Hi,
I have created a scripted input, deployed on several servers, which creates a lot of hashes from the /etc folder and its sub-folders: ~1300 files with fingerprints.
With rex I have extracted the fields:
_raw=272913026300e7ae9b5e2d51f138e674  /etc/filename
valid fields: hash=272913026300e7ae9b5e2d51f138e674 file=/etc/filename host=server1, server2, server3, serverX
_time=every 2 minutes
My search is scheduled every 3 minutes:
index="linux" sourcetype="config_hash" | rex field=_raw "(?<hash>.*)\s\s(?<file>.*)" | diff attribute=file position1=1 position2=2
But I get irrelevant results; the result's file hashes are the same.
Is it possible to display whether the hash of any of the /etc files has changed?
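One way to express the check the post is asking for, as an added example and not code from the post: the Python below replays constructed events (hypothetical hosts, paths and hashes, each raw line in the "<hash>  <path>" shape the post's rex expects), builds one snapshot per host and collection run, and compares each host's latest snapshot with the previous one, reporting changed, added and removed files. It assumes every run reports the complete file set for a host. The point it illustrates is that "changed" has to be evaluated per host and file across two runs; `diff position1=1 position2=2` only compares the first two events in the result set, which with ~1300 files per run are usually two different files from the same run, so their hashes are unrelated to each other.

```python
"""Added example: detect changed /etc file hashes between two collection runs.

Events are constructed inline and are hypothetical; they mimic what the
post's scripted input would emit, parsed into (time, host, file, hash).
"""
import re
from collections import defaultdict

# Mirrors the post's rex "(?<hash>.*)\s\s(?<file>.*)", tightened to a 32-hex
# md5-style hash and a non-blank path so garbage lines are rejected.
LINE_RE = re.compile(r"^(?P<hash>[0-9a-f]{32})\s\s(?P<file>\S+)$")

# Constructed sample events: (epoch seconds, host, raw line). Hypothetical data.
SAMPLE_EVENTS = [
    (1000, "server1", "272913026300e7ae9b5e2d51f138e674  /etc/filename"),
    (1000, "server1", "d41d8cd98f00b204e9800998ecf8427e  /etc/hosts"),
    (1000, "server2", "272913026300e7ae9b5e2d51f138e674  /etc/filename"),
    (1000, "server2", "d41d8cd98f00b204e9800998ecf8427e  /etc/hosts"),
    # second run on server1: /etc/hosts changed, /etc/new.conf appeared
    (1120, "server1", "272913026300e7ae9b5e2d51f138e674  /etc/filename"),
    (1120, "server1", "0cc175b9c0f1b6a831c399e269772661  /etc/hosts"),
    (1120, "server1", "5d41402abc4b2a76b9719d911017c592  /etc/new.conf"),
    # second run on server2: /etc/filename changed, /etc/hosts disappeared
    (1240, "server2", "92eb5ffee6ae2fec3ad71c777531578f  /etc/filename"),
    # a line the rex would not match; must be skipped, not treated as a run
    (1240, "server1", "garbage line that does not parse"),
]


def parse_event(raw):
    """Return (hash, file) for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    return m.group("hash"), m.group("file")


def build_snapshots(events):
    """Group events into {host: [(time, {file: hash}), ...]}, sorted by time.

    One snapshot per (host, run time); unparseable lines are ignored.
    """
    snaps = defaultdict(lambda: defaultdict(dict))
    for t, host, raw in events:
        parsed = parse_event(raw)
        if parsed is None:
            continue
        h, f = parsed
        snaps[host][t][f] = h
    return {host: sorted(by_time.items()) for host, by_time in snaps.items()}


def compare_snapshots(prev, cur):
    """Return (changed, added, removed) between two {file: hash} snapshots.

    changed maps file -> (old_hash, new_hash); added/removed map file -> hash.
    """
    changed = {f: (prev[f], cur[f]) for f in prev.keys() & cur.keys() if prev[f] != cur[f]}
    added = {f: cur[f] for f in cur.keys() - prev.keys()}
    removed = {f: prev[f] for f in prev.keys() - cur.keys()}
    return changed, added, removed


def detect_changes(events):
    """Compare each host's latest run with its previous one.

    Returns {host: (latest_time, changed, added, removed)}; hosts with fewer
    than two runs are omitted because there is nothing to compare against.
    """
    report = {}
    for host, snaps in build_snapshots(events).items():
        if len(snaps) < 2:
            continue
        (_, prev), (t, cur) = snaps[-2], snaps[-1]
        report[host] = (t,) + compare_snapshots(prev, cur)
    return report


if __name__ == "__main__":
    for host, (t, changed, added, removed) in sorted(detect_changes(SAMPLE_EVENTS).items()):
        for f, (old, new) in sorted(changed.items()):
            print(f"{t} {host} CHANGED {f} {old} -> {new}")
        for f, h in sorted(added.items()):
            print(f"{t} {host} ADDED   {f} {h}")
        for f, h in sorted(removed.items()):
            print(f"{t} {host} REMOVED {f} {h}")
```

The same comparison in SPL would group by host and file and look at the last two hash values per group (for example with `streamstats` or `stats` split by host and file) rather than by event position, so that a file is reported only when its own hash differs from its previous value on the same host. Tracking removed files needs the whole-run snapshot as above; a per-file comparison alone never sees a file that simply stops being reported.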