I have a list of chrome extensions that are installed that is returned in a multivalue field. One of the results looks like this:  All I really care about is the extension name so I was able to run this query to use rex to extract the names of all the extensions:  index=jamf source=jss_inventory "extensionAttribute.name"="Installed Chrome Extensions & Versions" | fields extensionAttribute.name, computer_meta.assignedUser | rex field=extensionAttribute.value max_match=0 "Name: (?<extensions>.*)\n" | table extensions This returns:  How can I further extract these extensions in this multi-value field.  I can't get mvexpand to work because it says that the new extensions field I created doesn't exist in the data. I can't figure out how to extract each line as a separate result so that I can dedup and get a full list of all installed extensions. 

Query doesnt bring up anything. Try to pull RDP connections in my environment:      event_simpleName=UserLogon LogonType_decimal=10 | stats values(UserName) dc(UserName) AS "User Count" count(UserName) AS "Logon Count" by aid, ComputerName | sort - "Logon Count"  

Hello everyone,  I have a question for you, and I need your help please I have some logs, but the parsing isn't done.  In a same log, I have a lot of indicators and I need to extract the fields : -cpu_model - device_type: -distinguished_name: - entity:  - last_boot_duration:  - last_ip_address:  - last_logon_duration:  - last_logon_time:  -   last_system_boot:     -  mac_addresses: [ 00:42:38:CA:81:72 00:42:38:CA:81:7300:42:38:CA:81:76          02:42:38:CA:81:72          74:78:27:91:41:BB          B0:9F:80:55:40:44         ]       - name: PCW-TOU-76566        -number_of_days_since_last_boot:       - number_of_days_since_last_logon:       -  number_of_monitors: 3        - os_version_and_architecture: Windows 10 Pro 21H2 (64 bits)       - platform: windows       - score:Device performance/Boot speed: null        -system_drive_capacity: 506333229056      -  system_drive_usage: 0.19       - total_nonsystem_drive_capacity: 0        -total_nonsystem_drive_usage: null        -total_ram: 8589934592   The log is like this : What can I do to have the fields extracted to develop my indicators ?  The regex method is not possible in this case, can I use rex command ? and how I can do for this example ?  I need your help, thank you so much 

Good Morning, I have been working on a task to gather the free disk space of servers we have Splunk Universal Forwarder on. I am down to getting data from all servers through the perfmon data. I have it for all servers but two. One of these is the Splunk deployment server (we're on Splunk Cloud). I have checked all the apps which might have inputs.conf with stanzas referring to "source="Perfmon:Free Disk Space" and I've looked in /etc/system/local on the Deployment Server. All the stanzas are at 0 and I've restarted Splunk after each change, I'm at a loss! Thank you in advance. Scott

I'm creating an alert that will search for two separate string values with the OR condition inside the search. Is there a way to setup the alert condition to fire for 'If the second event is not found within 5 minutes of the first event, fire the alert.'?  The events happen anytime within a 6 hour window, so having it search every 5 minutes for a count under 2 would fire alerts constantly.