here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction ? | transaction thirdPartyId,hashcode maxspan=? ... View more

@MattKr What is your retention period of logs? Also you can look at _internal logs by sourcetype to get the required data but these internal logs are stored only for 30days by default. ... View more

@splunkreal , the filters are still there but at each individual column level, you can use those to apply filters. ... View more

@AL3Z please check if the source is generating the data in the event viewer with the information that you are looking ? ... View more

@AL3Z  $SPLUNK_HOME$/bin/splunk btool inputs list --debug   ... View more

Looks like below https://community.splunk.com/t5/Getting-Data-In/How-to-get-the-host-value-from-INDEXED-EXTRACTIONS-json/m-p/577392 ... View more

@AL3Z Can you may be run btool to check the full configuration? ... View more

@djoherl all the necessary add-ons for the onboarded logsources are installed? Health check dashboard will give some information to start with... ... View more

@maayan clone the classic dashboard to dashboard studio? ... View more

@maayan Please check multiselect input using Splunk Dashboard Studio https://docs.splunk.com/Documentation/Splunk/latest/DashStudio/inputMulti ... View more

Hi @gcusello , I have noticed the same behaviour, but when i unistalled the app/addon still i see duplicated fields but they are in my raw event as well.  Regards, Bharath Kumar ASN ... View more

Hi @gcusello , Are you referring to the raw events that contains duplicates? If it is in the raw event, then it is nothing to do with the TA or Add-on?  If it is with the raw event itself, may be worth to check the source of the data that is sending the logs to splunk... Only these three fields are having the duplicates or any other fields?   ... View more

Hi, Please run below to get the iowait usage that is being tracked by splunk by default: index=_introspection sourcetype=splunk_resource_usage component=IOWait  Looks like they are taking it from there. Regards, BK ... View more

@damucka , Yes! But these are only displayed when we navigate to inputs, configuration pages that are custom to the add-on's but when we navigate to "search" tab under the Db connect app for example, again the app name disappears from the top left section. same as the case with webtools. ... View more

@rnowitzki , Thanks for taking time in replying. Before writing the question here in the group below are the things that I did: * We are receiving data from three sources on the same port, so that way only one set of data which is not seen extracting from the syslog-ng. * So then, I tried to dump everything irrespective of the host into a different location and i observed that the cyberark logs are stored with the receiver hostname and logs are with the error "error processing log file". * Then i did tcpdump on the host that is receiving the logs and observed that the logs are seen without any error message. * After i realized that this is something related to the syslog-ng configuration then i used lot of rules and templates along with no parse flag, still no luck. Now, again i realized that the no parse flag is not used\set in the way it is supposed to use, then again when i corrected the configuration, i can see the logs are receiving. Thanks a lot for your help, so i would say no parse flag helped me in this case. Regards, BK ... View more

@rnowitzki , Thanks for your inputs, i tried with no parse flag but still no luck.. ... View more

Thanks for your input @anilchaithu , but when we use below it is working without any issues: | eval fieldname2=if(fieldname1="abc","Starting",fieldname2) | eventstats values(fieldname2) as fieldname2 by host | lookup local=true mylookup Key as fieldname2 OUTPUT fieldname3 So placing | eventstats between working fine...and we are using the same cases as it is in the kv store.. ... View more