Apologies, this was difficult to try to explain via text. I have a MV field and am iterating through it and using a regex to create multiple capture groups, then create a new field using some those capture groups.  That new field is colon separated. Currently, I noticed that within my 3rd capture group, the values within the MV field can sometimes have non-alphanumeric characters which is causing the regex to not match (due to the regex being [\w\s]). So... modify the regex to capture everything!  But... what about when the special character is a colon ( : )?  In that scenario, it will then add an additional colon in my new colon separated field which will make that entry invalid due to nonconformity to the pattern. I thought, why not just get rid of every non-alphanumeric character that will be in the 3rd capture group before I create the new field so there aren't issues.  Which then brought me here as I cannot seem to find a way to do that. Instead, I am now thinking it may be better to simply capture all then clean up the new field instead as that will not be a MV field.  Maybe I can use regex and sed  to eliminate any special characters in the new field, just need to figure out how to account for the case when that character is a colon.  Since its the 3rd capture group, I would need the pattern to have 4 colons before that part of the field and 7 colons after it. cpe:2.3:a:\2:\3:\5:*:*:*:*:*:*:* - \1 - \4  

Hi @yogeshgs , My splunk cloud instance does not have Data manager app and as per my understanding it ships with instance and cant be installed seperately. Can you guide what to do in this case if I need this Data Manager for my instance. Any response will be appreciated and thanks in advance. 

Hi @burwell ,  Yes, this did fix my issue. I adjusted the default 2p to represent 5 days worth of time in seconds. Now when I check job manager when the alert is triggered, I see the expire time is 5 days away now.  Thanks

My data model is searching for all windows logins.  index=* EventCode=4624 OR (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) NOT (user=*$) NOT (user=system) NOT (user=*-*) with this search i get a field called dest_nt_domain.  This field will have results as - Test Test.local other My above search has the rex command to remove everything after the period.  I finally have a kvlookup called Domain with a field of name.  It contains one value - Test.  Im wanting to evaluate the above data vs the one value in my kvlookup.  

Ok. Honestly, you lost me here. What does have filtering characters have to do with extracting fields? Either you filter characters and parse resulting event or parse out fields than filter each field on its own. Or do I miss something?

Because I need to create the new field for every entry.  If I were to implement that, then it would simply not match that entry and move on, effectively ignoring it.  So I'm trying to find a way to clean this portion of the data such that I can capture every entry.  Right now I'm only matching on entries that contain [\w\s] but I'm missing a bunch.  True, [\X] would ignore less, but I'm trying to ignore none and capture all, but avoid problems by cleaning/manipulating the text before capturing it within the capture group.

Generally speaking the 403 error is on the server side.  You say you are trying to download a trial, and that you "Managed to register it. "  I don't know what that latter means?  If it's a trial, you download it, install it and it just works.  They're *all* trials until you put in a real license key (or connect it to your license master).[1] You could try a) just logging into a different place in Splunk, like docs.splunk.com.  I think once you are logged in there you can then go back to splunk.com and see if it all still works. b) Have you tried just creating a new account and seeing if you can download it then?  I'm not aware of any actual process to this, you just "create new account" and fill in a few pieces of information then off to the downloads you go. Anyway, hope one of these gets you working again!     [1] LOL, this has actually been a complaint of mine for a decade now.  I don't want to download a trial and convert it, I want to feel like I'm downloading the actual paid-for version that $company owned.  But it's just words, so 'whatever'.   

Well, tstats works with more than just time fields.  The limitation is that it only works with fields that are created *at* the time the events are indexed. https://docs.splunk.com/Documentation/Splunk/9.1.3/Indexer/Indextimeversussearchtime I honestly think some of that information about performance or whatever is outdated, but most of that's all still fine documentation. Index time fields are those created when the data's indexed.  By default it's just the built-in fields, like _time, sourcetype, and so on. In some cases it's all the fields, for instance with INDEXED_EXTRACTIONS=<json/csv/whatever>. But otherwise Splunk generally relies on search time fields - fields that are built "on the fly" as you run your search.  It's more flexible and doesn't go 'out of date' as events change or your needed fields change around. The docs above should have links off them to explain more, but that's the gist of it.