Hi, I could get the results when I run the command. My observation about the lookup file between SH and ES on SH is that the .CSV extension is missing; once added, it's running. I'm trying to understand the below query in order to implement it. Firstly, the description provided in the use case is not clearly understood. I got this use case from the Splunk SF content search. Does anyone have an idea about this query? https://lantern.splunk.com/Splunk_Platform/UCE/Security/Threat_Hunting/Protecting_a_Salesforce_cloud_deployment/Spike_in_exported_records_from_Salesforce_cloud

ROWS_PROCESSED>0 (EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI)
| lookup lookup_sfdc_usernames USER_ID
| bucket _time span=1d
| stats sum(ROWS_PROCESSED) AS rows BY _time Username
| eventstats max(_time) AS maxtime
| stats count AS num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), 'rows', null))) AS rows avg(eval(if(_time < relative_time(maxtime, "-1d@d"), 'rows', null))) AS avg stdev(eval(if(_time < relative_time(maxtime, "-1d@d"), 'rows', null))) AS stdev BY Username
| eval lowerBound=(avg-stdev*2), upperBound=(avg+stdev*2)
| where 'rows' > upperBound AND num_data_samples >= 7
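To make the search's arithmetic concrete, here is an added Python re-implementation of the same detection (not code from the post or from the Lantern article) run over constructed sample events; the USERNAMES dict stands in for the lookup_sfdc_usernames lookup, and the date values stand in for the day-bucketed _time.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, stdev

# Constructed sample events: (event day, USER_ID, EVENT_TYPE, ROWS_PROCESSED).
EVENTS = [
    *[(date(2024, 1, d), "005A", "API", 1000 + 50 * (d % 3)) for d in range(1, 9)],
    (date(2024, 1, 9), "005A", "BulkAPI", 25000),   # export spike for alice
    *[(date(2024, 1, d), "005B", "RestAPI", 500) for d in range(1, 10)],
    (date(2024, 1, 9), "005B", "Login", 90000),     # not an export EVENT_TYPE, ignored
    (date(2024, 1, 9), "005C", "BulkAPI", 70000),   # only one day of data, ignored
]
# Stands in for the lookup_sfdc_usernames lookup (USER_ID -> Username).
USERNAMES = {"005A": "alice", "005B": "bob", "005C": "carol"}
EXPORT_TYPES = {"API", "BulkAPI", "RestAPI"}

def daily_rows(events, usernames):
    """bucket _time span=1d | stats sum(ROWS_PROCESSED) AS rows BY _time Username"""
    totals = defaultdict(int)
    for day, user_id, event_type, rows in events:
        if rows > 0 and event_type in EXPORT_TYPES:
            totals[(day, usernames.get(user_id, user_id))] += rows
    return totals

def spikes(events, usernames, min_samples=7, sigmas=2):
    """Return {Username: (rows, avg, stdev, upperBound)} for users over the bound."""
    totals = daily_rows(events, usernames)
    # eventstats max(_time) AS maxtime: with day-aligned buckets,
    # relative_time(maxtime, "-1d@d") is the start of the day before the newest
    # bucket, so the newest two days are "recent" and earlier days form the baseline.
    cutoff = max(day for day, _ in totals) - timedelta(days=1)
    per_user = defaultdict(list)
    for (day, user), rows in totals.items():
        per_user[user].append((day, rows))
    flagged = {}
    for user, samples in per_user.items():
        recent = [r for d, r in samples if d >= cutoff]
        baseline = [r for d, r in samples if d < cutoff]
        # num_data_samples >= 7; a sample stdev also needs at least two baseline days
        if len(samples) < min_samples or not recent or len(baseline) < 2:
            continue
        avg, sd = mean(baseline), stdev(baseline)
        upper = avg + sigmas * sd            # upperBound=(avg+stdev*2)
        if max(recent) > upper:              # where 'rows' > upperBound
            flagged[user] = (max(recent), avg, sd, upper)
    return flagged
```

With these inputs only alice is flagged: her seven baseline days average 1050 rows with a small spread, so the 25000-row day clears the 2-sigma bound, while bob's flat 500 rows per day never exceed his own bound.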