hi @tscroggins : we don't see all the data being pulled from list123.csv. There is a disperancy in data match from the search index and match with lookup file. Please help with other alternative query. Thanks, Sabari     ... View more

Thanks @isoutamo  ... View more

Hi @isoutamo  Thanks for your response, I have the updated certificates in handy, Im planning to proceed below way, Kindly assist 1)Installing the forwarder credentials on many forwarders using a deployment server From Splunk Cloud Platform instance, go to Apps > Universal Forwarder. Click Download Universal Forwarder Credentials. Note the location where the credentials file was downloaded. The credentials file is named splunkclouduf.spl. Copy the file to your /tmp folder. (optional) Use file management tools to move the splunkclouduf.spl file to the $SPLUNK_HOME/etc/deployment-apps/ directory on the deployment server. In a shell or command prompt, unpack the credentials package by running the following command: tar xvf splunkclouduf.spl Navigate to the /bin subdirectory of the deployment server. Install the credentials package by running the following command: splunk install app <full path to splunkclouduf.spl> -auth <username>:<password> where <full path to splunkclouduf.spl> is the path to the directory where the splunkclouduf.spl file is located and <username>:<password> are the username and password of an existing admin account on the universal forwarder. Restart the deployment server by running the following command: /splunk restart ... View more

Can I have your email Id please @gcusello to send the full logs. Since the file size is huge. ... View more

@gcusello The rex which is provided earlier, doesn't working.  Thanks ... View more

@gcusello  Thanks for your quick response.  The rex which you provided it doesn't work for other data which has MD5. one thing I notice in logs before md5 that starts with "","" and end with "","". Using that can you provide rex.   "",""md5"":""b147fbdbd44374f73a763531c8d1093d"",""sha1"":null,"" ... View more

How do we retrieve those parsed data, Please suggest. ... View more

index=ert "192.34.23.122" earliest=-30d | stats dc(user) as "Distinct users" | where 'Distinct users' < 20   In some condition ip address is not specifically determined, like below index=ert "IPaddress" like this - how do we return the results now? ... View more

thanks ... View more

Hi @gcusello  Let me explain you the scenario in details: when I query below, I get the UPN details with "T" as below.  index=xxx | eval UPN=mvindex('userStates{}.userPrincipalName',0) |search UPN = "*T@mail.eeir" |table UPN xxx.mmm@mail.eeir yyy.Mmmm@mail.eeir zzz.rrrr@mail.eeir cccc.eeeeT@mail.eeir   If you see above data xxx , yyy, cccT UPN data's  coming up. But I need to ignore "T" here and show the rest all UPN data like as below xxx.mmm@mail.eeir yyy.Mmmm@mail.eeir zzz.rrrr@mail.eeir cccc.eeee@mail.eeir   For the same am trying to use below query with regex command. But no luck regex is not working.  index=graphsecurityalert | eval UPN=mvindex('userStates{}.userPrincipalName',0) |rex!=UPN = "*T@mail.eeir" |table UPN if you provide the following rex will be great - |rex!=UPN = "*T@mail.eeir" ... View more

hi @gcusello  Yes did that.! But no luck. There are n no of id's with "T" "t". The regex part will help it out as i believe. ... View more

@gcusello  Thanks for your response.! It doesn't work out well When i use a Not operator like below. The "t" "T" should ignore search NOT (UPN=*t@cloud.eeir) ... View more

sample - UPN=*t@cloud.weir Required to remove above "t" and "T". ... View more