Hi I am using something like this: index=_internal AND sourcetype=splunkd
AND TERM(New)
AND TERM(Old)
AND TERM(properties)
AND TERM(are)
| rex field=_raw "Old properties are: \{ip=(?<old_ip>[^\ ,]*)[\ ,]+dns=(?<old_dns>[^\ ,]*)[\ ,]+hostname=(?<old_hostname>[^\ ,]*)[\ ,]+deploymentClientName=(?<old_deploymentclientname>[^\ ,]*)[\ ,]+.*instanceId=(?<old_instanceid>[^\ ,]*)[\ ,]+instanceName=(?<old_instancename>[^\ ,\}]*)"
| rex field=_raw "New properties are: \{ip=(?<new_ip>[^\ ,]*)[\ ,]+dns=(?<new_dns>[^\ ,]*)[\ ,]+hostname=(?<new_hostname>[^\ ,]*)[\ ,]+deploymentClientName=(?<new_deploymentclientname>[^\ ,]*)[\ ,]+.*instanceId=(?<new_instanceid>[^\ ,]*)[\ ,]+instanceName=(?<new_instancename>[^\ ,\}]*)"
| stats latest(_time) AS ltm, count BY new_hostname, old_hostname, new_dns, old_dns, new_instancename, old_instancename, new_instanceid, old_instanceid, new_ip, old_ip
| convert timeformat="%y-%m-%d" ctime(ltm) AS LastDay
| fields - ltm
... View more