https://community.splunk.com/t5/Dashboards-Visualizations/How-to-check-since-when-the-nodes-are-down-under-one-particular/m-p/437654#M41225 <P>Your <CODE>rex</CODE> is doing nothing so fix it or drop it. Maybe this?</P> <PRE><CODE>host=smon* "nagios: HOST_PROBLEM:" "DOWN" | dedup hostname host | table _time hostname host </CODE></PRE> Sun, 15 Jul 2018 17:50:01 GMT woodcock 2018-07-15T17:50:01Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-check-since-when-the-nodes-are-down-under-one-particular/m-p/437652#M41223 <P>Hello, </P> <P>I have a Splunk dashboard, wherein I can see there are multiple nodes down under multiple FQDN, </P> <P>I opened the search for the nodes which are down and it showed below query - </P> <P>host=smon* "nagios: HOST_PROBLEM:" "DOWN" | rex field=_raw "nagios: HOST_PROBLEM: (?.<EM><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> (?.</EM><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> DOWN: (?.*)" | dedup hostname host </P> <P>The above query resulted in multiple nodes down but the result shows aggregated results for all the FQDNs. </P> <P>I want to also see since when the nodes are down.</P> <P>Is there any way we can check it?</P> <P>![alt text][1] ![alt text][2]</P> <P>[1]: /storage/temp/252199-2.jpg // showing the actual total number of nodes down.<BR /> [2]: /storage/temp/252198-1.jpg // showing the nodes which are under for the perticular FQDN</P> Tue, 29 Sep 2020 20:26:19 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-check-since-when-the-nodes-are-down-under-one-particular/m-p/437652#M41223 aj2551988 2020-09-29T20:26:19Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-check-since-when-the-nodes-are-down-under-one-particular/m-p/437653#M41224 <P>Hi @aj2551988,</P> <P>Try</P> <PRE><CODE> host=smon* "nagios: HOST_PROBLEM:" "DOWN" | rex field=_raw "nagios: HOST_PROBLEM: (?.): (?.): DOWN: (?.*)" |stats latest (_time) as last_seen by host,hostname </CODE></PRE> Fri, 13 Jul 2018 13:31:02 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-check-since-when-the-nodes-are-down-under-one-particular/m-p/437653#M41224 renjith_nair 2018-07-13T13:31:02Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-check-since-when-the-nodes-are-down-under-one-particular/m-p/437654#M41225 <P>Your <CODE>rex</CODE> is doing nothing so fix it or drop it. Maybe this?</P> <PRE><CODE>host=smon* "nagios: HOST_PROBLEM:" "DOWN" | dedup hostname host | table _time hostname host </CODE></PRE> Sun, 15 Jul 2018 17:50:01 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-check-since-when-the-nodes-are-down-under-one-particular/m-p/437654#M41225 woodcock 2018-07-15T17:50:01Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-check-since-when-the-nodes-are-down-under-one-particular/m-p/437655#M41226 <P>Hello,</P> <P>When Tried the above query, it is giving the error - </P> <P>"Error in 'rex' command: Encountered the following error while compiling the regex 'nagios: HOST_PROBLEM: (?.): (?.): DOWN: (?.*)': Regex: unrecognized character after (? or (?-"</P> <P>And </P> <P>"The search job has failed due to an error. You may be able view the job in the Job Inspector."</P> Mon, 16 Jul 2018 12:20:43 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-check-since-when-the-nodes-are-down-under-one-particular/m-p/437655#M41226 aj2551988 2018-07-16T12:20:43Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-check-since-when-the-nodes-are-down-under-one-particular/m-p/437656#M41227 <P>Your rex seems to be wrong. What you need to extract ? If you only host and hostname , you might not need that. If you need to extract something, post a sample event</P> Mon, 16 Jul 2018 12:38:31 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-check-since-when-the-nodes-are-down-under-one-particular/m-p/437656#M41227 renjith_nair 2018-07-16T12:38:31Z