I have a Splunk dashboard in which I can see that there are multiple nodes down under multiple FQDNs.
I opened the search for the nodes which are down and it showed the query below:
host=smon* "nagios: HOST_PROBLEM:" "DOWN" | rex field=_raw "nagios: HOST_PROBLEM: (?<hostname>.*): (?<host>.*): DOWN: (.*)" | dedup hostname host
The above query returns multiple nodes that are down, but the result shows aggregated results for all the FQDNs.
I also want to see since when the nodes have been down.
Is there any way we can check that?
[Image 1: /storage/temp/252199-2.jpg, showing the actual total number of nodes down.]
[Image 2: /storage/temp/252198-1.jpg, showing the nodes which are down under the particular FQDN.]
When I tried the above query, it gave the error:
"Error in 'rex' command: Encountered the following error while compiling the regex 'nagios: HOST_PROBLEM: (?.): (?.): DOWN: (?.*)': Regex: unrecognized character after (? or (?-"
"The search job has failed due to an error. You may be able view the job in the Job Inspector."
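The rex error quoted above is what Splunk reports when the capture-group names have been lost from the pattern: `(?.*)` is not valid PCRE, whereas `(?<hostname>.*)` is. Once the names are restored, the "since when" question is answered by replacing `dedup` (which keeps only the latest event per host) with `stats earliest(_time)`, so the first DOWN notification in the search window becomes the outage start. The search below is an added example, not part of the original post: it assumes the third capture group is named `message` (the post does not show its name), tightens the first two groups to `[^:]+` so a colon inside the message text cannot shift the host boundaries, and names the derived fields `down_since`, `last_alert`, `down_for` and `alert_count`.

```spl
host=smon* "nagios: HOST_PROBLEM:" "DOWN"
| rex field=_raw "nagios: HOST_PROBLEM: (?<hostname>[^:]+): (?<host>[^:]+): DOWN: (?<message>.*)"
| stats earliest(_time) AS down_since
        latest(_time)   AS last_alert
        latest(message) AS message
        count           AS alert_count
  BY host hostname
| eval down_for=tostring(now() - down_since, "duration")
| eval down_since=strftime(down_since, "%Y-%m-%d %H:%M:%S"),
       last_alert=strftime(last_alert, "%Y-%m-%d %H:%M:%S")
| sort 0 down_since
| table host hostname down_since last_alert down_for alert_count message
```

Two caveats a practitioner should keep in mind. First, `earliest(_time)` is bounded by the search time range: a node that went down before the window started shows the window start, not the real outage start, so run the search over a range longer than the longest outage you expect (or pin `earliest=` in the search). Second, the query only sees HOST_PROBLEM lines; a node that recovered and went down again inside the window will show its first outage, because nothing in the post identifies the corresponding recovery event that would let the search reset `down_since`. Note also that the extracted `host` field overwrites Splunk's own `host` (the `smon*` monitoring server) for each event, exactly as in the original query; rename the capture group if you still need the source host later in the pipeline.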