https://community.splunk.com/t5/Splunk-Search/Get-instance-name-from-source/m-p/541817#M153430 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;That worked great. I ended up with&nbsp;</P><P>index=* "Initiating EnterpriseOne startup"<BR />| rex "targets\\\(?&lt;machine&gt;[^\\\]+)" | table machine _time<BR />| dedup machine<BR />| sort machine</P><P>&nbsp;</P><P>As&nbsp; newbie, I appreciate your input.</P><P>I'm sure there is documentation out there somewhere. Now if I can just find it. ;^o</P><P>&nbsp;</P><P>Bruce</P> Mon, 01 Mar 2021 16:54:19 GMT bcalder 2021-03-01T16:54:19Z https://community.splunk.com/t5/Splunk-Search/Get-instance-name-from-source/m-p/541784#M153411 <P>Hi all,</P><P>I am completely new to Splunk so I apologize if this has been asked/answered. I did review the past discussions but could not find a solution to my question.</P><P>I have incoming logs that look similar to this</P><DIV class="jas MANDATORY"><EM><SPAN class="date">28 Feb 2021 13:53:23,815</SPAN><SPAN class="level">[MANDATORY]</SPAN><SPAN class="comp">[JAS]</SPAN><SPAN class="msg"><STRONG>Initiating EnterpriseOne startup</STRONG> using configuration location (default_path) as 'C:\jde_home\SCFHA\targets\<STRONG>HTML_PD1_82</STRONG>\config'. </SPAN></EM></DIV><DIV class="jas MANDATORY">&nbsp;</DIV><DIV class="jas MANDATORY"><SPAN class="msg">I would like to be able to search for the string "Initiating EnterpriseOne startup " and create a dashboard table showing the date, time and the substring&nbsp;HTML_PD1_82. The idea being, I would like to keep track of when each machine was restarted.</SPAN></DIV><DIV class="jas MANDATORY">&nbsp;</DIV><DIV class="jas MANDATORY"><SPAN class="msg">Can anyone help with the Search pattern? Thanks in advance.&nbsp;</SPAN></DIV><DIV class="jas MANDATORY"><SPAN class="msg">Bruce</SPAN></DIV> Mon, 01 Mar 2021 14:50:19 GMT https://community.splunk.com/t5/Splunk-Search/Get-instance-name-from-source/m-p/541784#M153411 bcalder 2021-03-01T14:50:19Z https://community.splunk.com/t5/Splunk-Search/Get-instance-name-from-source/m-p/541806#M153424 <P>Perhaps this will get you started.</P><LI-CODE lang="markup">index=foo "Initiating EnterpriseOne startup" | rex "targets\\\(?&lt;machine&gt;[^\\\]+)" | table _time machine</LI-CODE> Mon, 01 Mar 2021 15:54:33 GMT https://community.splunk.com/t5/Splunk-Search/Get-instance-name-from-source/m-p/541806#M153424 richgalloway 2021-03-01T15:54:33Z https://community.splunk.com/t5/Splunk-Search/Get-instance-name-from-source/m-p/541817#M153430 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;That worked great. I ended up with&nbsp;</P><P>index=* "Initiating EnterpriseOne startup"<BR />| rex "targets\\\(?&lt;machine&gt;[^\\\]+)" | table machine _time<BR />| dedup machine<BR />| sort machine</P><P>&nbsp;</P><P>As&nbsp; newbie, I appreciate your input.</P><P>I'm sure there is documentation out there somewhere. Now if I can just find it. ;^o</P><P>&nbsp;</P><P>Bruce</P> Mon, 01 Mar 2021 16:54:19 GMT https://community.splunk.com/t5/Splunk-Search/Get-instance-name-from-source/m-p/541817#M153430 bcalder 2021-03-01T16:54:19Z https://community.splunk.com/t5/Splunk-Search/Get-instance-name-from-source/m-p/541836#M153439 <P>For documentation, see&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.2/Search/GetstartedwithSearch" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.2/Search/GetstartedwithSearch </A>and&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/WhatsInThisManual" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/WhatsInThisManual</A></P> Mon, 01 Mar 2021 18:23:45 GMT https://community.splunk.com/t5/Splunk-Search/Get-instance-name-from-source/m-p/541836#M153439 richgalloway 2021-03-01T18:23:45Z