@gcusello , I have shared the sample events as well for all the 3 queries and for each Step field i want to get the Success and Failure information so kindly help to achieve the same.   The query you have provided pulls the total count of success and failure but i need a split of each "Step" field and their corresponding "Success" and "Failure" information. So kindly help to check and update on the same.

@ITWhisperer @PickleRick , Thank you for your response. Here are my updates as requested. ================================================================== Query1: index="abc" ("Restart transaction item" NOT "Pending : transaction item:") | rex field=_raw "Restart transaction item: (?<Step>.*?) \(WorkId:"| table Step |stats Count by Step Sample Events: 2024-04-21 03:00:02.6106|INFO|Transaction.Overflow.card.Command.Control|Restart transaction item: Validation (WorkId: 1234567) for RUNTIME: 987654| 2024-04-21 02:00:03.5437|INFO|Transaction.Overflow.card.Command.Control|Restart transaction item: Creation (WorkId: 1234567) for RUNTIME: 987654| 2024-04-18 09:00:10.9426|INFO|Transaction.Overflow.card.Command.Control|Restart transaction item: Compliance Portal Report (WorkId: 1234567) for RUNTIME: 987654| Output in Table Format: Step                                                    Count Validation                                              1 Creation                                                1 Compliance Portal Report            1 Query 2: index="abc" ("Error restart workflow item:") | rex field=_raw "Error restart workflow item: (?<Success>.*?) \(WorkId:"| table Success |stats Count by Success For the 1st and 2nd event it contains 30+ Lines of sample event hence I have took a small portion of it. While the 3rd and 4th event contains 10+ Lines and i have extracted a small amount of data. Sample Events: 2024-04-14 02:00:07.8759|ERROR|Transaction.Overflow.card.Command.Control|Error restart workflow item: Validation (WorkId: 1234567) for RUNTIME: 987654|System.Info.Entra.Solution.UpdateExecution: An error occurred while updating the entries. See the inner exception for details. ---> System.Data.Entity.Core.UpdateException: An error occurred while updating the entries. See the inner exception for details. ---> System.Data.SqlClient.SqlException: Transaction (Process ID 12) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction. 2024-03-26 15:00:05.9123|ERROR|Transaction.Overflow.card.Command.Control|Error restart workflow item: Validation (WorkId: 1234567) for RUNTIME: 987654|System.Data.Entity.Infrastructure.DbUpdateException: An error occurred while updating the entries. See the inner exception for details. ---> System.Data.Entity.Core.UpdateException: An error occurred while updating the entries. See the inner exception for details. ---> System.Data.SqlClient.SqlException: Transaction (Process ID 12) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction. 2024-03-27 03:00:15.3116|ERROR|Transaction.Overflow.card.Command.Control|Error restart workflow item: Creation (WorkId: 1234567) for RUNTIME: 987654|System.NullReferenceException: Object reference not set to an instance of an object. 2024-03-27 01:00:16.3231|ERROR|Transaction.Overflow.card.Command.Control|Error restart workflow item: Compliance Portal Report (WorkId: 1234567) for RUNTIME: 987654|System.NullReferenceException: Object reference not set to an instance of an object. Output in Table Format: Success                                         Count Validation                                           2 Creation                                             1 Compliance Portal Report         1   Query 3: index="abc" "Restart Pending event from command," | rex field=_raw "Restart Pending event from command, (?<Failure>.*?) \Workid"| table Failure |stats Count by Failure =============================================================================================================================================================================================== Sample Events: 2024-04-21 03:01:14.7929|INFO|Transaction.Overflow.card.Command.ValidationCommand|Pending: Restart Pending event from command, Validation Workid (WorkId: 1234567) for RUNTIME: 987654.| 2024-04-18 09:00:11.8332|INFO|Transaction.Overflow.card.Command.CreationCommand|Pending: Restart Pending event from command, Creation Workid (WorkId: 1234567) for RUNTIME: 987654.| 2024-04-17 06:51:16.7544|INFO|Transaction.Overflow.card.Command.CompliancePortalReportCommand|Pending: Restart Pending event from command, Compliance Portal Report Workid (WorkId: 1234567) for RUNTIME: 987654.| 2024-04-16 13:00:34.6238|INFO|Transaction.Overflow.card.Command.PageCountsCommand|Pending: Restart Pending event from command, Page Counts Workid (WorkId: 1234567) for RUNTIME: 987654.| Output in Table Format: Failure                                               Count Validation                                             1 Creation                                                1 Compliance Portal Report            1 Page Counts                                       1  So I need to combine all the 3 queries, i.e. Example For Step "Validation" i need to get how many Step are present for last 24 hours and in which how many success and how many failure.   Hence kindly help to check and update on the same please.

From what your saying, something seems then to be overiding it, if its still taking the old setting, which could be another app. Can you show me the output of this command on the UF NOT deployment server? (Obviously remove your hostname and ip for security reasons) /opt/splunkforwarder/bin/splunk btool deploymentclient list --debug Can you also check the log on the UF  (It may help further as to why - should show connection failures at this stage) cat /opt/splunkforwarder/var/log/splunk/splunkd.log | grep DC:DeploymentClient Can you confirm the UF can communicate to port 8089 which is the Deployment Server (telnet to it if you can ) temporarly disable the firewall if you can.  Check the Deployment Server ports run the below on the Deployment Server netstat -tuplna

For application Name its working .for interface name how to map the application name  Application Name   : Test 1,Test 2 In Test 1 application name have 3 interface name  aa,bb,cc In Test 2 application name have 5 interface name  ww,dd,ff,gg,hh. Already i am getting value from inputlookup .How can i map application name to interface name

Thanks for you response. Your solution is working fine and create below query for search.  index = **** host=***| spath | eval message="{\"message\":".message."}" | spath input=message message{} output=collection | mvexpand collection | spath input=collection | stats sum(TOTAL) as Total, sum(PROCESSED) as Processed sum(SKIPPED) as Skipped by TARGETSYSTEM I am using above query. Below chart is created using above query. Now I want to display inventory with date in chart.  I want display like below    

@NickNguyen Refer the below document.  Resource Usage: CPU Usage - Splunk Documentation  Solved: Example of how to measure server CPU usage? - Splunk Community *** If the above solution helps, an upvote is appreciated. ***

Hello @NickNguyen , On the Enterprise instance itself, you can find the Monitoring Console that ships OOTB with the Splunk Enterprise package. You can navigate to Settings > Monitoring Console > Resource Usage > CPU Usage: Instance dashboard and that'll help you identify the CPU usage of the instance. From the panel also, you can open the search by clicking the magnifying lens icon when you hover through the panel and set an alert as per the required threshold.    Thanks, Tejas. --- If the above solution helps, an upvote is appreciated.

Hey @ShamGowda , What is the concern here? Have you got the data already in the respective index? Also, have you explored Splunkbase already? There are quite lots of apps that helps visualizing the memory and CPU usage.   Thanks, Tejas.

As you are probably aware, the list of overlay fields is a comma-separated list of field name, so that's what you need in your token. You could try something like this | stats values(machine) as avg_processing_time_per_block | eval avg_processing_time_per_block=mvjoin(avg_processing_time_per_block,",") You would then set your token on the done block of the search, using this field from the (first) results row and use it in your display panel settings <option name="charting.chart.overlayFields">$avg_processing_time_per_block$ </option>  

OK. Back up a little. What does your environment look like? Because I think we have some discrepancy in thinking about your server. I think @gcusello thinks you have a search head cluster but want to delete an app from a single instance (presumably initially installed on thie instance only) whereas I assumed we're dealing with a completely stand-alone search head server. One of us has to be wrong here So do you have a search head cluster or are we talking about a stand-alone search head? If this is a stand-alone search-head is it managed by Deployment Server?

Hi @ITWhisperer  Thanks for reply , I understand , But correct me if i'm wrong 1.If i have a seperate hidden panel that gives my token value (avg_processing_time_per_block ) 2.Then how can i assign the token $avg_processing_time_per_block$ value to overlay Fields like these? <option name="charting.chart.overlayFields">$avg_processing_time_per_block$ </option> or  <option name="charting.chart.overlayFields">avg_processing_time_per_block </option> if i gives these a token then line chart have a single line named avg_processing_time_per_block but the requirement is the avg_processing_time_per_block has dynamic value  My need is to how to assign the avg_processing_time_per_block value as token in  charting.chart.overlayFields thanks,