if you don't have ip filed in raw data and want use rex to take out IP address , plus want know how much data coming from that ip for a day. index=<YourIDXname>earliest=-1d@d sourcetype =<"if any"> |rex "^[^\t\n]*\t(?P<srcip>[^\t]+)" | eval size=len(_raw) | stats sum(size) as bytes by srcip | eval KB=round(bytes/1024,2) |lookup iptest.csv local=true ManagementIP as srcip OUTPUT SiteIdentifier HostName DeviceManufactorer DeviceType | search HostName=* | dedup srcip | table SiteIdentifier HostName DeviceManufactorer DeviceType srcip KB | rename srcip as "Matched IPAddress" |sort by SiteIdentifier DeviceManufactorer ... View more

i need to do same thing like DavidHourani asked and thank to  lguinn2   index=cg| rex "^\S+\s+(?<cgSYSlogIPAddress>\S+)" | stats count by cgSYSlogIPAddress | eval active_host="T" | append [ inputlookup cgIP | eval active_host="F" ] | dedup cgSYSlogIPAddress |where active_host="F" ... View more

This sounds more like another question than an answer. It also sounds like a question that was answered by the original question because of the links provided. Best practice is to follow the documentation for how to perform an upgrade. It will explain how to upgrade each component. I hope that helps. ... View more

good, if you find the solution, please mark your question as answered. you can up vote helpful comments if you wish ... View more

I had this problem n fix it . looks like you already doing it right but my mistake was type ..\ , should ...\ (3 dots) [monitor://C:\inetpub\logs\LogFiles...*.log] ... View more

what if there is more than one folder? (name will be shorter than all the others) ... View more