Update savedsearches.conf

gjanders · Aug 25, 2024 · cd93daf · cd93daf
1 parent 6869f87
commit cd93daf
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/default/savedsearches.conf b/default/savedsearches.conf
@@ -49,10 +49,12 @@ index=_internal `splunkenterprisehosts` "stderr from " python* sendemail.py sour
 | dedup message \
 | rex "ssname=(?P<savedsearch>[^\"]+)"\
 | rex "stderr from '[^']+':\s+(?P<error>.*)"\
+| rex field=results_link "/app/(?P<app>[^/]+)" \
 | rex field=results_file ".*/dispatch/[^_]+__(?P<user>[^_]+)"\
+| fillnull value="N/A" app \
 | eval time=strftime(_time, "%+")\
-| stats count, values(time) AS time by error, savedsearch, user\
-| table time, count, error, savedsearch, user
+| stats count, values(time) AS time by error, savedsearch, user, app\
+| table time, count, error, savedsearch, user, app
 disabled = 1
 
 [AllSplunkEnterpriseLevel - Splunk Servers throwing runScript errors]