I am trying to join two searches together to table the combined results by host. First search below is showing number of events in the last hour by host, index, and sourcetype: | tstats count where index=* by host, index, sourcetype | addtotals | sort -Total | fields - Total | rename count as events_latest_hour Second search is showing the ingest per hour in GB by host.  (index=_internal host=splunk_shc source=*license_usage.log* type=Usage) | stats sum(b) as Usage by h | eval Usage=round(Usage/1024/1024/1024,2) | rename h as host, Usage as usage_lastest_hour | addtotals | sort -Total | fields - Total Can you please help with how i would join these two searches together to display the host, index, sourcetype, events_latest_hour,  usage_lastest_hour Basically i want to table the results of the first search and also include the results "usage_lastest_hour"from the second search into the table.    ... View more

I am trying to create a search that will generate a report showing host by event count in the last hour and also the average 7 day hourly event count per host. So far i have the below search that shows host by event count over the last hour - but i am struggling to get a column added showing the weekly hourly average?   | tstats count where index=* by host, index, sourcetype | addtotals | sort -Total | fields - Total | rename count as events_latest_hour   Any help on how i get a column added showing the 7 day hourly average for event count ? ... View more

I am trying to write a rex command that extracts the field "registrar" from the below four event examples. The below values in bold are what i am looking for to be the value for "registrar".  I am using the following regex to extract the field and values, but i seem to be capturing the \r\n after the bold values as well.  How can i modify my regex to capture just the company name in bold leading up to \r\n Registrar IANA Current regex being used:   Registrar:\s(?<registrar>.*?) Registrar IANA   Expiry Date: 2026-12-09T15:18:58Z\r\n Registrar: ABC Holdings, Inc.\r\n Registrar IANA ID: 972 Expiry Date: 2026-12-09T15:18:58Z\r\n Registrar: Gamer.com, LLC\r\n Registrar IANA ID: 837 Expiry Date: 2026-12-09T15:18:59Z\r\n Registrar: NoCo MFR Ltd.\r\n Registrar IANA ID: 756 Expiry Date: 2026-12-09T15:18:59Z\r\n Registrar: Onetrust Group, INC\r\n Registrar IANA ID: 478 ... View more

I am trying to write a regex to extract a field called "registrar" from some data like i have below. Can you please help how i could write this regex to be used in a rex command to extract the field? Below are three example events: Registry Date: 2025-10-08T15:18:58Z   Registrar: ABC Holdings, Inc.   Registrar ID: 291  Server Name: AD12 Registry Date: 2025-11-08T15:11:58Z   Registrar: OneTeam, Inc.   Registrar ID: 235  Server Name: AD17 Registry Date: 2025-12-08T15:10:58Z   Registrar: appit.com, LLC   Registrar ID: 257  Server Name: AD14   I need the regex to use to extract the field called "registrar"  which in the above example would have the following three value matches:   ABC Holdings, Inc.  OneTeam, Inc appit.com, LLC     ... View more

Looking to create an alert if a host on a lookup stops sending data to Splunk index=abc. I have created a lookup called hosts.csv with all the hosts expected to be logging for a data source. Now i need to create a search/alert that notifies me if a host on this lookup stops sending data to index=abc I was trying something like this  search below, but now having much luck: | tstats count where index=abc host NOT [| inputlookup hosts.csv] by host   The lookup called hosts.csv is formatted with the column name being host, for example like:   host hostname101 hostname102 hostname103 hostname104   ... View more