We were facing the same issue and I stumbled over this thread in search of possible causes. As I did not find one but eventually found the cause for the different locations of IPs depending on where iplocation is used in the search, I wanted to share it. The given and accepted answer above is misleading / incomplete (it does not explain the different results depending on where in the search iplocation is used).

We experienced the behaviour when using iplocation in conjunction with eventstats. When iplocation was used before eventstats, the location was correct; when used after eventstats, it was wrong.

Cause: Eventstats (as well as stats) is a data processing / non-streaming command (-> it runs on the search head). Iplocation is a distributable streaming command (-> it can run on the indexer). So using iplocation BEFORE eventstats (and right after the base search) makes it run on the indexers. When using iplocation AFTER eventstats, it runs on the search head. The reason for yielding different location results was due to different iplocation database versions (GeoLite2..) on search head and indexers.

So make sure your geo location db is up-to-date and identical on all your Splunk components; then iplocation yields the same results regardless of where it is used in the search. Where you place it depends on your search. Usually it is advisable to enrich AFTER transforming/aggregation commands like stats or eventstats. But as iplocation is a distributable streaming command, it might perform better when it can run on the indexers instead of the search head.
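One way to check the condition described in the post above, as an added example that is not part of the original post or of Splunk's own tooling: read the build date from the metadata of each component's GeoLite2 `.mmdb` file and group hosts by it. It assumes the files were already copied from each search head and indexer; the function names, host names and the `_sample` stand-in data are constructed for illustration, and the decoder covers only the map, array, string and unsigned-integer field types.

```python
import hashlib
from datetime import datetime, timezone

MARKER = b"\xab\xcd\xefMaxMind.com"  # precedes the metadata map in a .mmdb file

def _decode(buf, pos):
    """Decode one MaxMind DB data field at buf[pos]; return (value, next_pos)."""
    ctrl, pos = buf[pos], pos + 1
    ftype, size = ctrl >> 5, ctrl & 0x1F
    if ftype == 0:                        # extended type: 7 + following byte
        ftype, pos = 7 + buf[pos], pos + 1
    if size >= 29:                        # size continues in 1, 2 or 3 extra bytes
        n = size - 28
        size = (29, 285, 65821)[n - 1] + int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if ftype in (7, 11):                  # map (interleaved keys/values) or array
        items = []
        for _ in range(size * 2 if ftype == 7 else size):
            val, pos = _decode(buf, pos)
            items.append(val)
        return (dict(zip(items[::2], items[1::2])) if ftype == 7 else items), pos
    raw, pos = buf[pos:pos + size], pos + size
    if ftype == 2:                        # UTF-8 string
        return raw.decode("utf-8"), pos
    if ftype in (5, 6, 9, 10):            # unsigned integers, big-endian
        return int.from_bytes(raw, "big"), pos
    raise ValueError(f"field type {ftype} is not handled in this example")

def db_fingerprint(data):
    """(database_type, UTC build date, sha256 prefix) of one .mmdb file's bytes."""
    idx = data.rfind(MARKER)              # metadata follows the last marker
    if idx < 0:
        raise ValueError("metadata marker not found: not a MaxMind DB file")
    meta, _ = _decode(data, idx + len(MARKER))
    built = datetime.fromtimestamp(meta["build_epoch"], timezone.utc).date()
    return meta["database_type"], built.isoformat(), hashlib.sha256(data).hexdigest()[:12]

def find_mismatches(copies):
    """copies: {host: mmdb bytes}. Returns {fingerprint: [hosts]} if hosts disagree."""
    groups = {}
    for host, data in copies.items():
        groups.setdefault(db_fingerprint(data), []).append(host)
    return groups if len(groups) > 1 else {}

def _sample(epoch):  # constructed stand-in: metadata only, no search tree
    s = lambda t: bytes([0x40 | len(t)]) + t.encode()
    return (MARKER + b"\xe2" + s("build_epoch") + b"\x04\x02"
            + epoch.to_bytes(4, "big") + s("database_type") + s("GeoLite2-City"))
```

An empty result from `find_mismatches` means every host carries the same database build; any other result lists which hosts share which build.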