Hi @lucky, as also @yuanliu asked, you should better desctibe your requirement: did you already ingested data? did you installed the Add-Ons to correctly parse data? are you speaking of Windows or Linux systems, Anyway the answer depends on these information. Supponing that you are speaking of windows systems, that you already installed the requested Add-On (Splunk_TA_Windows) and that you already ingested the requested data (perfmon:CPU and perfmon:Memory), you could run something like this: index=windows sourcetype=WinHostMon Type=Processor $host$ | eval host=upper(host) | dedup host | sort host | table Name NumberOfCores Architecture ClockSpeedMHz Manufacturer | rename name AS CPU Manufacturer AS "CPU Manufacturer" and index=windows sourcetype=WinHostMon Type=OperatingSystem $host$ | eval host=upper(host) | dedup host | sort host | eval FreePhysicalMemoryGB=FreePhysicalMemoryKB/1024/1024, FreeVirtualMemoryGB=FreeVirtualMemoryKB/1024/1024, TotalPhysicalMemoryGB=TotalPhysicalMemoryKB/1024/1024, TotalVirtualMemoryGB=TotalVirtualMemoryKB/1024/1024, Virtual_mem_free_percent=FreeVirtualMemoryKB/TotalVirtualMemoryKB*100 | table FreePhysicalMemoryGB TotalPhysicalMemoryGB mem_free_percent FreeVirtualMemoryGB TotalVirtualMemoryGB Virtual_mem_free_percent | rename FreePhysicalMemoryGB AS "Free Physical Memory" TotalPhysicalMemoryGB AS "Total Physical Memory" mem_free_percent AS "Free Physical Memory%" FreeVirtualMemoryGB AS "Free Virtual Memory" TotalVirtualMemoryGB AS "Total Virtual Memory" Virtual_mem_free_percent AS "Free Virtual Memory%" to adapt to your requirements. Ciao. Giuseppe  

To get help about data analysis, you want to explain what data you have (preferably with text illustration), key characteristics of data, illustrate your desired output, and the logic between data and output. Hope this helps.

As @VatsalJagani said, you are not limited to using delimiters in Splunk field extraction.  I just posted some screenshots from Splunk Web for a nearly identical data format here: https://community.splunk.com/t5/Splunk-Search/Tempory-output-storage/m-p/656753/highlight/true#M226830

As I always tell people, do not treat structured data as plain text, and rex is not the right tool for JSON. Looking at your illustration, I am convinced that your original data is fully compliant; the field message3.TEXT embeds an escaped, fully compliant JSON message with some leading text.  Like thus   {"Field1":"xxx","message1":"{0}","message2":"xxx","message3":{"TEXT":"xxxx: xxx\r\n.xxxxx: {\"xxxxx\":{\"@CDI\":\"@ABC-123G-dhskdd-ghdkshd122@hkfhksdf12-djkshd12-hkdshd12 \",\"@RETURN\":\"xxxx-xxxxxxxxxx-xx-xxxxx\",\"@message4\":\"xxxxxx:xxx\",\"message5\":{\"message6\":null}}}"}}   As such, you can use this to directly access the field RETURN   | eval TEXT = replace('message3.TEXT', "^[^{]+", "") | spath input=TEXT path="xxxxx.@RETURN" output=Field2    The illustrated data will give something like Field1 Field2 message1 message2 message3.TEXT xxx xxxx-xxxxxxxxxx-xx-xxxxx {0} xxx xxxx: xxx .xxxxx: {"xxxxx":{"@CDI":"@ABC-123G-dhskdd-ghdkshd122@hkfhksdf12-djkshd12-hkdshd12 ","@RETURN":"xxxx-xxxxxxxxxx-xx-xxxxx","@message4":"xxxxxx:xxx","message5":{"message6":null}}} Here is an emulation you can play with and compare with raw data   | makeresults | eval _raw = "{\"Field1\":\"xxx\",\"message1\":\"{0}\",\"message2\":\"xxx\",\"message3\":{\"TEXT\":\"xxxx: xxx\\r\\n.xxxxx: {\\\"xxxxx\\\":{\\\"@CDI\\\":\\\"@ABC-123G-dhskdd-ghdkshd122@hkfhksdf12-djkshd12-hkdshd12 \\\",\\\"@RETURN\\\":\\\"xxxx-xxxxxxxxxx-xx-xxxxx\\\",\\\"@message4\\\":\\\"xxxxxx:xxx\\\",\\\"message5\\\":{\\\"message6\\\":null}}}\"}}" | spath ``` data emulation above ```    

@sunnyleofremont - You could use the regex-based field extraction, either REPORT or EXTRACT. And below is the regex you can use for that. For temporary extraction in search, you can also use | rex command with the same regex. \s+(?<Name>[^\n\s\\|]+)\|(?<size>[^\s\n\r]+)\s+(?<value>[^\s\n\r]+)\s+ https://regex101.com/r/AWNK3i/1    I hope this helps!!! Kindly upvote if it does!!!

@stevediaz - This message tells that either: The macro either does not exist. OR the macro is not permissible to execute in the search and in the App it is currently being used.   Any Splunk Admin can go and find the macro and its permission from Splunk UI > Advanced search > macros in the settings.   I hope this helps!!! Kindly upvote if it helps!!!

OK. But on which component did you put this props.conf file? On the UF? Then it's not the proper place for it. UF does not do parsing (except for indexed extractions but it's not the case I suppose) and DATETIME_CONFIG is a setting regarding parsing stage. So put it onto your indexer(s) or intermediate HF(s) if you have them. Also - did you configure DATETIME_CONFIG for the proper sourcetype?

OK. So firstly, you need to make sure you get your logging configured consistently across your whole environment (unless you really want it to be set differently on some servers). Then you need to ingest the files properly. There is an add-on for IIS logs - https://splunkbase.splunk.com/app/3185 Install it, configure inputs as described in the docs (also verify that your IIS logging is configured properly according to the docs), then check if all the files are getting indexed properly.  

Are you sure your value 3 and value 4 do not contain, for example, white space?  I cannot help but notice that you did not quote "value 3" and "value 4".  If the search is illustrative, it should be something like index=test_01 EventCode=4670 NOT ("Field 1" = value1 OR "Field 1" = value2) NOT (Process_Name = "value 3" OR Process_Name = "value 4")

@danielbb - This automatic lookup could be present in any App. You can try to find where it is present by going to Splunk UI > Lookups > Automatic lookups and select All App and Any Owner and filter for HTTP_STATUS and trying to find which App contains this lookup. You should be able to fix it from there as well.   I hope this helps!!!

You can use   \b(?<event_name>[^|]+)\|(?<task_id>\d+) (?<event_id>\d+)   You know you don't have to use delimiter to extract fields.  You can select regex instead.  This is one way to do it: Alternatively, you can use the selector. (Most of the time, Splunk will come up with a good regex.)