@richgalloway  thanks for replay the | rex is working as it should the problem start when I'm trying to save the Regex. and this is cause by the fact i need to save the regex from the "source" field and no from the "_raw" field. The main goal is to add another field in all searches without using the | rex command every time. 

You can parse this event with rex https://regex101.com/r/eUputR/1 However, this assumes you have an empty / not required field for the 4th bracket pair, and that you don't have further nesting of bracketed sub-strings in the Thread ID

Your final command will only give you one result event - depending on how you have set up the trigger for your alert, you could remove this and then trigger on the number of results being less than 2 i.e. let Splunk do the counting for you.

Hi @Tron-spectron47, here you can find all the Splunk courses: https://www.splunk.com/en_us/training/course-catalog.html  in details you should see these courses: Splunk Enterprise System Administration chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://www.splunk.com/en_us/pdfs/training/splunk-enterprise-system-administration-course-description.pdf Splunk Enterprise Data Administration chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://www.splunk.com/en_us/pdfs/training/splunk-enterprise-data-administration-course-description.pdf Data Models chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://www.splunk.com/en_us/pdfs/training/data-models-course-description.pdf You can find the page to register in the first url. Ciao. Giuseppe

Hi @Splunk-Star, you have to check at first your infrastructure: have you the minimal resources required by Splunk? if yes, you should analyze your  situation and eventually redesign your infrastructure for the new requirements: e.g. if you have many users or you're using many scheduled searches or you're using too real time searches, you have to use more resources (CPUs). then you have to analyze your configurations, e.g. some time ago I had this issue on Splunk Cloud, but the solution was to redistribute the schedule of the scheduled searches and the percentage of resources for scheduled searches. In both cases I hint to engare a Splunk Professional Service or a Splunk Architect: this issue requires a good experience in Splunk infrastructures. Ciao. Giuseppe

Hi @Splunk-Star , this message means that the h_vms lookup, that you're using in a search, isn't present. You should check if the name is correct: maybe you missed .csv extention or the name has some char in uppercase (lookup name is case sensitive). If instead this lookup isn't present in your search, in the add-ons you're using there's this automatic lookup, but the lookup isn't present. You could solve the issue adding a lookup with this name, but put again attention to the lookup name. Ciao. Giuseppe

@rickymckenzie10 I think that you should read at https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Indexesconf https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-data.pdf  frozenTimePeriodInSecs = <nonnegative integer> * The number of seconds after which indexed data rolls to frozen. * If you do not specify a 'coldToFrozenScript', data is deleted when rolled to frozen. * NOTE: Every event in a bucket must be older than 'frozenTimePeriodInSecs' seconds before the bucket rolls to frozen. * The highest legal value is 4294967295. * Default: 188697600 (6 years) maxTotalDataSizeMB = <nonnegative integer> * The maximum size of an index, in megabytes. * If an index grows larger than the maximum size, splunkd freezes the oldest data in the index. * This setting applies only to hot, warm, and cold buckets. It does not apply to thawed buckets. * CAUTION: The 'maxTotalDataSizeMB' size limit can be reached before the time limit defined in 'frozenTimePeriodInSecs' due to the way bucket time spans are calculated. When the 'maxTotalDataSizeMB' limit is reached, the buckets are rolled to frozen. As the default policy for frozen data is deletion, unintended data loss could occur. * Splunkd ignores this setting on remote storage enabled indexes. * Highest legal value is 4294967295 * Default: 500000  

@power12  The best place to start is by analyzing https://docs.splunk.com/Documentation/Splunk/latest/Search/ViewsearchjobpropertieswiththeJobInspector  Use the https://docs.splunk.com/Documentation/Splunk/latest/DMC/DMCoverview  to check the health of Splunk. Also use other OS related tools to troubleshoot system performance; vmstat, iostat, top, lsof to look for any processes hogging CPU, memory or any high iowait times on your disk array. Here is a good explanation of calculating limits: https://answers.splunk.com/answers/270544/how-to-calculate-splunk-search-concurrency-limit-f.html  Also check out these apps: https://splunkbase.splunk.com/app/2632/  Check the efficiency of your users searches. The following will show you the longest running searches (by user - run it for 24hrs) index="_audit" action="search" (id=* OR search_id=*) | eval user=if(user=="n/a",null(),user) | stats max(total_run_time) as total_run_time first(user) as user by search_id | stats count perc95(total_run_time) median(total_run_time) by user |sort - perc95(total_run_time)  

That's the job for tostring. | appendpipe [stats sum(*) as * by Number | foreach * [eval <<FIELD>> = tostring(<<FIELD>>, "commas")] | eval UserName="Total By Number: "] I'm not sure why you group by "Number" but evals "UserName".