Thanks for the new screenshot.  It makes the situation a little clearer.  Try this line breaker LINE_BREAKER = ()<\d+> Is @PickleRick said, make sure the settings are on all indexers and heavy forwarders and that the instances are restarted after configurations are changed.

@ITWhisperer  I don't want to do anything  if none of the events from a particular day have searchmatch yes , I just want the events where searchmatch("ebnc event balanced successfully") is true. But I want when I am selecting last 7 days it should show last 7 events only 1 event per day I want. So if it would be last 7 days it will look something like this:(only 7 events) EBNCStatus                                                                        true ebnc event balanced successfully                      ✔ ebnc event balanced successfully                     ✔ ebnc event balanced successfully                     ✔ ebnc event balanced successfully                    ✔ ebnc event balanced successfully                      ✔ ebnc event balanced successfully                    ✔ ebnc event balanced successfully                   ✔

Which  event do you want to use from each day, the first, the last, only those where searchmatch("ebnc event balanced successfully") is true, what do you want to do if none of the events from a particular day have searchmatch("ebnc event balanced successfully") equating to true? This has been said many times before, you need to be clear what you are trying to achieve.

I'm sorry, but maybe I have the wrong understanding of what a multi-line event is. I expect that any event that has more than one line is a multi-line event. The event that I posted in the OP had more than one line, and what is more important, more than one timestamp. I expected that Splunk must have broken such an event by each "\r\n". P.S: I attached another screenshot with the linecount field.

1. The default ([\r\n]+) includes your (\n+), so you don't have to specify that alternative (I'm not sure how it would behave since LINE_BREAKER is supposed to contain one capture group anyway). 2. How are you getting your events? Sent by syslog? Written to a file and read with a UF? 3. Just to be on the safe side - you're not expecting already ingested events to be re-broken, right?

@ITWhisperer  I have 60 events but I want when I select last 7 days from date drop down It should display only 7 results If I select last 30 days it should display only 30 results. current query index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCStatus="ebnc event balanced successfully" | table EBNCStatus True @ITWhisperer  can you please guide

Yes, it's possible.  It's just text and text can be manipulated. Please describe what you mean by "it doesn't work".  I need something to work with.  What is the full query you tested?  What results do you get? Other things to try: The replace command | replace "rawjson=" with "" in _raw the replace function | eval _raw=replace(_raw, "rawjson=", "")  

@ITWhisperer  I want two columns only but currently when I am selecting last 7 days its coming more that 7. If I used dedup command its showing only 1 I want when I select last 7 days it should show only last 7 days I am selecting last 7 days its showing 60 statistics . query index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True=if(searchmatch("ebnc event balanced successfully"),"✔","") | eval EBNCStatus="ebnc event balanced successfully" | table EBNCStatus True   PFA attached screenshot.  

Wait a second. /opt/app/splunk/var/lib/splunk/os/db - is this the location of your index data? Why is it not empty on a component not being an indexer? Properly set up environment should forward all logs to indexers, no other components should store events locally. That's first thing. Another thing is that if you want to get rid of old data, the proper way to do so would be to lower the retention limits (retention period or size limit) and let splunk roll out buckets to frozen naturally.

It's a rough estimate. It's just an assumption that 50 clients should not generate such load on the DS that it would interfere with other functionalities. I must say though that combining a HF and DS is a very unusual architecture choice. Also - why do you want to set up a HF here? If you absolutely need an intermediate forwarder (with the traditional remarks about load-balancing or rather lack thereof), why not an UF? Remember that HF will parse your events and send the data as parsed which multiplies the needed bandwidth.