Need help cleaning up my rex command line with data delineated by (,) then extracting the value after the (=) character from fields: Location=, Computer=, User=, Date= Sample index data:         Index = computerlogs         Field name: CompLog Field values:          Loc=Warehouse, Comp=WH-SOC01, User= username1, Date=2025-03-18         Loc=Warehouse, Comp=WH-SOC02, User= username2, Date=2025-03-20         Loc=Warehouse, Comp=WH-SOC03, User= username1, Date=2025-03-24 Created a dashboard showing all logins with only computer name, user and date as below Working query         index= computerlogs        | rex field=CompLog"([^,]+,){1}(?<LogComp>[^,]+)"        | rex field=LogComp "\=(?<Computer>[^,]+)"        | rex field=CompLog"([^,]+,){2}(?<LogUser>[^,]+)"        | rex field=LogUser"\=(?<User>[^,]+)"        | rex field=CompLog"([^,]+,){3}(?<LogDate>[^,]+)"        | rex field=LogDate "\=(?<Date>[^,]+)"        | table Computer User Date        Computer          User                  Date        WH-SOC01       username1    2025-03-18        WH-SOC02       username2    2025-03-20        WH-SOC03       username1    2025-03-24 My ask is to clean up the above rex commands, so I only have one rex command line for each data field I am trying to capture if it is possible.  I tried to combine the two rex command lines into one.  I know I need to add the "\=" argument to get everything after the "=" character but get an error with my below try's.       | rex field=CompLog"([^,]+,){1}\=(?<Computer>[^,]+)"       | rex field=CompLog"([^,]+,){1}"\=(?<Computer>"[^,]+)"       | rex field=CompLog"([^,]+,){1}"\=(?<Computer>[^",]+)" Any help would be greatly appreciated.  Thanks. ... View more

Hello, I am trying to join two indexes to display data from our local printers.  I have an index getting data from our printer server that contains the following data:    index=prntserver _time,                                   prnt_name     username   location 2024-11-04 11:05:32    Printer1           jon.doe         Office 2024-11-04 12:20:56    Printer2           tim.allen       FrontDesk   I have an index getting data from our DLP software that contains the following data:    index=printlogs _time                                    usersname     directory                          file 2024-11-04 11:05:33    jon.doe             c:/desktop/prints/     document1.doc 2024-11-04 12:20:58    tim.allen  c:/documents/files/   document2.xlsx   I am trying to join the two indexes to give me time, printer name, user name and location from the Print Server Index and then give me directory and file name that was recorded from my Print Log Index.  I am wanting to use time to join the two indexes but my issues is that the timestamp is off by 1 if not 2 seconds between the two index records.  I was trying to use the transaction command with a maxspan=3s to be safe but cannot get it to work.  Here is what I have been trying to work with   index=printserver | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS servtime    | join type=inner _time       [ search index=printlogs         | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS logtime       ] | transaction startswith=eval(src="<servtime>") endswith=eval(src="<logtime>") maxspan=3s | table servtime prnt_name username location directory file   Thanks for any assistance given on this one.  ... View more

Need help passing a token value from a Single Value Panel using the ( | stats count) in conjuction to the ( | rex field= _raw) command to a Stats Table panel.  I created a dashboard showing various "winevent" logs for user accounts (created, enabled, disabled, deleted, etc...)  Current search I have for my various Single Value panel using the stats command in my search is seen below. (for this example, I used the win event code 4720 to count of "User Account Created" on the network) and extracted the EventCode. Acct Enable: index="wineventlog " EventCode=4720 | dedup user | _rex=field _raw "(?m)EventCode=(?<eventcode>[\S]*)" | stats count Output gives me a Single Value Count for window event codes that = 4720 ignoring duplicate user records.    I am now trying to capture the extracted "eventcode" using a drilldown in a token for each respective count panel.  I have setup the token as: (Set $token_eventcode$ = $click.value$) in my drill down editor in my second query table.  Using that token, I want to display the respective records in a second query panel to display the record(s) info in a table as seen below:    Acct Enable: index="wineventlog " EventCode=$token_eventcode$ | table _time, user, src_user, EventCodeDescription As I am still learning how to use the rex command, having problems in this instance in capturing the EventCode from the _raw logs, setting it to the ($token_eventcode$) token in the Single Value County query and passing that value down through a token to the table while maintaining the stats count value.  Any assistance with be greatly appreciated. ... View more

Looking to see if Splunk has the ability to highlight a row in an output table based on a value in that row in a dashboard using dashboard studio.    Created a dashboard to show printers using a lookup and number of print logs associated to a printer that is pulled from indexed print logs. I know how to highly a single row value based on a condition but wanted to know if the whole row can be highlighted using the output in the row: I used the color and style option to set conditions of the jobs field to highlight if print count = 0 Printer Jobs Prints Pntr_01 149 285 Pntr_02 25 78 Pntr_03 0   Pntr_04 75 528 Pntr_05 85 149 Pntr_06 0     Would like to highlight the printer name in red as well if the value = 0 Printer Jobs Prints Pntr_01 149 285 Pntr_02 25 78 Pntr_03 0   Pntr_04 75 528 Pntr_05 85 149 Pntr_06 0     I searched Splunk community as well as other areas of the Splunk matrix with no luck.   If someone has some insight or reference if this can be done, it would be greatly appreciated.  Thanks   ... View more

Looking for help running a stats count and stats count sum referencing a lookup using print logs.  Looking to output all printers from a lookup to give "total job" count counting each record in the query for a single printer and giving a "total page" count for all pages that was printed for each printer listed in lookup.    Logs from my index  date                      printer_name           user            pages_printed 2024_10_09    prnt_01                        user1            10 2024_10_09    prnt_02                        user4            15 2024_10_09    prnt_01                        user6            50 2024_10_09    prnt_04                        user9            25 2024_10_09    prnt_01                        user2            20 Data from my lookup file name: printers.cvs printer_name        printer_location prnt_01                      main office prnt_02                      front desk prnt_03                      breakroom prnt_04                      hallway Looking for an output to give me results similar to what I provided below Printer Name      Location            Print Jobs                Pages Printed prnt_01                  main office       3                                   80 prnt_02                  front desk         1                                   15 prnt_03                  breakroom       0                                   25 prnt_04                  hallway              1                                   25 I have two separate queries for both respectively and having issues merging them together.  My individual queries are: Working query that gives me job count with sum of total jobs and total pages   index=printer sourcetype=printer:logs | stats count sum(pages_printed) AS pages_printed by printer_name, | lookup printers.csv printer_name AS printer_name OUTPUT printer_location | table printer_name, printer_location, count, pages_printed | rename printer_name AS "Printer Name", printer_location AS "Location", count AS "Print Job", pages_printed AS "Pages Printed", Results Printer Name      Location            Print Jobs                Pages Printed prnt_01                  main office       3                                   80 prnt_02                  front desk         1                                   15 prnt_04                  hallway              1                                    25 Working query that gives me list of all printers and job count index=printer sourcetype=printer:logs | eval printer_name=lower(printer_name) | stats count BY printer_name | append [| inputlookup printers.csv | eval printer_name=lower(printer_name), count=0 | fields printer_name count] | stats sum(count) AS print_jobs by printer_name | table printer_name, total | rename printer_name AS "Printer Name", print_jobs AS "Print Job" Results Printer Name      Print Jobs                 prnt_01                 3                                   prnt_02                 1                                    prnt_04                 1                                Again, trying to merge the two to give me Printer Name, Location, # of print jobs and total pages printed.  Any assistance will be greatly appreciated. ... View more

Trying to monitor a separate print server folder outside where Splunk is hosted with print logs that has a UNC path.  Folder only has .log files in it.  I have the following index created: index = printlogs When I try to add the folder path in Splunk through the add data feature: "add data" - "Monitor" -"Files & Directories" I get to submit and then get an error: "Parameter name:  Path must be absolute". So I added the following stanza to my inputs.conf file in the systems/local/folder: [monitor://\\cpn-prt01\c$\Program Files\Printer\server\logs\print-logs\*.log] index = printlogs host = cpn-prt01 disabled = 0 renderXml = 1 I created a second stanza with a index = printlogs2 with respective index to monitor the following path to see if I can pull straight from the path and ignore the file type inside. [monitor://\\cpn-prt01\c$\Program Files\Printer\server\logs\print-logs\] I do see the full path to both in the "Files & Director" list under the Data Inputs.  However, I am not getting any event counts when I look at the respective indexes seen in the Splunk Indexes page.   I did a Splunk refresh and even restarted the Splunk server with now luck.   Thought maybe someone has run into similar issue or has a possible solution.   Thanks in advance. ... View more