Hello Team, Splunkers,    I am working on a correlation search and need to use a regex expression to strip all text before a column ":". Following the suggestion presented in:  https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regex-to-remove-all-text-before-an-optional/m-p/259105   I managed to strip the text using this expression which was derived from the topic above:    | rex field=my_host "(?<my_host>[^\:]+)$"   and apply it to the following line:  Microsoft.Windows.Server.10.0.LogicalDisk:my_host.server;D  it will work and I will receive: my_host.server;D However if I apply the above expression to the same line but with column at the end of the string looking like this:  Microsoft.Windows.Server.10.0.LogicalDisk:my_host.server;D: this will not be matched. Could you please assist me with editing my expression to cover both cases and still get my_host.server;D as a result.   Regards Nikolay  

Hi. I'm rather fresh to Splunk and all it's magic. I was wondering if there is a place where I can find the information regarding servers responding to DMC connections. as in the monitoring console has ServerA and ServerB to monitor. how do i force ServerA to use static port X and ServerB to use static port Y when sending data to the monitoring console I'd believe it would be as simple as  [specific_stanza_name] DMC_uri:port_of_choice but i have not managed to find any info regarding the servers response to DMC queries

I did a partial upgrade of one of my environments (upgraded all components except for indexers at the moment due to time constraints). And suddenly the status is showing IOWait as red. Similar to https://community.splunk.com/t5/Splunk-Enterprise/Why-is-the-health-status-of-IOWait-red/m-p/565902#M9870 Anyone knows if it's any known issue/bug? Or shall I tell the customer to fill a case with the support? The servers in question are really doing... not much. One of the servers in question is a master node. Supposedly getting killed by IOWait whereas top shows... top - 13:12:37 up 210 days, 1:04, 1 user, load average: 0.35, 0.29, 0.28 Tasks: 255 total, 1 running, 254 sleeping, 0 stopped, 0 zombie %Cpu0 : 4.0 us, 1.3 sy, 0.3 ni, 94.4 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu1 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu2 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu3 : 0.3 us, 0.3 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu4 : 0.0 us, 0.3 sy, 0.0 ni, 99.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu5 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu6 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu7 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu8 : 0.3 us, 0.3 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu9 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu10 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu11 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu12 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu13 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu14 : 0.3 us, 0.3 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu15 : 0.7 us, 0.0 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st KiB Mem: 65958320 total, 4973352 used, 60984968 free, 48540 buffers KiB Swap: 4194300 total, 0 used, 4194300 free. 2479532 cached Mem Other two are search-heads. Again - top output: top - 13:13:08 up 174 days, 23:12, 1 user, load average: 5.91, 6.91, 5.82 Tasks: 456 total, 2 running, 454 sleeping, 0 stopped, 0 zombie %Cpu0 : 19.3 us, 5.0 sy, 0.0 ni, 73.7 id, 0.0 wa, 0.0 hi, 2.0 si, 0.0 st %Cpu1 : 4.4 us, 7.7 sy, 0.0 ni, 87.9 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu2 : 5.1 us, 6.8 sy, 0.0 ni, 88.2 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu3 : 5.8 us, 5.8 sy, 0.0 ni, 88.5 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu4 : 6.9 us, 3.4 sy, 0.0 ni, 89.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu5 : 4.6 us, 6.0 sy, 0.0 ni, 86.4 id, 0.0 wa, 0.0 hi, 3.0 si, 0.0 st %Cpu6 : 3.8 us, 3.8 sy, 0.0 ni, 92.4 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu7 : 10.6 us, 3.8 sy, 0.0 ni, 85.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu8 : 6.1 us, 5.8 sy, 0.0 ni, 88.1 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu9 : 4.7 us, 4.4 sy, 0.0 ni, 90.8 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu10 : 3.9 us, 4.6 sy, 0.0 ni, 88.8 id, 0.0 wa, 0.0 hi, 2.6 si, 0.0 st %Cpu11 : 4.4 us, 5.1 sy, 0.0 ni, 90.5 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu12 : 6.4 us, 5.4 sy, 0.0 ni, 87.0 id, 0.0 wa, 0.0 hi, 1.3 si, 0.0 st %Cpu13 : 9.5 us, 2.7 sy, 0.0 ni, 86.8 id, 0.0 wa, 0.0 hi, 1.0 si, 0.0 st %Cpu14 : 4.7 us, 5.4 sy, 0.0 ni, 89.9 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu15 : 9.4 us, 4.0 sy, 0.0 ni, 86.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu16 : 5.1 us, 5.8 sy, 0.0 ni, 89.1 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu17 : 3.8 us, 6.2 sy, 0.0 ni, 90.1 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu18 : 7.2 us, 3.9 sy, 0.0 ni, 85.2 id, 0.0 wa, 0.0 hi, 3.6 si, 0.0 st %Cpu19 : 3.1 us, 4.8 sy, 0.0 ni, 92.1 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu20 : 5.5 us, 5.9 sy, 0.0 ni, 88.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu21 : 7.6 us, 5.5 sy, 0.0 ni, 86.9 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu22 : 5.5 us, 5.9 sy, 0.0 ni, 88.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu23 : 5.7 us, 6.4 sy, 0.0 ni, 87.8 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu24 : 5.8 us, 4.8 sy, 0.0 ni, 89.4 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu25 : 4.5 us, 5.9 sy, 0.0 ni, 89.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu26 : 5.0 us, 7.4 sy, 0.0 ni, 87.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu27 : 4.7 us, 4.7 sy, 0.0 ni, 90.5 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu28 : 6.1 us, 5.1 sy, 0.0 ni, 88.9 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu29 : 5.7 us, 6.4 sy, 0.0 ni, 87.9 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu30 : 8.8 us, 5.4 sy, 0.0 ni, 85.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu31 : 8.9 us, 4.4 sy, 0.0 ni, 86.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st KiB Mem: 65938200 total, 9247920 used, 56690280 free, 15468 buffers KiB Swap: 4194300 total, 0 used, 4194300 free. 1184380 cached Mem  As you can see - the servers are mostly idling, the search heads do some work, but not much. To make things even more interesting, three other SHs dedicated to ES stressed way more than this SH-cluster, don't report IOWait problems. All I did was migrate kvstore to WiredTiger and upgraded splunk from 8.1.2 to 8.2.6. That's all.

Hi All, I want to understand if there is a way to perform an action to the server through Splunk. For e.g. to run ls -lrt command for a path to kill/terminate a process to run a script on the server etc. Your kind help will be highly appreciated. Thank you..!!

Hi Splunk Community! I have a line chart of some values over time grouped by fieldA and so by default there is a legend that indicates the unique values from fieldA by color. May i know how i can just have the line chart without the legend? How should i hide the legend? Thanks in advance!

hi need to calculate count and percentage of fields. orginal post here, the main issue is fields contain space or balnk (2 single quotation i have spl like below,      | eventstats count as namecount by name | eventstats count as colorcount by color | eventstats count as statuscount by status | eventstats count(name) as nametotal | eventstats count(color) as colortotal | eventstats count(status) as statustotal | eval name=printf("%04u %s %d", 10000-namecount, name, nametotal) | eval color=printf("%04u %s %d", 10000-colorcount, color, colortotal) | eval status=printf("%04u %s %d", 10000-statuscount, status, statustotal) | stats values(name) as name values(color) as color values(status) as status | eval cname=mvmap(name,10000-tonumber(mvindex(split(name," "),0))) | eval ccolor=mvmap(color,10000-tonumber(mvindex(split(color," "),0))) | eval cstatus=mvmap(status,10000-tonumber(mvindex(split(status," "),0))) | eval pname=mvmap(name,100*(10000-tonumber(mvindex(split(name," "),0)))/tonumber(mvindex(split(name," "),2))) | eval pcolor=mvmap(color,100*(10000-tonumber(mvindex(split(color," "),0)))/tonumber(mvindex(split(color," "),2))) | eval pstatus=mvmap(status,100*(10000-tonumber(mvindex(split(status," "),0)))/tonumber(mvindex(split(status," "),2))) | eval name=mvmap(name,mvindex(split(name," "),1)) | eval color=mvmap(color,mvindex(split(color," "),1)) | eval status=mvmap(status,mvindex(split(status," "),1)) | fields name cname pname color ccolor pcolor status cstatus pstatus     i have some "date" or "color" like this: 'Mon May 30 00:00:00 USDT 2022' or '' FYI: some of them contain space between Single quotation like this 'Mon May 30 00:00:00 USDT 2022', some of them are empty just has Single quotation like this '' not show them correcty and won't calculate percentage of them.   current output: Date cDate %Date Color cColor %Color 'Mon         2                              ''           1 'Today'    1           33.0     'red'        2         66.0   expected output: Date                                                                           cDate %Date           Color cColor %Color 'Mon May 30 00:00:00 USDT 2022'         2         66.66                ''           1            33.3 'Today'                                                                            1           33.0               'red'        2         66.0

index="SOMETHING"  earliest=-30d@d | stats earliest(_time) as action_StartTime latest(_time) as action_EndTime | eval elapsed_Time= action_EndTime - action_StartTime | convert ctime(action_StartTime) ctime(action_EndTime) ctime(elapsed_Time) | fields + action_StartTime action_EndTime elapsed_Time  | sort by action_StartTime The elapsed_Time is wrong, how can i make it correct?

hello I use the cron below in order to run the search “At minute 10 past every hour from 7 through 19.”   10 7-19 * * *    Instead doing this, I would like to run the search every 15 minutes always between 7h and 19h  could you help please?