App is running on the search head. How do configure that app to look for the logs on the windows forwarders?

how do we omit one of the search results this is the extraction we are using but it shows one of the unwanted results
PROCESSSTATUS - (?P\D+)

we just want Pro APPROVED but it is also giving us PREP APPROVED 11/15/25 3:00:00 PM ........

This app is working for linux based forwarders but I condifugred inputs for windows logs and those windows logs are not coming up in splunk

we can see the linux path in the drop down not the windows paths to the logs

Where are you running the app? Should be on the search head, not forwarders.

@Fatimabegum12 is Splunk's built in field extractor tool not working for you? I can walk you through using that field extractor.

Hi chris,
can you please help here

I have not actually used the app, so I can't offer any insight. Hopefully the information you have now provided will enable other community members to answer. There is a built-in interactive field extraction feature in Splunk Enterprise 6, see Extract fields interactively with IFX and Use the Field Extractions page in Splunk Web in the Knowledge Manager Manual for information about that.

Please provide additional details so the community can help you. What version of Splunk Enterprise are you using, what is the app you refer to, what steps are you taking, can you provide any sample searches and results...?