Here is my Splunk query,  Output is not good rex max_match=0 ^\w+:\s+\w+\.\w+@\w+\.\w+\s+\w+:\s+\w+\-\w+\-\w+@\w+\.\w+\s+\w+\-\w+:\s+\d+\.\d+\s+\w+\-\w+:\s+\w+\s+\w+:\s+\w+\s+\-\s+(?P<Info>\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\d+\s+\w+)\s+\-\-\s+(?P<ClusterName>\w+\-\w+\-\w+) |rex "(?ms)^(?:[^>\\n]*>){2}(?P<Svc>\\w+)[^=\\n]*=\\d+>(?P<Maint>[^<]+)" | table Info ClusterName Svc Maint   Info ClusterName Svc Maint Services are in Maintenance Mode over 2 hours AtWork-CIW-E1 Service Maintenance Start Time in MST     oozie Mon Oct 16 07:29:46 MST 2023   In the above output, it is capturing Service and Maintenance Start time in MST in the field extractions

Hi @bmanikya, using your one sample, I can propose to yu this regex: (?ms)\s-\s(?<Service>[^-]*).*oozie(\<[^\>]*\>){2}(?<oozie>[^\<]*) that you can test at https://regex101.com/r/tzacfN/1 If you could share more samples (always in text mode) I could verify the above regex. Ciao. Giuseppe

Hi @quentin_young, I have a dubt of Deployer and Cluster Manager on the same system: probablky this is the reason of the error. The others can live in the same server. I usually put MC and LM in one  server and Deployer and MC in another. Ciao. Giuseppe

MIME-Version: 1.0 Content-Disposition: inline Subject: INFO - Services are in Maintenance Mode over 2 hours -- AtWork-CIW-E1 Content-Type: text/html <font size=3 color=black>Hi Team,</br></br>Please find below servers which are in maintenance mode for more than 2 hours; </br></br></font> <table border=2> <TR bgcolor=#D6EAF8><TH colspan=2>Cluster Name: AtWork-CIW-E1</TH></TR> <TR bgcolor=#D6EAF8><TH colspan=1>Service</TH><TH colspan=1>Maintenance Start Time in MST</TH></TR> <TR bgcolor=#FFB6C1><TH colspan=1>oozie</TH><TH colspan=1>Mon Oct 16 07:29:46 MST 2023</TH></TR> </table> <font size=3 color=black></br> Script Path:/amex/ansible/maintenance_mode_service</font> <font size=3 color=black></br></br>Thank you,</br>BDP Spark Support Team</font>                                                                                                                                                     Need field extractions of the following.   Cluster Name: AtWork-CIW-E1 Service Maintenance Start Time in MST oozie Mon Oct 16 07:29:46 MST 2023  

Output _time Namespace Environment ServiceDenomination MetricName EntityName Count 2023-10-06 22:00   Entity Test TestBoundBatch TestMessageCount TestOrder.Supplier 1 2023-10-07 22:00   Entity Test TestBoundBatch TestMessageCount TestOrder.Supplier 2 2023-10-08 22:00   Entity Test TestBoundBatch TestMessageCount TestOrder.Supplier 3 2023-10-09 09:00   Entity Test TestBoundBatch TestMessageCount TestOrder.Supplier 4 2023-10-09 22:00   Entity Test TestBoundBatch TestMessageCount TestOrder.Supplier 5 2023-10-10 09:00   Entity Test TestBoundBatch TestMessageCount TestOrder.Supplier 6 2023-10-10 22:00   Entity Test TestBoundBatch TestMessageCount TestOrder.Supplier 7 2023-10-11 22:00   Entity Test TestBoundBatch TestMessageCount TestOrder.Supplier 8 2023-10-11 22:00   Entity Test TestBoundBatch TestMessageCount TestOrder.Supplier 9

Hi  @ITWhisperer my expectation is, suppose everyday we have data at 22:00 we need to keep that data and ignore the rest other data. can outlier be the option to ignore the data coming with different timestamp? please note: it is not always 22:00 data it can we any time but we have to ignore the other timestamp data apart from the usual one.   base search: | mstats sum(Entity.InMessageCount.count.Sum) as count span=1h where index=cloudwatch_metrics AND Namespace=Entity AND Environment=prod AND EntityName="Order.SupplierDepot" AND ServiceDenomination=OutboundBatcher by Namespace, Environment, ServiceDenomination, MetricName, EntityName | where count > 0  

Hi @akthota , you could try sometthing like this: <your_search> | rex "\{\"taxGeoCode\":(?<taxGeoCode>[^,]*),\"matchCode":(?<matchCode>[^,]*),"city":(?<city>[^,]*)," | eval cond=if(taxGeoCode="true" OR matchCode="true" OR city="true","true","false") | stats count(eval(taxGeoCode IN ("true","false")) AS taxGeoCode count(eval(matchCode IN ("true","false")) AS matchCode count(eval(city IN ("true","false")) AS city | by cond you could also use the spath command (better), in this case, you have to change the field names in the stats command. Ciao. Giuseppe

Hi @iswiau .. May we know, do you have only a small list of id's.. or a big list of people? if you have only a small list of ids... you can use a if condition and select the email id.  or, you can create a notepad file with the email ids and use map command like this.. ... | outputcsv TempFile.csv | stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader | map search ="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\" | fields - Email_Address | sendemail sendresults=true inline=true server=\"Your.Value.Here\" from=\"Your.Value.Here\" to=\"$emailToHeader$\" subject=\"Your Subject here: \$name\$\" message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\"" | where comment="MakeSureNoEventsRemail" | append [|inputcsv TempFile.csv] this above one is from this page

Hi Harshal, I don't know if this response is needed anymore, but from my experience, I noticed that the only capability that grants this view is the "admin_all_objects". A similar thread can be found here confirming this: https://community.splunk.com/t5/All-Apps-and-Add-ons/What-roles-or-capabilities-are-needed-that-Alerts-will-display/m-p/258018