I'm reverse engineering UF configs from an old deploy server that we're replacing and am running into variables in conf files but I'm not finding where the values are defined.  An example would be an if_ip in an outputs.conf entry... [tcpout:primary_forwarders] server = {{ hf_ip }}:9997 They look like custom variables as they would be used in Observability Cloud but this is in a standard Enterprise deploy. ... View more

I have an index with events containing a src_ip but not a username for the event.   I have another index of VPN auth logs that has the assigned IP and username.  But the VPN IPs are randomly assigned. I need to get the username from the VPN logs where vpn.client_ip matches event.src_ip.  But I need to make sure that the returned username is the one that was assigned during the event.  In short, I need to get the last vpn client_ip assignment to match the event.src_ip BEFORE the event so the vpn.username would be the correct one for event.src_ip. Here's a generic representation of my current query but I get nothing back. index=event ... | join left=event right=vpn where event.src_ip=vpn.client_ip max=1 usetime=true earlier=true [search index=vpn]    ... View more