Pretty simple....    serverClass:All:app:all_outputs] restartSplunkWeb = 0 restartSplunkd = 1 stateOnClient = enabled [serverClass:All] whitelist.0 = * [serverClass:Windows:app:Splunk_TA_windows] restartSplunkWeb = 0 restartSplunkd = 1 stateOnClient = enabled [serverClass:Linux:app:Splunk_TA_nix] restartSplunkWeb = 0 restartSplunkd = 1 stateOnClient = enabled [serverClass:All:app:all_deploymentclient] restartSplunkWeb = 0 restartSplunkd = 1 stateOnClient = enabled [serverClass:Linux] machineTypesFilter = linux-x86_64 whitelist.0 = * [serverClass:Windows] machineTypesFilter = windows-x64 whitelist.0 = *  

Splunk treats "true", "True", "TRUE", and "1" as equivalent to a Boolean True value so all of what you see in the docs is correct.  But the point is well made.  We, however, can do nothing about it.  As @meetmshah suggests, https://ideas.splunk.com is the place to bring this up.

Yes, filtering by OS.  Rebuilt the DS from scratch, set filters (using the OS filter).  All Linux servers receive the Linux TA.  All Windows Servers receive the Linux TA, and confirmed the OS filter, again   

Hi in splunk you can get it like  | makeresults | eval _raw = "Ex:- <abc>WoW</abc> <xyz>SURE</xyz>" ``` above prepare test event ``` | rex "(?ms)<abc>(?<abc>[^<]+)<\\/abc>.*<xyz>(?<xyz>[^<]+)<\\/xyz>" A nice place to test those is regex101.com. Here is link to your case https://regex101.com/r/iBvAPm/1 When you are converting those for Splunk, usually there is need to add some additional escape character as splunk preprocessing that reg ex and remove some \ characters  r. Ismo

Hello @tlmayes, How are you whitelisting the hosts? Do you just want to use this nice feature of filtering everything by the OS type? Screenshot below -      With the above way, you can create 2 separate server classes for Windows and Linux and whitelist all the hosts. Please accept the solution and hit Karma, if this helps!

Oh we will need to add max_match=0 in rex. Example below -  | rex field=_raw "CmdSet=\[(?<CmdSet>[^\]]+)\]" | rex field=CmdSet max_match=0 "CmdArgAV=(?<CmdArgAV>[^\s]+)" Can you please have a check and me know how it goes?

Hello @doeboy where are you firing the command (on which instance)? The command you mentioned "./splunk show cluster-bundle-status" is meant for Cluster Manager and not for Peers. Here is the Splunk Doc for your reference - https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Updatepeerconfigurations#Use_the_CLI_to_view_the_status_of_the_bundle_push  It feels like you are trying to run the command on Indexer Peers. Can you please run on Cluster Manager and see if you are able to view the status as expected?   Please accept the solution and hit Karma, if this helps!

Hello @sushraw, Can you please try below -  | rex field=_raw "CmdSet=\[(?<CmdSet>[^\]]+)\]" | rex field=CmdSet "CmdArgAV=(?<CmdArgAV>[^\s]+)"   Please accept the solution and hit Karma, if this helps! 

Hi @satyaallaparthi, whats the result you're waiting for? do you want to filter the first lookup using the second? in this case try this: | inputlookup unix.csv | eval sys_name = lower(FQDN) | search [ | inputlookup inventory.csv | eval sys_name = lower("*".sys_name."*") | fields sys_name ] | table Status sys_name host-ip "DNS Name" If instead you want to take values between both the lookups, yu can use the lookup command (https://docs.splunk.com/Documentation/SCS/current/SearchReference/LookupCommandOverview) in this way: | inputlookup unix.csv | eval sys_name = lower(FQDN) | lookup inventory.csv sys_name | table Status sys_name host-ip "DNS Name" My only doubt is that in the two lookups the sys_name has different format. In this case, my hint is to elaborate the lookup to have another lookup with the correct sys_name. Ciao. Giuseppe

Hello @meetmshah  i would like to thank you for your reply. but i am looking to extract 'CmdSet' field. i am using 'rex field=CmdSet "CmdAV=(?<Command>[^\s]+)|\sCmdArgAV=(?<Command1>[^\s]+)" ' but it is giving output till 1st CmdArgAV value