@dv2323 Replace [A-Z_]+ with ".+" or ".*". You can also add an anchor "$" for end of line after the cap group if desired. (?<dap_record>.+)$
@AndySplunks The following search will show you the lookup files within Splunk and the last updated date:
| rest splunk_server=local /servicesNS/-/-/data/lookup-table-files | table title updated
This search is for when they are actually edited:
index=_internal "Lookup edited successfully" | table _time namespace lookup_file user
Maybe I'm missing your question's point, but you could mvzip the system to the count. Or just create a mv of the system if it's more than two fields of information and sort by a certain field in the mv. Streamstats or even just a clever use of top.
Try using |addtotals if you want a horizontal addition; this would be for vertical:
| addtotals row=f col=t labelfield=
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Addtotals#Syntax