Very helpful  it is set to stream XML so I guess that is the issue and I need to either find a way to deal with it or modify the setting which as you mentioned looks easier said than done.    ... View more

I think an example of your table is required at this point. ... View more

Ah @bowesmana , I may have misunderstood the ask here, as you say. I used streamstats by test_name after sorting by (an assumed sequential) test_id. Although I'm not sure why there being the same test_id for multiple test_name would affect the output here, as I'm not using the test_id in the streamstats? I may have missed something though (and not had coffee yet!) @dolj Please let us know how you are getting on, and if you clarify the requirement I'd be happy to help further and update the previously posted search if required 🙂 Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Further to my last message - this is a great blog post on getting started with UCC so well worth checking out https://www.splunk.com/en_us/blog/customers/managing-splunk-add-ons-with-ucc-framework.html Let us know how you get on and if you have any further questions 🙂 Will ... View more

Yes, it's recommended as a best practice to implement all Magic 8 configs because they establish consistency and reliability in data onboarding. While most TAs start with Magic 6, adding the EVENT_BREAKER configs gives you better control over event distribution and parsing. Think of Magic 6 as the minimum standard, and Magic 8 as the complete package for optimal data handling. The TAs can be updated with the additional configs when needed based on your specific deployment, but having all 8 from the start is generally ideal as it prevents potential data parsing issues down the line. If this Helps, Please Upvote. ... View more

You can't use the total calculated by addcoltotals as it's in a new row at the bottom of the table, however, as @richgalloway the typical way to calculate percentages is to use eventstats to add up all the counts, so that the total is added to _every_ row in your data set, which you can then calculate the percentages with. Then discard that calculated total field if you no longer need it ... View more

Here is the spec doc for the serverclass.conf file. https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Serverclassconf   I have not run into any limits on the number of items.  Especially when I use a csv file to specify 100s of servers for a specific class.  You should be good. ... View more

Escaping with regex may make it hard to read, but luckily there is a smart way around it. You can start and stop in regex with \Q  and \E on what you like to get literal. | makeresults | eval _raw= "C:\Program Files (x86)\Google" | regex "\QC:\Program Files (x86)\Google\E"  This makes regex much more readable. https://www.regular-expressions.info/characters.html ... View more

Hi @dolj, if you want to find the time borders of a search you can use "addinfo" (https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Addinfo). If instead you want to display the first and the last event, you can use stats and the options "first" and "last", something like this: your_search | stats first(_raw) AS first last(_raw) AS last Ciao. Giuseppe ... View more

not sure why but it wasn't working and it now is. I found this log related to the web UI 05-24-2020 23:12:06.172 -0400 ERROR UiHttpListener - An applicaiton server has exited unexpectedly, web UI cannot be used until it is restarted ... View more

I Installed 6.5.10 and configured all windows event logs locally and see events coming in but nothing in the borwser index and nothing in the dashboar even after a restart. ... View more