Try   | stats values(dest_mac) as MacAddresses by dest_ip   ... View more

Your values(Data) fields shows that the text 'AreaOIC' is either part of a longer string or one of multiple values of that field. If it is a part of a longer string, then wrap it with wildcard characters. If it one of multiple values, then use the syntax | where !isnull(mvfind(Data, "AreaOIC")) after your final search command. TIP: When doing stats values(Data), use a field renaming command also, so you end up with a useful field name after the stats, i.e. | stats values(Data) as Data as is done in your main search body. ... View more

This example search shows you how to use rex to get the values from your data. | makeresults | eval events="!Event 1: <BankID>Bank A</BankID> <value>5</value> <status>pending</status> <BankID>Bank B</BankID> <value>7</value> <status>Success</status> !Event 2: <BankID>Bank A</BankID> <value>5</value> <status>pending</status> <BankID>Bank B</BankID> <value>7</value> <status>Success</status> <BankID>Bank B</BankID> <value>9</value> <status>Success</status>" | makemv delim="!" events | mvexpand events | rex field=events max_match=0 "<BankID>(?<BankID>[^<]*)</BankID> <value>(?<value>[^<]*)</value> <status>(?<status>[^<]*)</status>" | rex field=events "(?<Event>Event \d+)" | rex field=events max_match=0 "<BankID>(?<BankID>[^<]*)</BankID> <value>(?<value>[^<]*)</value> <status>(?<status>[^<]*)</status>" | eval Batch=mvcount(value) | table Event Batch Replace the final line with | table _time Event value status which will then give you the detail. However, you've not indicated _time as part of your data, so this may not be correct for you. If there is a separate time for each of the detail lines, then this will need to be changed, depending on your data.   ... View more

Yes, just use filename in the lookup command. Note that you will not be able to use any of the features provided by the lookup definition abstraction, such as case insensitivity, wildcarding and so on.   ... View more

You could try this | rex field=log "\\\\(?<user>\w+)-(?<issue>.*)\.log$" where your 'issue' field extraction takes _any_ character up to the .log after the user rather than \w. Shown in this example | makeresults | eval log=split("\\\\path\\\\to\\\\my\\\\app\\\\folder\\userx-test-cpuissue.log,\\\\path\\\\to\\\\my\\\\app\\\\folder\\usery-cpuissue.log",",") | mvexpand log | rex field=log "\\\\(?<user>\w+)-(?<issue>.*)\.log$" Hope this helps   ... View more

Been looking at my config with a qualified Splunk architect - there appears to be no problem with my config, so it looks like in my case, there's some underlying permission problem, either at the OS level (Mac) or from some broken Splunk environment. I've duplicated the config on another Splunk instance and it works - not sure if this helps you in any way... ... View more