Hello team,   I am trying to ignore the value "Total" if its concurrent Os_type matches "Linux"   Below is what I tried. |search DataType=Executive_Summary | search OS_Type=Linux AND OS_SubType!=Total | chart values(Servers_Skipped_Patching) as Skipped values(Servers_Failed_Patching) as Failed values(Servers_Successfully_Patching) as Successful by "OS_Type" "OS_SubType"   However, as I am also getting the value OS_SubType=Total from OS_Type=Windows.   Please let me know how I may ignore the "Total" only from Linux and not from any other OS_Type. ... View more

Hello all, blacklist   blackout_end               blackout_start 1              1616756907                  1616756427 1              1616756907                  1616756427   I am trying to add the value for blacklist, where if the _time > blackout_start AND < blackout_end then blacklist=1 else 0.   Please help in getting the right answer.   Thanks. ... View more

Hello all,   I am working on getting specific entries deleted once the search runs and holds true. Below is the detailed outline of what I am trying to achieve.   The recovery_flag in the kv store that contains the data of source is set to 1 and 0 based on the requirement. However, I am trying to delete the entries with recovery_flag = 0 on the next run of the  search, this way the unwanted entries are removed. Can you guide me through this.   Thank you. ... View more

Hello all,   I am facing an issue in appending an query. Here my objective is to update the kv store with the list of servers, alert_flag(if the alert has been raised) and count(number of times the server has created an event). Below is the query that I have used.   index= index | lookup source_host_kvstore_001 source_host OUTPUT source_host as temp_source_host count alert_flag| dedup source_host | eval count=if(isnull(count),0,count)| eval count = count+1 | eval alert_flag = if(isnull(alert_flag),0,if((alert_flag=1),1,0)) | eval _time=now() | table _time source_host alert_flag count | sort -_time | outputlookup source_host_kvstore_001 append=true When the above is ran everytime the same host is updated and also added in the new row, however, I need a single update of the count and alert_flag for a host. The data is pushed to the kv store as below by a new increase in the count.   _time             alert_flag            count           source_host 2021-03-05 13:01:50      0         1          Server 1 2021-03-05 13:01:50      0         1          Server 2 2021-03-05 13:01:50      0         1          Server 3 2021-03-05 13:01:53      0         2          Server 1 2021-03-05 13:01:53      0         2          Server 2 2021-03-05 13:01:53      0         2          Server 3   However, I am looking for the data to be updated in the KV store like below. _time             alert_flag            count           source_host 2021-03-05 13:01:53      0         2          Server 1 2021-03-05 13:01:53      0         2          Server 2 2021-03-05 13:01:53      0         2          Server 3   Please guide me through this.   Regards ... View more

Hello all, I am trying to extract the data from the field evtComponent from the below event, and this has a multiple types of data that is coming in as below. 1) ZENOSS-MIB::evtComponent = STRING: "HostSystem_host-1240" ZENOSS-MIB::evtClass = STRING: "/Status/Ping" 2) ZENOSS-MIB::evtComponent = STRING: "\"London\"" ZENOSS-MIB::evtClass = STRING:   The highlighted fields needs to be extracted, however when I use the below extraction this only satisfies the correct extraction on example 1 but fails to just extract the field from example 2. Can you please suggest. Below is the extraction that I am using. ZENOSS-MIB::evtComponent = STRING: \"(?<component>.*)\"\s+ZENOSS-MIB::evtClass\s   Thank you. ... View more

While trying to get the data from UF to indexer, the header is getting indexed as well. Attached the log file and the input.conf and props.conf configured currently   props.conf: [linux_secure] HEADER_FIELD_LINE_NUMBER = 1 FIELD_DELIMITER = ~^~ EVENT_BREAKER = "([\r\n]+)"   inputs.conf [monitor:///tmp/Patch/*.log] disabled = 0 index = main sourcetype = linux_secure crcSalt = <SOURCE>   log below: Application~^~Server~^~Pre_Patching_Status~^~Patching_Status~^~Post_Patching_Status~^~Overall_Status SAP GTS~^~sppgtslapew01~^~Success~^~Success~^~Success~^~Success SAP GTS~^~sppgtslapew02~^~Success~^~Success~^~Success~^~Success SAP GTS~^~sppgtsldbew01~^~Success~^~Failed~^~Skipped~^~Failed     Thank you. ... View more