I was asking about metadata concerning the source host. The diode itself is not important in this context (apart from the fact that you can't differentiate on source IP). The typical setup that I've seen which involved a diode used syslog over UDP, since it's the easiest "diodeable" form of transport: it's inherently unidirectional. Are you using it or another transport/protocol? Do you really have a Heavy Forwarder inside the diode-separated environment? From my experience I seriously doubt it. If you indeed use syslog/UDP, it's easiest to set up a syslog server (sc4s, rsyslog) and write proper rules for it so it adds the proper metadata to the events (like index, source, sourcetype, optionally other indexed fields) and sends it to HEC on your HF. That's what I would do.
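Added example, not from the reply above or from any Splunk/sc4s/rsyslog project code: an rsyslog configuration for the syslog host on the receiving side of the diode (the same side as the Heavy Forwarder) that does what the reply describes: take the UDP feed, decide index/sourcetype/source from the message itself (the source IP is always the diode's, so it carries no information), and POST the result to HEC. The hostname `hf.example.internal`, port 8088, the all-zero token, the `diode_*` index names, the `fw-` hostname prefix, the sourcetype names and the CA file path are all assumptions to replace.

```rsyslog
# /etc/rsyslog.d/10-diode-to-hec.conf  (assumed path; example config, not from the thread)

module(load="imudp")
module(load="omhttp")

# Bind the diode feed to its own ruleset so it never mixes with this box's local syslog.
input(type="imudp" port="514" ruleset="from_diode")

# HEC event-endpoint payload. $.index / $.sourcetype / $.source are local variables
# filled in by the rules below (constants only, so they need no JSON escaping);
# hostname and the message body come from the packet and are JSON-escaped.
template(name="hec_event" type="string"
  string="{\"time\":%timereported:::date-unixtimestamp%,\"host\":\"%hostname:::json%\",\"source\":\"%$.source%\",\"sourcetype\":\"%$.sourcetype%\",\"index\":\"%$.index%\",\"event\":\"%rawmsg-after-pri:::json%\"}")

ruleset(name="from_diode") {
    # Defaults first: unclassified traffic still gets indexed, into a catch-all index,
    # so a missing rule shows up as misrouted data rather than silently dropped data.
    set $.index = "diode_unclassified";
    set $.sourcetype = "syslog";
    set $.source = "diode:udp514";

    # $fromhost-ip is the diode for every packet, so classify on what the message
    # carries: the hostname from the syslog header, the program name, the content.
    if ($hostname startswith "fw-") then {
        set $.index = "diode_network";
        set $.sourcetype = "example:firewall";   # assumed sourcetype name
        set $.source = "diode:firewall";
    } else if ($programname == "sshd" or $programname == "sudo") then {
        set $.index = "diode_auth";
        set $.sourcetype = "linux_secure";
        set $.source = "diode:linux_secure";
    } else if ($msg contains "IN=" and $msg contains "OUT=") then {
        set $.index = "diode_network";
        set $.sourcetype = "linux:iptables";     # assumed sourcetype name
        set $.source = "diode:iptables";
    }

    # Ship to HEC over TLS. This leg is ordinary bidirectional TCP (rsyslog and the HF
    # sit on the same side of the diode), so queueing and retry actually help here,
    # unlike on the UDP leg, where a lost datagram is simply gone.
    action(type="omhttp"
           server="hf.example.internal" serverport="8088"
           usehttps="on" tls.cacert="/etc/rsyslog.d/hf-ca.pem"
           restpath="services/collector/event"
           httpheaderkey="Authorization"
           httpheadervalue="Splunk 00000000-0000-0000-0000-000000000000"
           template="hec_event"
           batch="on" batch.format="newline" batch.maxsize="100"
           queue.type="LinkedList" queue.size="50000"
           action.resumeRetryCount="-1")
}
```

Two things to check before trusting it: the HEC token on the HF must be allowed to write to every index the rules can set (including the catch-all), otherwise HEC rejects those batches; and after a restart, send a few test lines with `logger -d -n <rsyslog-host> -P 514 -t sshd "test"` and confirm in Splunk that each lands with the index, sourcetype and host you expect. Anything you later find in `diode_unclassified` is a rule you have not written yet.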