My indexer server is 2016 and splunk 7 is installed there , but somehow OS got crashed , so we have to re-install the OS and after that we will re-install the splunk 7 instance there, and the old Data is present in F Drive as it was configured as such. so my question is that if i re-install the splunk 7 there and configure it as old version, will the data get reflected in splunk instance?

1. Splunk 7 is and has been unsupported for quite some time already so if anything goes wrong you might have problems getting help. This upgrade is several years overdue. 2. See the https://docs.splunk.com/Documentation/Splunk/9.1.1/Installation/HowtoupgradeSplunk document for requirements for specific versions (you can change the version of the document in the top right corner). You can upgrade to 9.x from 8.2 or any lower 9.x. So your first "stop" needs to be 8.2. If you see the document version for a 8.2 release, you see that you firstly have to upgrade to 8.0 or 8.1 So your upgrade path should be 7.x -> 8.0.x or 8.1.x -> 8.2.x -> 9.x

Hello richgalloway, thank you for your answer. I did the extraction in props.conf and transforms.conf. However, I cannot find or access the extracted field in the Splunk interface. Here's what I wrote in transforms.conf: [extract_host] REGEX = ^(?:[^ \n]* ){9}\w+\d+\s+(?P<newhostname>\w+) FORMAT = newhostname::$1 The following in props.conf [sourcetype::Datacollection] TRANSFORMS-extract_host = extract_host Did I do something wrong here? Thanks for your answer in advance. Sharon

@gcusello , Error in 'SearchOperator:regex': The regex '(?:ParentProcessName).+(?:C:\Program Files\Windows Defender Advanced Threat Protection\)' is invalid. Regex: unknown property after \P or \p.    

Hi @Lavender , in this case, you have to add an additional condition: index=xyz component=gateway appid=12345 message="*|osv|*" | rex "trace-id.(?<RequestID>\d+)" | search RequestID=* | eval env=main_search | table _time Country Environment appID LogMessage env | append [search index=xyz appid=12345 message="*|osv|*" level="error" `mymacrocompo` | rex "trace-id.(?<RequestID>\d+)" | search RequestID=* | eval env=sub_search | table RequestID LogMessage1 env ] | stats earliest(_time) AS _time values(Country) AS Country values(Environment) AS Environment values(appID) AS appID values(LogMessage) AS LogMessage values(eval(if(level="error",LogMessage1, "NULL"))) AS Errorlogs dc(env) AS env_count BY RequestID | where env_count=2 Ciao. Giuseppe

Hi @AL3Z , run a search on the index where are stored the logs you filtered and, if your filter is applied on one or more hosts, eventually adding a filter on hosts. In the search use the same regex using the regex command (https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Regex). Something like this: index=windows host=<your_host> | regex "(?:ParentProcessName).+(?:C:\\Program Files\\Windows Defender Advanced Threat Protection\\)" Check the results and see if they arrive from the hosts you're waiting or not. Ciao. Giuseppe 

@mad_splunker  index=someindex cluster=api uuid=api_uuid [ search index=someindex cluster=gw uuid=gw98037234c6e51a48816016172b8a3c56 | eval uuid="gw"+reqid | table uuid ]   Can you please try this? I have used different approach.    thanks KV