Hi @JGP  You can use the license API to collect this information if you want to present it or record it elsewhere - check out https://docs.appdynamics.com/appd/24.x/latest/en/extend-splunk-appdynamics/splunk-appdynamics-apis/license-api 🌟 Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing ... View more

Hello @Xiangning_Mao , is it possible to add Status column as well? ... View more

source="testing.csv" host="so1" index="test_csv" sourcetype="test_csv" | rex "(?<Test_ID>\d+),(?<name>.*)" max_match=0 | table Test_ID,name   1. source="testing.csv" host="so1" index="test_csv" sourcetype="test_csv" - This is just searching for a particular index, source, sourcetype. 2. | rex "(?<Test_ID>\d+),(?<name>.*)" max_match=0 -  rex - It extracts fields inline from the events. The field extraction is not permanent. https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/SearchReference/Rex "(?<Test_ID>\d+),(?<name>.*)" - It is regular expression as per my sample data. Try https://regex101.com/ for building the regex as per your data. max_match=0 - It will allow rex command to match all matching field-values. Otherwise rex will only match the first occurrence. ... View more

probably this would be a solution ... View more

Hi @JGP, if you need the list of each index containing logs from an host, you could run something like this: | metasearch index=* | stats values(index) AS index count BY host Ciao. Giuseppe ... View more

Any instance where a .conf file is edited from the CLI needs to be restarted so it will read the changes. ... View more

@woodcock , forwarder service was running and after service restart only data started flowing ... View more

Hi @JGP  It's a little ugly but since the message field looks to be valid JSON, you could do this...   ... ``` backup event then rename message field to _raw ``` | eval raw=_raw | rename message AS _raw | extract ``` extract the json from _raw - n.b. it only works on _raw field ``` ``` rename _raw back to message, reset _raw event back to original and remove copy ``` | rename _raw AS message | eval _raw=raw | fields - raw   Not sure how well it scales on big data sets. Anyway, hope it helps ... View more

using the same consistent url in the drill down but still getting the pop up message. just for information this is coming after we had upgrade to 9.0.1 version from 8.2 ... View more

Hi @JGP, I suppose that you're speaking of a Search Head Cluster, check if there are two alerts that generate email, you can see using this simple search. | rest /servicesNS/-/-/saved/searches splunk_server=local | search action.email=1 in this way you have a list of all active alerts and reports that are sending emails and you can check if there are two alerts that generate email. If you're sure of not, open a case to Splunk Support. Ciao. Giuseppe ... View more

To be fully honest, I've never done that myself (and I don't see how those settings would get inherited across different roles). I suppose it's one of those things that you're supposed to use UI for. ... View more

https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Propsconf#:~:text=Default%3A%20not%20set-,MAX_DAYS_AGO,-%3D%20%3Cinteger%3E%0A*%20The%20maximum ... View more