My question is how can I save the log events from getting dropped when App_Name IN (*) is in force? Like @ITWhisperer said, you didn't explain what you expect to get by saving the dropped events WHEN App_name IN (*) is in force. Unless you illustrate the desired output - which is an essential part of an answerable question - your question is a simple statement of contradictions. Now I suspect you do not merely want to contradict yourself. Let me try mind reading: you want a count of events with App_Name, and a separate count for events without.

index=msad_hcv NOT ("forwarded")
| spath output=role_name path=auth.metadata.role_name
| mvexpand role_name
| rex field=role_name "(\w+-(?P<App_Name>[^\"]+))"
| search Environment=* type=* request.path=*
| eval app_name_or_no = if(isnull(App_Name), "no", "yes")
| stats count by app_name_or_no

If this is what the tea leaves are telling, the question has nothing to do with events being dropped. One more thing, I don't see any point of inserting that search command on the 4th line. It is much more effective if you throw all filters in index search. What's wrong with this?

index=msad_hcv NOT ("forwarded") Environment=* type=* request.path=*
| spath output=role_name path=auth.metadata.role_name
| mvexpand role_name
| rex field=role_name "(\w+-(?P<App_Name>[^\"]+))"
| eval app_name_or_no = if(isnull(App_Name), "no", "yes")
| stats count by app_name_or_no
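To make the second search concrete, here is an added Python simulation of what it computes (example code, not from the post or from Splunk) over constructed Vault-style audit events; it assumes the field names used in the search and a "<prefix>-<app>" role_name convention matching the rex pattern, and keeps the filters up front as the answer recommends.

```python
import json
import re
from collections import Counter

# Constructed audit events (not real data). The third has no role_name at all;
# the fourth has a role_name that does not fit the "<prefix>-<app>" pattern.
SAMPLE_EVENTS = [
    '{"type":"response","Environment":"prod","auth":{"metadata":{"role_name":"k8s-payments"}},"request":{"path":"secret/data/x"}}',
    '{"type":"response","Environment":"dev","auth":{"metadata":{"role_name":["k8s-billing","aws-reports"]}},"request":{"path":"auth/token/lookup"}}',
    '{"type":"request","Environment":"prod","auth":{"metadata":{}},"request":{"path":"sys/health"}}',
    '{"type":"response","Environment":"prod","auth":{"metadata":{"role_name":"default"}},"request":{"path":"secret/data/y"}}',
]

# Same pattern as the rex command: captures everything after the first "<word>-"
APP_NAME_RE = re.compile(r'(\w+-(?P<App_Name>[^"]+))')


def get_path(obj, path):
    """spath-like dotted lookup; returns None when any segment is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def count_app_name_or_no(raw_events):
    """Simulate: index filters -> spath -> mvexpand -> rex -> eval -> stats count."""
    counts = Counter()
    for raw in raw_events:
        ev = json.loads(raw)
        # Environment=* type=* request.path=* : the field must exist with a value
        if any(get_path(ev, f) is None for f in ("Environment", "type", "request.path")):
            continue
        role = get_path(ev, "auth.metadata.role_name")
        # mvexpand: one row per value of a multivalue field; a missing field still
        # leaves one row, on which App_Name will end up null
        rows = role if isinstance(role, list) else [role]
        for value in rows:
            m = APP_NAME_RE.search(value) if isinstance(value, str) else None
            app_name = m.group("App_Name") if m else None
            counts["no" if app_name is None else "yes"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(count_app_name_or_no(SAMPLE_EVENTS))  # {'yes': 3, 'no': 2}
```

The "no" bucket collects both events with no role_name and events whose role_name does not match the pattern, which is usually what makes the two counts diverge from the raw event count after mvexpand.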