Are you saying you get raw events that are fragments of an HTML document.  In any case, even though HTML is not the ideal data format for data structure, treating it as text still carries the usual risks, therefore I advise against.  Use spath to pretend that it is XML. You didn't give enough snippet to show how Environment is actually coded and I don't want to speculate (read tea leaf), so I am going to use Vendor as groupby in my example.  This is what I  would do:   | spath | eval Vendor = mvindex('tr.td', 0) | eval Issues = tonumber(mvindex('tr.td', 2)) | eval Running = tonumber(mvindex('tr.td', 1)) - Issues | stats sum(Running) as Running_count sum(Issues) as Issues_count by Vendor   Here is an emulation you can play with and compare with real data:   | makeresults | eval log = mvappend("</tr> <tr> <td >Apple</td> <td >59</td> <td >7</td>", "</tr> <tr> <td >Samsung</td> <td >61</td> <td >13</td>", "</tr> <tr> <td >Oppo</td> <td >34</td> <td >5</td>", "</tr> <tr> <td >Vivo</td> <td >38</td> <td >11</td>") | mvexpand log | rename log AS _raw ``` data emulation above ```   Output of this emulation is Vendor Running_count Issues_count Apple 52 7 Oppo 29 5 Samsung 48 13 Vivo 27 11

Hi @richgalloway  Can I know what kind of third party software should be available to collect the value and send it to Splunk? Because I need "% Committed Bytes In Use" should be present in Perfmon :Process stanza , means  this "% Committed Bytes In Use" should be present in that counter list. so how can get this added? Thanks

So after looking around in Splunk I found the bucket  Any Ideas what to do with that? Bucket-Status _internal~1260~8D19E36A-C3DF-465D-9B7E-908324F333E5 Aktion _internal does not meet: primacy & rf 3 Tag(e) 20 Stunde(n) 10 Minute(n) Cannot replicate as bucket hasn't rolled yet.

@HarishSamudrala  The error message you provided indicates that search results might be incomplete due to the search process ending prematurely on the peer.  Check Peer Logs: Look into the peer log files, specifically: $SPLUNK_HOME/var/log/splunk/splunkd.log The search.log for the particular search. Examine these logs for any relevant error messages or clues about what caused the premature termination. Memory and Resource Constraints: Ensure that the peer has sufficient resources (CPU, memory, disk space) to handle the search workload. Sometimes, insufficient resources can lead to premature search process termination. Consider monitoring system resource usage during search execution. License Considerations: If you’re using a trial Splunk Enterprise distributed deployment, each instance must use its own self-generated Enterprise Trial license. In contrast, a distributed deployment running a Splunk Enterprise license requires configuring a license master to host all licenses. Check for OOM Killer Events: Review /var/log/messages on the peer for any Out-of-Memory (OOM) Killer events. Insufficient memory can cause processes to terminate unexpectedly. Increase ulimits for Open Files: If you haven’t already, consider increasing the ulimits for open files on the indexers. For example, set the ulimit to the recommended 64000 (initially it might be set to 4096). Review Configuration: Verify that the configuration of your search head, indexers, and forwarders is correct. Ensure that the search head can communicate with the peer properly. Remember to investigate the specific details in the logs to pinpoint the root cause. If you encounter any specific error messages or need further assistance, feel free to share additional details.  Solved: Search results might be incomplete: the search pro... - Splunk Community  https://community.splunk.com/t5/Splunk-Search/Search-results-might-be-incomplete-the-search-process-on-the/m-p/617673 

Hi @man03359, this seems to be Splunk Cloud, in this case you don't need to manage the buckets. Buckets managing and configuration is required only do on-premise installation. For Splunk Cloud, you have only to define how long you want to store data, also because, by default, you have 90 day and if you want a longer period, you have to pay for the additional storage. Ciao. Giuseppe  

Like they say in the olden days, Linux - eh Splunk, can do anything except brew coffee.  Can you qualify your requirement?  Is the time range from a dashboard's data input of type Time?  In that case, starttime and endtime are in the token name that you give the input.  If you want a specific presentation of those values in a search, you just use the likes of strftime to manipulate them. If you want specific help, you need to clearly state your use case including desired output.  If you want to use one selector to set values in other selectors as your mock screenshot seems to suggest, that is doable, too.  But you need to describe the desired behavior in unmistakable detail.

Hi @lbrhyne  You can do one simple idea - just search for a 5 digit numbers in your logs(Pls check the logs and see if there are any other 5 digit numbers) | makeresults | eval log="run.\r\nTimeframe (PT) Success Failed % Failed\r\n\r\n05:15-06:14\r\n\r\n58570\r\n\r\n681\r\n\r\n1.15\r\n\r\nIf you believe you've received this email in error, please see your Splunk\"}" | rex field=log (?P<Successful>\d{5}) | table log Successful