Thanks!  That did it.  I couldn't work out in my head how to make FirstTime part of the second stats output properly.  This is the search now with the corrections: index=dhcp dhcp_type IN (DHCPACK DHCPOFFER) NOT (dest_hostname IN (PC* LP* GIS* MU* iPhone* iPad*)) | stats earliest(_time) AS FirstTime BY dest_mac dest_hostname dest_ip | where FirstTime > relative_time(now(), "-30d@d") | stats latest(FirstTime) AS FirstTime latest(dest_hostname) AS dest_hostname latest(dest_ip) AS dest_ip BY dest_mac | convert ctime(FirstTime) | `LOOKUP_OUI(dest_mac)` ... View more

It's close.  Changing earliest(dest_hostname) and earliest(dest_ip) to latest(dest_hostname) and latest(dest_ip) gave me what I wanted in those fields, but now FirstTime is blank.   ... View more

Okay, I finally got an event on that collector. We're so close.  It looks like I can search by hostname, and I can probably leave it this way.   ... View more

Good catch!  Thank you.  Unfortunately, I'll need a day or two to actually test it out because the events come in so infrequently. ... View more

Okay.  I think I managed to cut out just the relevant stanzas from the big btool outputs props.conf: /opt/splunk/etc/apps/launcher/local/props.conf [source::ansible] /opt/splunk/etc/system/default/props.conf ADD_EXTRA_TIME_FIELDS = True /opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True /opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE = /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True /opt/splunk/etc/system/default/props.conf CHARSET = UTF-8 /opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml /opt/splunk/etc/system/default/props.conf DEPTH_LIMIT = 1000 /opt/splunk/etc/system/default/props.conf DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false /opt/splunk/etc/system/default/props.conf HEADER_MODE = /opt/splunk/etc/system/default/props.conf LB_CHUNK_BREAKER_TRUNCATE = 2000000 /opt/splunk/etc/system/default/props.conf LEARN_MODEL = true /opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true /opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100 /opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000 /opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000 /opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2 /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600 /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800 /opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256 /opt/splunk/etc/system/default/props.conf MAX_EXPECTED_EVENT_LINES = 7 /opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128 /opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER = /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER = /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE = /opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing /opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full /opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner /opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer /opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none /opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard /opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True /opt/splunk/etc/system/default/props.conf TRANSFORMS = /opt/splunk/etc/apps/dw-hf_settings/default/props.conf TRANSFORMS-hf_name = hf_name /opt/splunk/etc/apps/launcher/local/props.conf TRANSFORMS-host_override = ansible_override /opt/splunk/etc/system/default/props.conf TRUNCATE = 10000 /opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false /opt/splunk/etc/system/default/props.conf maxDist = 100 /opt/splunk/etc/system/default/props.conf priority = /opt/splunk/etc/system/default/props.conf sourcetype = /opt/splunk/etc/system/default/props.conf termFrequencyWeightedDist = false /opt/splunk/etc/system/default/props.conf unarchive_cmd_start_mode = shell transforms.conf: /opt/splunk/etc/apps/launcher/local/transforms.conf [ansible_override] /opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True /opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True /opt/splunk/etc/system/default/transforms.conf DEFAULT_VALUE = /opt/splunk/etc/system/default/transforms.conf DEPTH_LIMIT = 1000 /opt/splunk/etc/apps/launcher/local/transforms.conf DEST_KEY = MetaData:Host /opt/splunk/etc/apps/launcher/local/transforms.conf FORMAT = host::$1 /opt/splunk/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False /opt/splunk/etc/system/default/transforms.conf LOOKAHEAD = 4096 /opt/splunk/etc/system/default/transforms.conf MATCH_LIMIT = 100000 /opt/splunk/etc/system/default/transforms.conf MV_ADD = False /opt/splunk/etc/apps/launcher/local/transforms.conf REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\" /opt/splunk/etc/system/default/transforms.conf SOURCE_KEY = _raw /opt/splunk/etc/system/default/transforms.conf WRITE_META = False ... View more

Wow.  I'd forgotten about the question in 2022.  That was a completely different source that comes in via a TA, and I'm assuming it wouldn't interact. Searching in fast mode still shows both hosts in the metadata host field.  I did a search for "ansible" in the field extractions screen and found nothing.  Is there an easy way to tell if I'm doing unintended search-time extractions? This is what I see for props and transforms when I restrict it to the app: [splunk@UPSPLHF01 ~]$ /opt/splunk/bin/splunk btool props list --app=launcher --debug /opt/splunk/etc/apps/launcher/local/props.conf [source::ansible] /opt/splunk/etc/apps/launcher/local/props.conf TRANSFORMS-host_override = ansible_override [splunk@UPSPLHF01 ~]$ /opt/splunk/bin/splunk btool transforms list --app=launcher --debug /opt/splunk/etc/apps/launcher/local/transforms.conf [ansible_override] /opt/splunk/etc/apps/launcher/local/transforms.conf DEST_KEY = MetaData:Host /opt/splunk/etc/apps/launcher/local/transforms.conf FORMAT = host::$1 /opt/splunk/etc/apps/launcher/local/transforms.conf REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\" [splunk@UPSPLHF01 ~]$ If I do not restrict it to the launcher app, it returns too much for me to post. ... View more

I'd rather chown the old version and make it match the new one.  I think I tried that on one of my update tests, and it complained a lot before failing.  That's kinda why I'm thinking of uninstalling the old one and installing it fresh. ... View more

Thanks for the suggestion, but I don't see a magnifying glass on any of the panels on the overview screen like on normal dashboard panels.  I'm logged in as admin. ... View more

Is it possible to see the SPL queries that MC uses for those dashboards? ... View more

I'm looking for application availability and not server uptime. ... View more

Are you saying that the add-on is not worth using? ... View more

Thank you for that suggestion.  Now I'm even more confused.  The events are coming in as sourcetype=cef, and there are a lot more differences than I would have expected, including what's in system/default...  I've got some digging to do. ... View more

I see.  I was thinking it wasn't UF because every other instance of UF I've seen used /opt/splunkforwarder. ... View more

Thanks for your reply.  This is the search I'm running: index=cisco sourcetype=cisco:asa eventtype=cisco_vpn_start host!=shr-vpn-cell-fw01 | lookup vpnlist.csv NetworkAddress AS src_ip OUTPUTNEW isvpn | stats count by src_ip, isvpn, Username I'm definitely not using inputlookup, but I seem to be running into a limit on the number of rows.  Now I've converted the lookup to a KV lookup as @gcusello suggested, but I'm having trouble getting that working. ... View more

Thank you for the links.  I converted my lookup to a KV lookup, and it keeps telling me that my lookup table is invalid.  I thought I could just keep the same .csv file, I'll have to figure out how to fix that. ... View more

Thank you.  I'll need to figure out how to do that. ... View more