I know this is going back a few years.... But did you ever find a solution to this?  Having the same problem ... View more

Hi @stcrispan , Did you have a chance to check out @HiroshiSatoh answer? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you. Thanks for posting! ... View more

Thank you! ... View more

Nobody wants to take a crack at this? ... View more

strange, its not showing as answered...but thats fine lol, we don't need 2 answers! 😛 ... View more

Paydirt! I modified your search, thus: index=uws_esm "1719" AND "0572" | rex "(?<job_start>[^|]+)\s\(1719" | rex "(?<job_end>\d\d\d\d\s\d\d\d\d\d\d\s\(0572\)\s\d\s)" | eval job_start_epoch = strptime(job_start, "%m%d %H%M%S") | eval job_end_epoch = strptime(job_end, "%m%d %H%M%S") | eval job_dur_in_sec = job_end_epoch - job_start_epoch | timechart count by job_dur_in_sec So now the inevitable questions: what was the purpose of field=data , and max_match=0 ? Also, you may notice that I replace my original rex for 0572 with a convoluted string...the consarned thing simply would NOT pull data as the original rex, not until I put that whole nonsense in there...it only pulled like four or five, and and the rest were "null". Weird, huh? ... View more

According to deploymentclient.conf The syntax is - [deployment-client] clientName = deploymentClient * Defaults to deploymentClient. * A name that the deployment server can filter on. * Takes precedence over DNS names. So, shouldn't it read? - [deployment-client] clientName = SLATE-$HOSTNAME Interestingly, splunk cmd btool check didn't complain about just SLATE-$HOSTNAME ... ... View more

Fantastic. Thank you! ... View more

So it turn out that NO, you cannot use Regex in the serverclass.conf file, and in fact, you can't use the DOS wildcard expressions either. So if you have LAPTOP100-BR549.jr.samples.autosales.com LAPTOP101A.jr.samples.autosales.com LAPTOPL42D.Jr.samples.autosales.com LAPTOP8701-BR5.jr.samples.autosales.com LAPTOP549-JSAS.jr.samples.autosales.com You can't use [serverClass:JUNIORS_LAPTOPS] whitelist.0 = ^LAPTOP(\d+\S+\S)-(\S\S\S)$ blacklist.0 = ^LAPTOP(\d+\S)$ You can't even use a LAPTOP???-???49.jr.samples.autosales.com To sort out specific, I had to use LAPTOP*-*.jr.samples.autosales.com just to get the ones which had a dash in them. ... View more

Interesting...I only recently added a time picker to the dashboard, will removing the _time still allow the search to use the time specified by the time picker? ... View more

Update: Fixing the Java environment variable didn't break anything else. Eventually, what did break it were the developers changing the password on the instance. So now I'm back in the same boat. sigh ... View more

I had to ask. You are even more of a hero in my book, in that you bothered to post the full story for others even though it ended up not being of any benefit to yourself. BRAVO! ... View more