Thanks Rick for checking  my request and for your response, I'm after understanding Auditd , As per my understanding Auditd provides more advanced logging  and it actually give you much more data insight in audit log than the standard logging which is enabled by default on the linux systems, not sure if my understand is correct here though? When we are pulling the data from a simple RHEL server using Splunk, we basically install a Splunk UF and push the TA_NIX app , which we use to basically collect everything under /var/log/* , now my understanding here is these logs that are under /var/log/* are the default logging setting on the linux which does not provides much of context on the log . for example who logged in , the username, the source IP address and the outcome which can only be achieved using Auditd rules. is it true ? Hope I was able to explain well this time, Appreciate if anyone can provide more insight on this. ... View more

Thanks so much @yuanliu @bowesmana  both for the great help,   @yuanliu  So after you post the second query with the results there I was to catch the difference from your previous query and the last one, I was not getting results because in the stats command I was giving space between "count and Eval" , if I do that , it does not get execute. :d Anyway, it a perfect query for my use-case, Much Appreciated ! ... View more

Hello Yuanliu, Thanks once again for your efforts, Yes i did add the quotes , basically I copy pasted from here to search directly.  Have you tested this at your end by any chance   Thanks,   ... View more

Thanks for looking into it, however, it did not go through, it still gives an error The argument '(eval(action IN (Not Found,Forbidden)))' is invalid 😞 ... View more

Thanks ITWHisperer , Much Appreciated ! ... View more

Hello gcusello, Thanks for your inputs, However, like  I said the use case is I'm looking for IP that is causing maximum number of http errors(400s,500s) , lets say I'm trying to find a single IP that is causing  over 100 http errors . I think in the query we will have to use eval&case functions too. Please let me know if you need further clarifications on the above. Moh. ... View more

Thanks for your response, the goal is to list the IP's that is causing maximum http errors. Lets say where errors are >100. ... View more

Thanks a billion  @gcusello  it was great explanations from you I got the results I wanted. ... View more

Hello GC, Thanks for your response and help , however, I still have a bit of confusion, where in this search I'm telling my dest_ip value from the indexed field should match my lookup field "blackip" value. And when you say your_key_filed is this the indexed field or the lookup fieldname, Lets take the 1st search you gave as example and please advise if this is any good and will show me the results as src,dst,port where dst should be only the one that are matched from my lookup table. index=fw [ | inputlookup blackip.csv | fields dest_ip ] | stats values(src_ip) values(dest_ip) by port     Thanks,     ... View more