Hi. i have a search a show a graphchart for 14 months. If i change the timepicker it still shows 14 months for some reason. As you can see  in the picture, the time picker says 30 days, but the graph still shows 14 months. What gives? Also, is there a way to display a trendline on the graph? If i use the | trendline sma10(Cores) or the like, it changes the graph instead of just showing a linear line ... View more

My regex from the message field looks like this.   | rex field=Message "\W(?<Hostname>\S+)\s\w+\W(?<Build>\S+)\s\w+\W(?<CpuCount>\S+)\s\w+\W(?<CpuTotalMhz>\S+)\s\w+\W(?<CpuUsageMhz>\S+)\s\w+\W(?<MemoryTotalMB>\S+)\s\w+\W(?<MemoryUsageMB>\S+)\s\w+\W(?<Version>\S+)" |   For some reason it matches and pulls out all the fields from this entry:   Message=Hostname=esx-pod1-nprd-112.mad.local Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=142 MemoryTotalMB=1048094.5625 MemoryUsageMB=9086 Version=7.0.3   But not from any other entries which could looks like this:   Message=Hostname=10.241.192.46 Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=8186 MemoryTotalMB=1048094.55859375 MemoryUsageMB=198624 Version=   or    Message=Hostname=esx-cl6-184.mad.local Build=19195723 CPUCount=20 CpuTotalMhz=49880 CpuUsageMhz=672 MemoryTotalMB=294587.2578125 MemoryUsageMB=52530 Version=   ... View more

Hi all. I have a search that searches a large amount of events. Its run on fast mode, on the statistics page. When i start the search it slow starts populating the fields, but then at one point it just empties all the results and says "No results found", even thought they were there at the beginning of the search running... Any ideas what could be the issue here? Never had anything like this before on other large searches though Some setting in limits.conf or something? All i get is this, which makes no sense since data is there at the start of the search In the beginning it shows data:   ... View more

Hi Guys. I have a distributed setup consisting of 1 search head, 1 deployment/license server, 1 indexer. And a whole bunch of universal forwarders. I am trying to filter out some of the data coming in with transforms.conf:   [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = "name":"System availability" DEST_KEY = queue FORMAT = indexQueue     and a props.conf   [Zabbix-history] SHOULD_LINEMERGE = falde MAX_TIMESTAMP_LOOKAHEAD = 300 detect_trailing_nulls = auto TIME_PREFIX = \"clock\": KV_MODE = json AUTO_KV_JSON = true TRANSFORMS-set = setnull,setparsing     A log example that i would like to index, matching the regex in transforms.conf   {"host":{"host":"xxxxx","name":"xxxx"},"groups":["xxxx Prod","xxxx","Windows servers"],"item_tags":[{"tag":"SAP Basis","value":""},{"tag":"System availability","value":""},{"tag":"SID1","value":""},{"tag":"Product","value":"Web Server"},{"tag":"SID","value":"WSP"}],"itemid":900162,"name":"System availability","clock":1670486400,"count":13,"min":1,"avg":1,"max":1,"type":3}       Currently the props.conf and transforms.conf are on the indexer in the designated app. Its currently filtering out all the logs with the sourcetype Zabbix-history, and not indexing the "name":"System Availability" Does the props/transforms also need to be on the searchhead, or pushed to the universalforwarder with the deployment server? ... View more