Thank you Richgalloway. Will try this and will check the outputed results, will keep you posted then. Appreciate much for you kind assistance. ... View more

Thanks Richgalloway for the updates, appreciate it.  However, I’m not quite sure what is the dest_ip in the sample logs I gathered so far. Can you check and confirm if the dest_ip in the sample internal logs is same as the lastIndexer field as I do not see dest_ip field in my sample SPL query below: Search:  index=_internal source=*metrics.log* group=tcpin_connections os=* uf destPort=9997 Sample Result (IP value masked): 01-27-2022 15:23:05.555 +0000 INFO  Metrics - group=tcpin_connections, ingest_pipe=1, zz.zz.zz.zz:54598:9997, connectionType=cookedSSL, sourcePort=54598, sourceHost=zz.zz.zz.zz, sourceIp=zz.zz.zz.zz, destPort=9997, kb=11.879, _tcp_Bps=391.929, _tcp_KBps=0.383, _tcp_avg_thruput=0.829, _tcp_Kprocessed=30.397, _tcp_eps=0.580, _process_time_ms=0, evt_misc_kBps=0.000, evt_raw_kBps=0.290, evt_fields_kBps=0.032, evt_fn_kBps=0.000, evt_fv_kBps=0.032, evt_fn_str_kBps=0.000, evt_fn_meta_dyn_kBps=0.000, evt_fn_meta_predef_kBps=0.000, evt_fn_meta_str_kBps=0.000, evt_fv_num_kBps=0.000, evt_fv_str_kBps=0.032, evt_fv_predef_kBps=0.000, evt_fv_offlen_kBps=0.000, evt_fv_fp_kBps=0.000, build=06d57c595b80, version=7.2.3, os=Linux, arch=x86_64, hostname=abc.com, guid=B6BDE37F-7F82-465F-9393-88C586D69485, fwdType=uf, ssl=true, lastIndexer="xx.xx.xx.xx:9997,yy.yy.yy.yy:9997", ack=false ... View more

Hi, Much appreciated if someone from Splunk SME or from TA developer provide inputs on the previous query regarding verbose/trivia nullqueue in Splunk TA exsilogs add on for apps for vmware. Thank you! ... View more