You're confusing rex and eval. See this rex line and the stats line, which is what you want | makeresults | eval sourcetype="test" | eval _raw="2020-12-17T01:21:44.690341+00:00 txn1.test-fdb-us-south-004 2020-12-17T01:21:44Z { \"Severity\": \"10\", \"Time\": \"1608168104.425364\", \"Type\": \"MachineMetrics\", \"ID\": \"0000000000000000\", \"Elapsed\": \"5.00001\", \"MbpsSent\": \"2.59981\", \"MbpsReceived\": \"2.3487\", \"OutSegs\": \"12262\", \"RetransSegs\": \"0\", \"CPUSeconds\": \"0.111557\", \"TotalMemory\": \"67510792192\", \"CommittedMemory\": \"4303114240\", \"AvailableMemory\": \"63207677952\", \"ZoneID\": \"txn1\", \"MachineID\": \"txn1\", \"Machine\": \"10.95.111.226:4503\", \"LogGroup\": \"default\", \"Roles\": \"RV\", \"TrackLatestType\": \"Original\" }" | rex "Severity[^\d]*(?<sev>\d+)" | stats count(eval(sev=40)) as ERROR count(eval(sev=20)) as WARN count(eval(sev=10)) as INFO by sourcetype ... View more

This looks like JSON. Use spath ... View more

2020-11-30T23:59:46.101621+00:00 fdb2.fdb-us-south-002 2020-11-30T23:59:45Z { "Severity": "10", "Time": "1606780785.516014", "Type": "SomewhatSlowRunLoopTop", "ID": "0000000000000000", "Elapsed": "0.0734675", "Machine": "10.185.175.43:4501", "LogGroup": "default" }   I want to how Can i extract "severity": "10" in the search from the logs ? ... View more

There's a reason why the Body field is so much bigger than the Subject field in postings and that's so we can put a lot more information into the body to help explain the problem we want to solve. Are you looking for "severity=40" or "I want to extract a string in the format "severity" = "40"" or other variant? Have you tried typing the string you want to find into the search bar? ... View more

like if I have raw data from where I want to pick severity level and create a dash board to see how many times its happening in the month and. details about it like ip address. of Harare etc... in sparkline format etc. ... View more

index=_internal component=LicenseUsage idx="Index Name" | timechart span=1d sum(b) as GB | eval GB=round(GB/1024/1024,2) ... View more

index=_internal sourcetype=splunkd component=LicenseUsage idx="Index Name" | timechart span=1d sum(b) as MB | eval MB=round(MB/1024/1024,2) ... View more

Hi @rajneeshdba trying to do this on Splunk search query may be bit looong route (unless you follow the most easiest route of @Richfez suggested). my first guess would be to query the internal logs with the indexer name and look for some fields which will have the indexers destination ip or source ip.  or some rest queries which will give us the indexers info..    Thanks to @Richfez for the wonderful idea! ... View more

@rajneeshdba , Yes, its searching for the events which do NOT have "/healthCheck" string . Reference : https://docs.splunk.com/Documentation/Splunk/7.2.4/Search/NOTexpressions#Searching_with_NOT ... View more

The # sign represents numeric fields which can be used in stats to calculate an aggregate value whereas the a symbol represents alphanumeric and cannot have its values calculated by a stats command Example: If you have a numeric field called duration , you can do this | stats avg(duration) If its alphanumeric, you will not get a value returned from stats ... View more