I have a Splunk dashboard in which I can see that there are multiple nodes down under multiple FQDNs.
I opened the search for the nodes which are down and it showed the query below -
host=smon* "nagios: HOST_PROBLEM:" "DOWN" | rex field=_raw "nagios: HOST_PROBLEM: (?.😞 (?.😞 DOWN: (?.*)" | dedup hostname host
The above query resulted in multiple nodes down but the result shows aggregated results for all the FQDNs.
I want to also see since when the nodes are down.
Is there any way we can check it?
[Screenshot: /storage/temp/252199-2.jpg, showing the actual total number of nodes down.]
[Screenshot: /storage/temp/252198-1.jpg, showing the nodes which are under for the particular FQDN.]
Your rex is doing nothing so fix it or drop it. Maybe this?
host=smon* "nagios: HOST_PROBLEM:" "DOWN"
| dedup hostname host
| table _time hostname host
host=smon* "nagios: HOST_PROBLEM:" "DOWN" | rex field=_raw "nagios: HOST_PROBLEM: (?.): (?.): DOWN: (?.*)" |stats latest (_time) as last_seen by host,hostname
When I tried the above query, it gives the error -
"Error in 'rex' command: Encountered the following error while compiling the regex 'nagios: HOST_PROBLEM: (?.): (?.): DOWN: (?.*)': Regex: unrecognized character after (? or (?-"
"The search job has failed due to an error. You may be able view the job in the Job Inspector."
Your rex seems to be wrong. What do you need to extract? If you only need host and hostname, you might not need that. If you need to extract something, post a sample event.
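As an added illustration, not from the thread or any of its posters, the Python below shows what a working version of that rex looks like and how "down since" falls out of the earliest timestamp per node. It parses a few constructed Nagios HOST_PROBLEM lines. The field layout after `HOST_PROBLEM:` (hostname, FQDN, state, message), the capture-group names, and the sample events are all assumptions chosen to match the thread's `dedup hostname host`; Splunk's rex uses PCRE named groups `(?<name>...)`, whereas Python's `re` uses `(?P<name>...)`, and the reported compile error is what you get when the `<name>` part is missing.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not real data). Assumed shape:
#   "<ISO timestamp> <indexer host> nagios: HOST_PROBLEM: <hostname>: <fqdn>: <STATE>: <message>"
SAMPLE_EVENTS = [
    "2023-05-01T10:00:00Z smon01 nagios: HOST_PROBLEM: node-a: node-a.example.test: DOWN: CRITICAL - Host Unreachable",
    "2023-05-01T10:05:00Z smon01 nagios: HOST_PROBLEM: node-a: node-a.example.test: DOWN: CRITICAL - Host Unreachable",
    "2023-05-01T10:02:00Z smon02 nagios: HOST_PROBLEM: node-b: node-b.example.test: DOWN: CRITICAL - Host Unreachable",
    "2023-05-01T10:03:00Z smon02 nagios: HOST_PROBLEM: node-c: node-c.example.test: UP: OK - 1 ms",
]

# Hypothetical capture-group names. Using [^:]+ instead of .* keeps each group
# from swallowing the following ": " separators.
NAGIOS_PATTERN = re.compile(
    r"nagios: HOST_PROBLEM: (?P<hostname>[^:]+): (?P<host>[^:]+): (?P<state>[A-Z]+): (?P<msg>.*)"
)

# The same pattern in the PCRE syntax that Splunk's rex command expects.
SPLUNK_REX = NAGIOS_PATTERN.pattern.replace("(?P<", "(?<")


def parse_event(line):
    """Return (timestamp, fields) for a HOST_PROBLEM line, or None if it does not match."""
    ts_str, _, rest = line.partition(" ")
    match = NAGIOS_PATTERN.search(rest)
    if not match:
        return None
    try:
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return ts, match.groupdict()


def down_since(lines):
    """Summarise DOWN events per (hostname, host): first seen, last seen, count, last message.

    This is the Python equivalent of
      ... | stats earliest(_time) as down_since latest(_time) as last_seen count by hostname host
    """
    summary = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, fields = parsed
        if fields["state"] != "DOWN":  # stricter than a free-text "DOWN" search term
            continue
        key = (fields["hostname"], fields["host"])
        entry = summary.setdefault(
            key, {"down_since": ts, "last_seen": ts, "count": 0, "msg": fields["msg"]}
        )
        if ts >= entry["last_seen"]:  # events may arrive out of order
            entry["last_seen"] = ts
            entry["msg"] = fields["msg"]
        if ts < entry["down_since"]:
            entry["down_since"] = ts
        entry["count"] += 1
    return summary


def format_report(summary):
    """One line per down node, oldest outage first."""
    rows = sorted(summary.items(), key=lambda kv: kv[1]["down_since"])
    return [
        f"{hostname} ({host}) down since {e['down_since'].isoformat()} "
        f"(last seen {e['last_seen'].isoformat()}, {e['count']} events): {e['msg']}"
        for (hostname, host), e in rows
    ]


if __name__ == "__main__":
    print("Splunk rex:", SPLUNK_REX)
    for row in format_report(down_since(SAMPLE_EVENTS)):
        print(row)
```

The key difference from the thread's second query is `earliest(_time)` rather than `latest(_time)`: the latest DOWN event tells you the node was still down at that moment, while the earliest one in the search window is the "since when" the question asks for.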