You can use a particular event code or event description in the search string; whenever a violation happens or a particular string matches in a log file, you will get an alert.
Example: if an account is locked out, we will get an alert immediately by creating the alert using the query below:
index=winsec (EventCodeDescription="A user account was locked out" OR EventCode=4740) | dedup user | stats count by user _time host
Example for a crontab schedule:
The cron parameters, * * * * *, correspond to minute hour day month day-of-week.
*/5 * * * * Every 5 minutes.
*/30 * * * * Every 30 minutes.
0 */12 * * * Every 12 hours, on the hour.
*/20 * * * 1-5 Every 20 minutes, Monday through Friday.
0 9 1-7 * 1 First Monday of each month, at 9am.
Let me know if this works out.
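The two halves of the answer above, the cron schedule and the lockout search, as one added Python example that is not part of the original post and not Splunk's own code. It evaluates a five-field cron expression against a timestamp to decide whether the alert's search should run, then applies the equivalent of `EventCode=4740 OR EventCodeDescription="A user account was locked out" | dedup user | stats count by user _time host` to a handful of constructed Windows Security events. The day-field behaviour is a stated assumption: the matcher requires both day-of-month and day-of-week to match by default, which is what makes `0 9 1-7 * 1` mean "first Monday"; classic Vixie cron ORs the two day fields when both are restricted, and the `and_day_fields=False` switch models that, so check which rule your scheduler actually applies before relying on that line.

```python
"""Added example: a stand-in for a scheduled Splunk alert.

1. cron_matches()/fires_at() decide whether a 5-field cron expression fires at a
   given minute (minute hour day-of-month month day-of-week; Sunday is 0 or 7).
2. find_lockouts() runs the lockout detection over constructed events, mirroring
   EventCode=4740 OR EventCodeDescription="A user account was locked out"
   | dedup user | stats count by user _time host
All event data is constructed for illustration; field names follow Splunk's
Windows Security extractions (EventCode, EventCodeDescription, user, host, _time).
"""
from collections import Counter
from datetime import datetime


def _field_matches(spec: str, value: int, lo: int, hi: int) -> bool:
    """Match one cron field: '*', 'a', 'a-b', '*/n', 'a-b/n', and comma lists."""
    for part in spec.split(","):
        rng, _, step_s = part.partition("/")
        step = int(step_s) if step_s else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            a, b = rng.split("-")
            start, end = int(a), int(b)
        else:
            start = int(rng)
            end = hi if step_s else start      # 'a/n' runs a..max in steps of n
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def cron_matches(expr: str, when: datetime, and_day_fields: bool = True) -> bool:
    """True if `when` is a firing minute for `expr`.

    and_day_fields=True (assumption used here): both day fields must match, so
    '0 9 1-7 * 1' is the first Monday of the month at 09:00.
    and_day_fields=False: Vixie-cron rule, either day field matches when both are
    restricted, so that expression also fires every Monday at 09:00.
    """
    minute, hour, dom, month, dow = expr.split()
    dow_val = (when.weekday() + 1) % 7          # Python Monday=0 -> cron Sunday=0
    ok_dom = _field_matches(dom, when.day, 1, 31)
    ok_dow = _field_matches(dow, dow_val, 0, 7) or (
        dow_val == 0 and _field_matches(dow, 7, 0, 7))  # Sunday may be written as 7
    if dom != "*" and dow != "*" and not and_day_fields:
        ok_day = ok_dom or ok_dow
    else:
        ok_day = ok_dom and ok_dow
    return (_field_matches(minute, when.minute, 0, 59)
            and _field_matches(hour, when.hour, 0, 23)
            and ok_day
            and _field_matches(month, when.month, 1, 12))


def fires_at(expr: str, iso_timestamp: str, and_day_fields: bool = True) -> bool:
    """Convenience wrapper taking an ISO timestamp such as '2024-01-01T09:15'."""
    return cron_matches(expr, datetime.fromisoformat(iso_timestamp), and_day_fields)


# Constructed sample events (not real log data). 2024-01-01 is a Monday.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01 09:01:00", "host": "DC01", "EventCode": "4740",
     "EventCodeDescription": "A user account was locked out", "user": "alice"},
    {"_time": "2024-01-01 09:01:30", "host": "DC01", "EventCode": "4624",
     "EventCodeDescription": "An account was successfully logged on", "user": "bob"},
    {"_time": "2024-01-01 09:02:00", "host": "DC02", "EventCode": "4740",
     "EventCodeDescription": "A user account was locked out", "user": "alice"},
    {"_time": "2024-01-01 09:03:00", "host": "DC01", "EventCode": "4740",
     "EventCodeDescription": "A user account was locked out", "user": "carol"},
]


def find_lockouts(events):
    """Equivalent of the posted search, minus the index= scoping.

    Splunk returns events newest first, so `dedup user` keeps each user's most
    recent lockout; because one row per user survives, the stats count is
    always 1. Drop the dedup if you want lockouts per user instead.
    """
    matched = [e for e in events
               if str(e.get("EventCode")) == "4740"
               or e.get("EventCodeDescription") == "A user account was locked out"]
    matched.sort(key=lambda e: e["_time"], reverse=True)     # newest first
    seen, deduped = set(), []
    for e in matched:
        if e["user"] not in seen:
            seen.add(e["user"])
            deduped.append(e)
    counts = Counter((e["user"], e["_time"], e["host"]) for e in deduped)
    return dict(sorted(counts.items()))


def run_alert(expr: str, iso_now: str, events=SAMPLE_EVENTS):
    """Scheduler loop body: search only when the cron schedule fires."""
    return find_lockouts(events) if fires_at(expr, iso_now) else {}


if __name__ == "__main__":
    for row, n in run_alert("*/5 * * * *", "2024-01-01T09:05").items():
        print(row, n)
```

The cron field order and the five schedules listed in the post are exercised directly: `*/5 * * * *` fires at 09:15 but not 09:16, `0 */12 * * *` fires at 12:00 but not 13:00, and `*/20 * * * 1-5` fires on Friday but not Saturday. The lockout rows that survive are alice's newest event on DC02 and carol's on DC01, each with a count of 1.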