How do we omit one of the search results? This is the extraction we are using, but it shows one of the unwanted results:
PROCESSSTATUS - (?P\D+)
We just want Pro APPROVED, but it is also giving us PREP APPROVED 11/15/25 3:00:00 PM ........
Splunk version 6.0.7
Field Extractor App (UFX)
In the pick a source field we are not able to see the new log paths we configured on our Windows forwarder.
The monitor stanza is configured on the forwarder only, not on the indexer.
I have not actually used the app, so I can't offer any insight. Hopefully the information you have now provided will enable other community members to answer. There is a built-in interactive field extraction feature in Splunk Enterprise 6; see "Extract fields interactively with IFX" and "Use the Field Extractions page in Splunk Web" in the Knowledge Manager Manual for information about that.
Please provide additional details so the community can help you. What version of Splunk Enterprise are you using, what is the app you refer to, what steps are you taking, can you provide any sample searches and results...?