Hello, I have below query.  Getting data from dc_nfast index and putting it in test index and using this test index in dashboard.  we are not using test dc_nfast index anywhere. I want to refine the query so that it gets data from same index and putting in it same index. Can one advice on this `comment("Get latest NFAST data")` index=dc_nfast source=MIDDLEWARE_NFAST_DETECTION NOT "Nfast Version" IN ("NA","[no results]") [ | tstats latest(_time) as latest earliest(_time) as earliest count where index=dc_nfast source=MIDDLEWARE_NFAST_DETECTION host=nfast* earliest=-30d by _time , source , host span=2m | stats values(count) as count values(earliest) as earliest values(latest) as latest by _time , source , host | eventstats median(count) as median p5(count) as p5 p95(count) as p95 by source , host | eval range=(p95-p5) | eval lower_count=(median-range*3) , upper_count=(median+range*3) | where count >=lower_count AND count<=upper_count | eval earliest = earliest - 1 , latest = latest + 1 | dedup source , host sortby - latest | return 10 earliest latest host source ] `comment("Get lifecyclestate, country and ipaddress from master asset lists")` | lookup dc_app_dcmaster_master_asset_ul.csv hostname OUTPUT master_ipaddress as ul_master_ipaddress master_lifeCycleState as ul_master_lifeCycleState master_country as ul_master_country | lookup dc_app_dcmaster_master_asset_win.csv hostname OUTPUT master_ipaddress as win_master_ipaddress master_lifeCycleState as win_master_lifeCycleState master_country as win_master_country | lookup dc_app_unicorn_lookup.csv hostName as hostname OUTPUT locationCode | eval ipaddress=coalesce(ul_master_ipaddress, win_master_ipaddress) , lifeCycleState=coalesce(ul_master_lifeCycleState,win_master_lifeCycleState) , country=coalesce(ul_master_country,win_master_country) | fillnull value="UNKNOWN" ipaddress lifeCycleState country locationCode `comment("Join on serial number data from HSMC CSV import")` | rename "Serial Number" as HSMSerialNumber | makemv HSMSerialNumber `comment("Count the number of serial numbers per host")` | eval HSM_count=mvcount(HSMSerialNumber) | fillnull value=0 HSM_count | mvexpand HSMSerialNumber | join type=left HSMSerialNumber [ search `get_latest_source_in_range(test , /opt/splunk/etc/apps/dc_ta_nfast_inputs/git/master/HSMSplunkFeed/SPLUNK_HSM_Import_Listing.csv)` ] | rename Country as HSM_country "HSM *" as HSM_* "HSM * *" as HSM_*_ | foreach HSM* [ fillnull value="No_HSM_data" <<FIELD>> ] `comment("Add EIM service data - creating")` | lookup app_eim_lookup_eim_basic_extract.csv hostname OUTPUT PLADA_CRITICALITY SERVICE_IT_ORG6 SERVICE_IT_ORG7 IT_SERVICE SERVICE_OWNER SERVICE_OWNER_EMAIL | fillnull value="UNKNOWN" IT_SERVICE SERVICE_OWNER SERVICE_OWNER_EMAIL PLADA_CRITICALITY SERVICE_IT_ORG6 SERVICE_IT_ORG7 | eval servicedata=mvzip(IT_SERVICE ,SERVICE_OWNER ,"##") | eval servicedata=mvzip(servicedata,SERVICE_OWNER_EMAIL ,"##") | eval servicedata=mvzip(servicedata,PLADA_CRITICALITY ,"##") | eval servicedata=mvzip(servicedata,SERVICE_IT_ORG6 ,"##") | eval servicedata=mvzip(servicedata,SERVICE_IT_ORG7 ,"##") | eval servicedata=mvdedup(servicedata) | fields - PLADA_CRITICALITY SERVICE_IT_ORG6 ISERVICE_IT_ORG7 T_SERVICE SERVICE_OWNER SERVICE_OWNER_EMAIL | eval servicedata=mvdedup(servicedata) `comment("Now expand each servicedata into multiple lines where the is multiple values ")` | mvexpand servicedata `comment("Recreate the service values")` | rex field=servicedata "(?<IT_SERVICE>.*?)##(?<SERVICE_OWNER>.*?)##(?<SERVICE_OWNER_EMAIL>.*?)##(?<PLADA_CRITICALITY>.*?)##(?<SERVICE_IT_ORG6>.*?)##(?<SERVICE_IT_ORG7>.*)" `comment("Run addinfo command to capture info_search_time field")` | addinfo `comment("Write out to index")` | eval _time=now() | table hostname Combined Nfast* ipaddress lifeCycleState HSM_count country locationCode IT_SERVICE SERVICE_OWNER SERVICE_OWNER_EMAIL PLADA_CRITICALITY SERVICE_IT_ORG6 SERVICE_IT_ORG7 HSMSerialNumber HSM* | collect index=test source=stash   Thanks  

Dear Splunkers,   I am trying to forward a specific sourcetype (let's call it "mySourcetype") to a third party software with a Heavy Forwarder. The Heavy Forwarder receives the data on a udp port with a splunk input: [udp://xxxxx:514] connection_host = dns sourcetype = mySourcetype _SYSLOG_ROUTING = mySyslogRouting   We added the _SYSLOG_ROUTING line to also send it to the third party software as described in outputs.conf: [syslog:mySyslogRouting] type = udp priority = NO_PRI syslogSourceType = sourcetype::mySourcetype server = yyyyyy:3000   Unfortunately, the destination "yyyyyy:3000" receive all data (not just this sourcetype) from the HF. So that means all the other sourcetype and internal Splunk logs...   We tried to use the props.conf and transforms.conf to route it: props.conf [mySourcetype] TRANSFORMS-changehost = routeSourcetype   transforms.conf [routeSourcetype] DEST_KEY=_SYSLOG_ROUTING REGEX=(.) FORMAT=mySyslogRouting   The result is the same : the destination receive too much data.   Any idea to limit the Syslog forwarding to just one sourcetype?   Thanks   EDIT: I found an old post that seems to be talking about the same issue but with no answers... https://community.splunk.com/t5/Getting-Data-In/Route-syslog-from-heavy-forwarder-to-3rd-party-but-only/m-p/535722

Hello all, I haven't used rex many times. I have a URL like this, http;s://ab-abcd.in.xyz.com/abcd_xyz/job/example_name/" . Here ab-abcd.in.xyz.com is server name, abcd_xyz is project name and example_name is task name. I have to extract these using regex. I have tried using this query, |rex field=URL "https:\//(?<server_name>\w*)/\(?<project_name>\w*)\/job\/(?<task_name>\w*)\/"| table server_name project_name task_name I know that this query is wrong.But confused on how to correct it.  Can anyone help me to correct this query.