Since host is a metadata index-time extracted field for any sourcetype, you will need to provide a separate field extraction name. Since Splunk is case sensitive for Field names, I am using Host as the extracted field name in following options: Option 1) Use Extract New Fields option from your Search results. Interactive Field Extractor will give you options to use Splunks regular expression or define your own. You can define your own extraction as host\=\"(?P<Host>[^,]+)\"\, Option 2) Use inline rex command to extract host. (PS: rex command should only be used for initial testing, ideally you should use Option 1 or 3 to create a Field Extraction Knowledge Object. rex field=_raw "host\=\"(?P<Host>[^,]+)\"\," Option 3) Modify props.conf to create your own extraction for sourcetype alerts EXTRACT-Host = host\=\"(?P<Host>[^,]+)\"\, PS: Other fields should be automatically extracted by Splunk. If not you can apply above options with respective regular expressions. In order to test your regular expressions you can try regex101 website. ... View more

I have admin password with me but due to bouncer application as soon as i open the web interface it is logging in with my id. I tried sign out and still interface is not giving me to enter the username as admin. Is there anything i can set these permissions from command line. -Ram ... View more

Hurray i got it, thank you very much for your guidance finally i got the output what i am looking for. non-local Volume host="netapp-master9.bkp.bf1.yahoo.com" | rex "Client:\s'(?[^']+).*Volume\s+'(?[^']+)" | dedup volume | table client volume ... View more

Thanks it worked ... View more