You can make volunteers' life easier by listing sample lookup content in table format, and construct mock/sample SQL values according to illustrated lookup table or vice versa. Anyway, there are often different ways to solve the same problem depending on actual data characteristics and nuances in requirements.  If I understand you correctly, you want to catalogue events into some lk_wlc_app_name based on fragments of SQL that may match lk_wlc_app_short.  You mentioned that SQL has no structure (regarding the key strings you are trying to match); your illustrated data suggest that your intended matches do not fall in "natural" word boundaries.  This makes any strategy at risk of being too aggressive as to give false positives. Because of the constraints, one very aggressive strategy is to use wildcard matches.  You need to set "Match type" of lk_wlc_app_short to WILDCARD in "Advanced Options", and your table should contain wildcards before and after the short string, like lk_wlc_app_short lk_wlc_app_name *ART* Attendance Roster Tool *Building_Mailer* Building Mailer *SCBT*  Service Center Billing Tool Once this is set up, all you need is lookup, like   | lookup lookup_weblogic_app lk_wlc_app_short as SQL   Again, this is perhaps not an optimal solution because look-backward match is expensive. ... View more

From your description, it seems like the upgrade of RH from 7 to 9 has disrupted Splunk's assumptions about the full DNS name.  You could try being more specific in the configuration files until Splunk starts sending emails properly. E.g. you could set the from= field in alert_action.conf to be a full email address so that Splunk does not have to figure out the hostname to tack on with the ampersand. NOTE:  alert_actions.conf is plural (alert_actions, not alert_action)  #/opt/splunk/etc/system/local/alert_actions.conf [email] from = yoursplunkemail@yourdomain.com You could also try a direct sendemail command: | sendemail from="youremail@place.com" to="targetemail@place.com" subject="Test Email" If you have different emails per alert, you could edit the alert in the Advanced Settings to explicitly set the from= field to a full email address. ... View more

Hi @alfredoh14, By default, the From: address is splunk. Are you using default Splunk email settings and a local instance of postfix? Because no domain is specified, postfix likely appends the host name to the user name, i.e. splunk@prod, before forwarding the message to either an upstream relay or the recipient's mail server. You can set the From: address in Splunk Web from Settings > Server settings > Email settings in the "Send emails as" setting. This will update $SPLUNK_HOME/etc/system/local/alert_actions.conf. For example, using no-reply@mydomain.com:  [email] from = no-reply@mydomain.com ... View more

<your search> [<your maintenance log search> ``` Use mvrange to duplicate start events ``` | eval range=if(match(event,"start"),mvrange(0,2),null()) | mvexpand range ``` Change duplicated event to 4 hours later ``` | eval _time=if(range=1,_time+(60*60*4),_time) ``` Make duplicated event an end of maintenace event ``` | eval event=if(range=1,"end of maintenance",event) ``` Sort in descending time order (latest first) ``` | sort 0 -_time ``` Set latest to the time of end events ``` | eval latest=if(match(event,"end"),_time,null()) ``` Copy latest time to next event ``` | filldown latest ``` Just keep start events (now with time of next end event) ``` | where match(event,"start") ``` Assuming you want just the latest maintenance period ``` | head 1 | rename _time as earliest ``` Use earliest and latest to filter your main search ``` | fields earliest latest] ... View more

If you are willing to sacrifice performance, you can use transaction - by excluding "transactions". | transaction startswith="start of maintenance" endswith="end of maintenance" | search closed_txn=0   ... View more

@alfredoh14  In your examples, "*" is your search string. To expand it, add search terms to that string: splunk search "* sourcetype=e" -maxout 0 | find /c /v "" To dispense with find and have Splunk report the event count: splunk search "* sourcetype=e | stats count" If you know the index you're searching, you can use tstats for much faster results: splunk search "| tstats count where index=main sourcetype=e" ... View more