Just in case anyone out there is in my predicament, this is what I have done that seems to make it work. I am not sure if I am correct, though; please note I am very new to Splunk and Splunk for Nagios and have limited knowledge of regex, so please do not slam me.
I have got this expression, which I have just tested against my data and which works, but I do not want it to be limited. Any input will be highly appreciated.
index=nagios sourcetype="nagiosevent" | head 10000 | rex ".+HOST NOTIFICATION:[^;]+;[^;]+;(?P<hostnotificationstatus>[^;]*)(?=;)" | rex ".+\w NOTIFICATION:[^;]+;(?P<hostnotification>[^;]*)(?=;)" | top 1000 hostnotification hostnotificationstatus
So I went to modify the saved search by going to Manager / Searches & reports, and copied and pasted my generated regex pattern.
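An added example, not part of the original post: the two `rex` patterns applied in Python (which accepts the same `(?P<name>...)` syntax) to constructed log lines, to check what each one captures. Assumptions: the group names are taken from the fields in the post's `top` command, the capture is written as `[^;]*`, and the sample lines follow the usual Nagios `contact;host;state;...` notification layout.

```python
import re
from collections import Counter

# Field names come from the post's `top` command; the `*` quantifier is assumed.
STATUS_RE = re.compile(
    r".+HOST NOTIFICATION:[^;]+;[^;]+;(?P<hostnotificationstatus>[^;]*)(?=;)")
HOST_RE = re.compile(
    r".+\w NOTIFICATION:[^;]+;(?P<hostnotification>[^;]*)(?=;)")

# Constructed sample lines (not data from the post).
SAMPLE = [
    "[1357000000] HOST NOTIFICATION: admin;web01;DOWN;notify-host-by-email;CRITICAL - Host Unreachable",
    "[1357000060] HOST NOTIFICATION: oncall;web01;DOWN;notify-host-by-email;CRITICAL - Host Unreachable",
    "[1357000120] HOST NOTIFICATION: admin;web01;UP;notify-host-by-email;PING OK",
    "[1357000180] HOST NOTIFICATION: admin;db01;DOWN;notify-host-by-email;CRITICAL - Host Unreachable",
    "[1357000240] SERVICE NOTIFICATION: admin;web01;HTTP;CRITICAL;notify-service-by-email;Connection refused",
    "[1357000300] HOST ALERT: db01;DOWN;HARD;1;CRITICAL - Host Unreachable",
]


def extract(line):
    """Apply both patterns, like two chained rex commands; return the fields found."""
    fields = {}
    for pattern in (STATUS_RE, HOST_RE):
        match = pattern.search(line)  # unanchored search
        if match:
            fields.update(match.groupdict())
    return fields


def top_pairs(lines):
    """Count (host, status) pairs for lines where both fields were extracted."""
    counts = Counter()
    for line in lines:
        f = extract(line)
        if "hostnotification" in f and "hostnotificationstatus" in f:
            counts[(f["hostnotification"], f["hostnotificationstatus"])] += 1
    return counts


def host_only(lines):
    """Lines where the host was captured but no status was."""
    return [ln for ln in lines if set(extract(ln)) == {"hostnotification"}]


if __name__ == "__main__":
    for pair, n in top_pairs(SAMPLE).most_common():
        print(pair, n)
    print(len(host_only(SAMPLE)), "line(s) with a host but no status")
```

Because the second pattern matches any `... NOTIFICATION:` line, the constructed `SERVICE NOTIFICATION` line yields a host but no status, which is worth keeping in mind when reading the combined counts.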