Thanks for your help. infact there was multiple challenges was there which was like after extracting field some more data was need to be extracted in multiple line.I managed to get it solved by using "rex " and "(?m)" search command. ... View more

Thanks for your efforts and information,for sure i can verify your suggestion. By the way, i am finding some errors printed n splunkd.log in the splunk indexer instance which mentions about the time parsing. After installing splunk app for unix should there be any time parsing configuration need to be done for the inputs received? The errors are printed as follows: 04-26-2017 00:36:01.682 +0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Aug 8 00:13:09 2016). Context: source::ps|host::XXXXXX|ps|24272 04-26-2017 00:37:01.523 +0400 WARN DateParserVerbose - Accepted time (Thu Oct 27 17:33:59 2016) is suspiciously far away from the previous event's time (Tue Apr 25 16:16:42 2017), but still accepted because it was extracted by the same pattern. Context: source::lastlog|host::XXXXXX|lastlog|24275\n 315 similar messages suppressed. First occurred at: Wed Apr 26 00:31:31 2017 04-26-2017 00:37:01.523 +0400 WARN DateParserVerbose - Accepted time (Sun Feb 26 18:20:27 2017) is suspiciously far away from the previous event's time (Mon Sep 28 12:43:48 2015), but still accepted because it was extracted by the same pattern. Context: source::lastlog|host::XXXXXX1|lastlog|24275 can there be any case that the data cannot be pulled and displayed in app dashboard if time parsing is failing? ... View more

inputs.conf part represent as follow Shows stats per CPU (useful for SMP machines) [script://./bin/cpu.sh] sourcetype = cpu source = cpu interval = 30 index = os disabled = 0 Also i found that the cpu.sh is enabled on the forwarder *** Splunk> nix command-line setup > SHOW INPUT STATUS ** Scripted Inputs: 0) /$SPLUNK_HOME/splunkforwarder/etc/apps/Splunk_TA_nix/bin/bandwidth.sh enabled: *** disabled: interval: 60 1) /$SPLUNK_HOME/splunkforwarder/etc/apps/Splunk_TA_nix/bin/cpu.sh enabled: *** disabled: interval: 30 Under the host tab the data is not only showing for cpu.sh but also for other informations like df,vmstat etc....but to my wonder if i query directly ex: index=os and sourcetypr=df or vmstat, under the search tab all data is available to the latest from all of the hosts. Hence i believe the data is received at the indexer but not processed by the app. Can it be the case? ... View more