Easiest is to just have two alerts.  There's practically *zero* downsides to just building a new search (you can start with your existing one!) and then creating an alert out of it once it appears like you've got the search all sorted out. That being said, I think you might just need to change source = "/tmp/unresponsive" sourcetype=cmi:gems_unresponsive to be able to do both at once.  I'm not sure what you need to change that to though. MAYBE - if /tmp/unresponsive is the source for either server, maybe all it needs is source = "/tmp/unresponsive" ( sourcetype=cmi:gems_unresponsive OR sourcetype=<whatever the sourcetype is for the other servers> ) And honestly, I'd go back to that core piece of the search (index=foo, source=bar, sourcetype=baz) and *find the events* first.  It should make it more obvious how to get their data in there too.

What's the actual regex you are using to capture it? And if you are sure you are using the right syntax because you copy pasted it from some working one - you could try to add | eval state = "up" as the last command in the search to force it to be "up" and see if that works.  If it doesn't, then I'd say there's something else wrong with that syntax.

Splunk doesn't apply any inherent extraction for data as you illustrated. (By default, it extracts key-value pairs connected by equal (=) sign, and some structured raw events such as JSON.)  If you see more fields in ASA feeds, it must be the doing of Splunk Add-on for Cisco ASA.  You need to open up that add-on and see what it is doing.  Then, you can copy it if that is within copyrights.  Or you can develop your own extraction strategy to emulate what Splunk Add-on for Cisco ASA does, or more. Given that the two data sources are so close in format, there is also a possibility that Splunk Add-on for Cisco ASA has some configuration you can tweak to include the FTD data type.  Consult its documentation, or contact the developers. This board used to have an app forum that I no longer see.  Maybe it is now Splunk Dev?  You can if Splunk Add-on for Cisco ASA developers are in that forum.

I don't think that's the right app to read those events.  In any case, the app you have installed had its latest release in 2018 and references no Splunk version higher than 7.1, so it looks abandoned. Instead, it looks like the  "Cisco Secure eStreamer Client Add-On for Splunk" (https://splunkbase.splunk.com/app/3662) might extract fields from records with FTD in them.  It seems like it focuses on events 430001, 430002, 430003 and 430005.  Still, it's worth a shot. Indeed, right now you could see if you have those - try a search like index=<your cisco index> FTD (430001 OR 430002 OR 430003 OR 430005) If that returns a few items (or lots), then the app I mention above should turn that into useful fields. If that search does NOT return any events, ... well, widen the time frame.  These seem like they might be less common events, not run of the mill "every tcp session makes 42 zillion of them" so it's possible there's only a few per day or something. In any case, happy splunking and I hope you find what you need! -Rich    

Also, if NAME field is available in raw events at search time, you should include the subsearch in index search to improve performance.  Like index=foo NAME IN ( [| makeresults | eval search="tas1,task2,task3"]) If NAME is populated by some calculation from SPL, you need @richgalloway's full solution.  But I believe you will need format command for the meta keyword search to work.  

I think @thambisetty meant to use sum instead of values.  Also, your seem to desire result be bucketed by hour aligned at the beginning of a calendar hour.  If so, you also need a bin command.   ```Below is the SPL you need potentially``` | spath inboundErrorSummary{} | mvexpand inboundErrorSummary{} | spath input=inboundErrorSummary{} | bin _time span=1h@h | chart sum(value) over _time by name   Now, I recently learned fromjson command introduced in Splunk 9.  It makes SPL somewhat easier to read.   | fromjson _raw | mvexpand inboundErrorSummary | spath input=inboundErrorSummary | timechart span=1h@h sum(value) by name   Here, timechart is equivalent to @thambisetty's chart but you do not have to enter a separate bin command.

"111222 host when the instance is R:" is ambiguous.  You should include an illustration of desired results in a question. 1. The most literal interpretation is to only remove the row with host 111222 AND Instance R:.  In other words, you want Instance host A: 111222 C: 111222 A: 333444 C: 333444 R: 333444 For this, you can do      | where NOT ( host == "111222" AND Instance == "R:")     BTW I don't think you should rename host to Host until everything is done. 2. But your context makes me suspect that you actually mean to remove host 111222 IF Instance R: runs on it and no matter what other instances are there.  In other words, you want Instance R_or_not_R host A: A: C: R: 333444 C: A: C: R: 333444 R: A: C: R: 333444 For this, you need     | eventstats values(Instance) as R_or_not_R by host | where host != "111222" OR R_or_not_R != "R:"​     Which one is it? Here is an emulation   | makeresults format=csv data="host, Instance 111222, A: 111222, C: 111222, R: 333444, A: 333444, C: 333444, R:" ``` data emulation above ```    

This XML allowed me to freeze the first column and column title: <row depends="$never$"> <panel> <html> <style> #myTable div [data-view="views/shared/results_table/ResultsTableMaster"] td:nth-child(1) { position: fixed;; left: 0 !important;; z-index:9 !important;; position: sticky !important; } #myTable div [data-view="views/shared/results_table/ResultsTableMaster"] th:nth-child(1) { position: fixed;; left: 0 !important;; z-index:9 !important;; position: sticky !important; } </style> </html> </panel> </row> Then, use the myTable as the id in the <table> id

Thanks for your reply. I'm not 100% sure my assumptions are correct but the config is pretty simple. I'm the admin and I did give the splunk virtual account full permissions. I am searching all indexes for a specific host. The splunk log do have errors but the only lines associated with the file in question are file is parsed and watched. The UF is collecting eventlogs and UF logs. What are some other factors I can look at?