Looking for help with this rex command. I want to capture the continuous string after "invalid user" whether it has special characters or not. Here are some examples from my data set (abc is just an example, it could be any word or character)  invalid user abc invalid user abc@def invalid user $abc invalid user abc\def invalid user abc-def If I run the below, I am able to successfully extract the invaliduser if it is a word. But this does not work if there is a special character base search | rex "invalid user (?<invaliduser>\w+) " I have figured out how to extract if there is a leading special character (W+\w+) or a special character in the middle (w+\W+\w+) but those aren't exactly what I'm looking for. Is there a single rex command I can use to capture all possible results?  ... View more

Here is the sample data set: ENTITY_NAME REPLICATION_OF VALUE server1 BackupA 59 server2 BackupB 28 server3 backup_noenc_h1 54 server3 backup_utility_h1 96 server4 backup_noenc_h2 40 server4 backup_utility_h2 700   I want to be able to use the number display visualization to display entity_name, replication_of, and latest value for each record. I've tried these: | stats latest(VALUE) by REPLICATION_OF ENTITY_NAME | chart latest(VALUE) by REPLICATION_OF ENTITY_NAME | chart latest(VALUE) over REPLICATION_OF by ENTITY_NAME Ultimately I want something that looks like this, but not sure if you can display three data series in a number display. If this isn't possible, what would be the best way to visualize a data set like this?       ... View more

In this scenario, each HOST_NAME has many HOME_LOCATIONS. Each HOME_LOCATION has unique info - in this case, the RDBMS_VERSION and the DATABASE_RELEASE. I am trying to produce a simple statistics table that shows each unique HOME_LOCATION (and accompanying info) for each HOST_NAME.  -------------------- When I run the below (1st screen shot) the data is aligned as I'd expect it to | stats values(HOME_LOCATION) values(RDBMS_VERSION) by HOST_NAME When I run the below (2nd screen shot) and add the third values field in red, the data becomes misaligned for some rows | stats values(HOME_LOCATION) values(RDBMS_VERSION) values(DATABASE_RELEASE) by HOST_NAME What am I missing or doing incorrectly? ... View more

New to splunk and been struggling manipulating search results into a final result that I am looking for. In powershell where I'm familiar, I would just use a series of variables and return a final result set. I am trying to accomplish the below. (each target_name has multiple disk_group) 1) i need to find the latest Usable_Free_GB for each disk_group in each target_name and sum them 2) i need to find the latest Usable_Total_GB for each disk_group in each target_name and sum them I can get #1 and #2 in different searches, but am struggling to get them together to return a result set like this: Target_Name UsableSpaceFree TotalUsableSpace Target_Name1 123 456 Target_Name2 234 567   This is the closest I can get. But I need to only have 2 rows returned with all three fields populated    Once I can get the result set grouped by Target_Name, I then need to use eval to create a new field like the below using the values from #1 and #2   eval percent_free=round((UsableSpaceFree/TotalUsableSpace)*100,2)   Target_Name UsableSpaceFree TotalUsableSpace percent_free Target_Name1 123 456 ? Target_Name2 234 567 ?   ... View more