Ok, So i would "think" that the intent of the regex is to look at the source of the data, and extract from that either a policy or email value (possibly both) however, the syntax for an inline rex expression is wrong! I am assuming that the source of these logs is something like: e:\logs\policy\MyPolicy\somelog.log or e:\logs\Email\your.name@email\somelog.log (but that is quite a wild shot in the dark) If I am correct (or close) you should update the query to: | rex field=source "Policy\\+(?<policy>.*)\\" | rex field=source "Email\\+(?<email>.*)\\" Which basically says "look for a string beginning with the word "Policy" followed by a single "\" then extract all the characters before the trailing "\", and write them to a field called "policy" If you share you source name, I can validate (or correct) my guess. ... View more

Is it possible now to set multiple crons on a single saved search? ... View more

I believe this is not quite correct, as it will run on days 25-31 AND on Thursdays. There is no way to do that easily that I know of. ... View more

Is this what you are looking for? your base search | xyseries BackupDate Servers Backup_Status Output: ... View more

still the same output Backup_Status BDate TDBs DBBackedup DBexcluded DB_NotBackedup 1 BackupFailed - RunEffBackup 07/30/2016 1581 1566 3 15 2 BackupFailed - RunEffBackup 07/24/2016 1278 1275 3 3 3 BackupFailed - RunEffBackup 07/31/2016 2165 2162 3 3 4 BackupFailed - RunEffBackup 07/23/2016 678 677 1 1 5 BackupFailed - RunEffBackup 07/30/2016 1918 1915 2 3 6 BackupFailed - RunEffBackup 07/23/2016 1272 1268 3 4 7 BackupFailed - RunEffBackup 07/23/2016 11009 11009 0 0 8 BackupFailed - RunEffBackup 07/31/2016 10020 10019 1 1 9 BackupMissed - RunFullBackup NoData NoData NoData NoData NoData as per condition, no1 and no 6 should be success but it is not.. !! ... View more

In the Dashboard screen select Edit -> Edit Panels in the dropdown item select Edit Input and edit the token field in your search, replace the value you want for $ token $. Dropdown Title </ label> Default Item </ default> Item 1 </ choice> Item 2 </ choice> </ Input> </ Label> ... View more

Replace your 2nd last line with this | eval Backup_Status=case(isnull(DB_NotBackedup)l, missed, DB_NotBackedup>3, "Failed", 1=1, "Success") ... View more

If you have control over the process thats writing the logs I would recommend that you have the most recent file be called console.log, and call the rolled files console.log.1 etc. Have a look at the logrotate command. Otherwise, set up your inputs.conf stanza like so: [monitor:///path/to/console.*log] This will ensure that all the console.logs are monitored. Note that if you have a header in the log file you may run into problems with the crc checking - ie Splunk won't know that the files are different. If that happens, and you will never reuse the filenames you could set crcSalt=<SOURCE> Have a look at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf ... View more

HI chandra61446, Depending on the DB technology involved, you might be able to use the Database Connect app for Splunk : https://splunkbase.splunk.com/app/2686/#/overview Otherwise, you'd need some other way (probably a scripted input) to pull data out of the database and index it in Splunk. More info here : http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptedInputsIntro Please let me know if this helps! ... View more

This one worked | eval epochtime=strptime(Dtime, "%H:%M:%S")| eval DSyncTime=strftime(epochtime, "%I:%M:%S") ... View more

You could use the Timewrap command: https://splunkbase.splunk.com/app/1645/ | timechart count span=1h | timewrap d | It allows you to compare days to days or weeks to weeks very easily ... View more