Can you see the "original_host" field in the events in your Veeam index now? ... View more

The Veeam Backup & Replication Events (VeeamVbrEvents) Data Model requires the "original_host" field to be in events. Looking at your screenshots, it looks like that field is missing from your events - I've come across this issue too. The Veeam app includes a "veeam_vbr_syslog : EXTRACT-original_host" field extraction that wasn't working for me - it used this regex: \d+-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[\+\-]\d{2}:\d{2}\s(?<original_host>\S+) This is expecting the "original_host" to be listed in the raw event after the timestamp and a space. Are you sending syslog direct to Splunk as per the Veeam App documentation, or are you sending it via SC4S or another syslog server? In the scenario I came across this issue, Veeam was sending syslog to SC4S which was stripping the timestamp out of the raw event, therefore breaking the original_host extraction. SC4S was actually setting the "host" value for each event correctly, so I was able to add a Field Alias instead - set to apply to the veeam_vbr_syslog sourcetype and set host = original_host like this:   ... View more

The additionalTooltipFields property and functionality will be available in Splunk Cloud v9.0.2208 and Splunk Enterprise 9.0.1+ upcoming releases. This did appear previously in the docs at https://docs.splunk.com/Documentation/SplunkCloud/latest/DashStudio/chartsMap and https://docs.splunk.com/Documentation/SplunkCloud/latest/DashStudio/objOptRef plus the Splunk Enterprise equivalents but has been removed for now and will be re-added once these versions are released. ... View more