Need help on getting rex query. I am getting below two events. I am able to rex for event 1 with NULL field. But I also need to capture the sample event 2 which does not have NULL value. Instead of NULL it just have ",," (no NULL values just two single quotes.). Need the rex command to capture the field in both the case. If event has NULL then need the NULL field and if just two single quote need blank value. sample event1: acd.55,1,NULL,C:\totalview\ftp\switches\customer1\55\020224.1100,PASS,2024-02-02 17:32:30.047 +00:00,2024-02-02 17:36:02.088 +00:00,212 Sample event 2: acd.85,1,,C:\totalview\ftp\switches\customer1\85\020224.1100,PASS,2024-02-02 17:31:30.032 +00:00,2024-02-02 17:32:00.226 +00:00,30   Created the below rex query which is working for event 1. But not recognizing if getting event 2 some time.  ^(?P<ACD>\w+\.\d+)\t(?P<ATTEMPTS>[^\t]+)\t(?P<FAIL_REASON>[^\t]+)\t(?P<INTERVAL_FILE>[^\t]+)\t(?P<STATUS>\w+)\t(?P<START>[^\t]+)\t(?P<FINISH>[^\t]+)\t(?P<INGEST_TIME>.+)

splunkd.log is flooded by following log. WARN AutoLoadBalancedConnectionStrategy [xxxx TcpOutEloop] - Current dest host connection nn.nn.nn.nnn:9997, oneTimeClient=0, _events.size()=41, _refCount=2, _waitingAckQ.size()=5, _supportsACK=1, _lastHBRecvTime=Thu Jun 20 12:07:44 2023 is using 18446603427033668018 bytes. Total tcpout queue size is 26214400. Warningcount=841    

I have an index that contains all the hits for our WAF and an index that contains the subsequent API call details for any of those hits that are an application calling one our APIs behind the WAF. There is a shared identifier that the WAF passes to the API call so we can link them together and see what IP, user agent string, etc. made that API call. I am trying to pull data from both indexes together into a nice table so that our devs and our security folks can see what API calls are being made, who/what is calling them, and the payloads.  API search: index=api source=api_call | rename id as sessionID | fields apiName, payload, sessionID WAF search: index=waf | fields src_ip, requestHost, requestPath, requestUserAgent, sessionID My attempt to join them on the sessionID which is not working. It returns no results. index=api source=api_call | rename message.id as sessionID | fields apiName, message.payload, sessionID | join sessionID [search index=waf | fields src_ip, requestHost, requestPath, requestUserAgent, sessionID] | table apiName, message.payload, sessionID, src_ip, requestHost, requestPath, requestUserAgent I know joins are not very performative, so I'm open to alternatives that don't use it, but I'm not sure what those would be.

Hello, I am attempting to write some regex with a lookahead. My event is pluginText: <plugin_output> Here is the list of packages installed on the remote Red Hat Linux system : libkadm5-1.18.2-26.el8_9|(none) Wed 17 Jan 2024 10:21:40 AM CST sssd-client-2.9.1-4.el8_9|(none) Wed 03 Jan 2024 06:05:06 AM CST plugin_id: 22869 I would like to capture everything before the plugin_id and after the "Here is the list of packages installed on the remote Red Hat Linux system :\n\n". So all of the software data. My plan is to first extract everything into a big field and then pipe it to another rex command and use max_mode=0 to extract the software into a MV field. I am having some trouble implementing this. Help is appreciated Thank you Nate