All Posts

Hello Guys, Can you please share the steps on how to create diag file for **Splunk Cloud**? I found some posts saying that we can run "Splunk diag" from the command line, However there's no command... See more...
Hello Guys, Can you please share the steps on how to create diag file for **Splunk Cloud**? I found some posts saying that we can run "Splunk diag" from the command line, However there's no command line for Splunk cloud, then how can I get a diag file as asked by support. Thanks much in advance! Regards, Iris
1) I would like to say thank you for your advice; I think I overlooked the main index. 2) The main reason I want to split one sourcetype, say test, into index=bank, index=card and index=error is because I need different access permissions.
Hi, we have already done that (deleted the smart agent on the host itself), but it's still there. The agent got wiped about 3 weeks ago when we were done testing. We are using: AppDynamics Controller build 24.2.6-1114
You can change the field name with the "rename" method, but what I wanted was for the desired field name to be searched when I searched with just    index=botsv2 sourcetype="stream:smtp"   ----... See more...
You can change the field name with the "rename" method, but what I wanted was for the desired field name to be searched when I searched with just    index=botsv2 sourcetype="stream:smtp"   --------------------------------------------------------------------------------------------------------------------------------------------- index=botsv2 sourcetype="stream:smtp" attach_filename{}="*" (Before,, In order to extraact file_name, I had to search for  that..) I took a hint from your words and solved it in a different way. Taking a hint that attach_filename{} was already extracted from splunk, I created a lookup-file using "spath" and made it "Auto-Lookup". Then, the field is now extracted and displayed with just index=botsv2 sourcetype="stream:smtp". I really appreciate your help. Thank You
Thank you for the quick reply. OK, but a few days back the PDF option was not there and now it is. How is that possible?
Hi @Siddharthnegi, to my knowledge, it isn't possible to remove it. Ciao. Giuseppe
Can we edit this format option, for example to remove or add the PDF format? A few days back the PDF option was not showing here and now it is. Is there a way to edit it or add the PDF format?
There are general recommendations in the form of so-called SVAs (Splunk Validated Architectures): https://docs.splunk.com/Documentation/SVA/current/Architectures/About Of course those are guidelines; they are based on typical needs and can be adjusted in some border cases. For example, when you have a relatively isolated environment you can (and often will) use intermediate forwarder(s) to route events from sources inside to the indexers on the outside. But the intermediate forwarder can (and often will) be a UF; it doesn't have to be a HF. While I like the (non-SVA) general concept of an additional HF layer in front of indexers (it has its pros and cons, so it's not a solution I'll preach indiscriminately to everyone), adding multiple HFs in a single "branched" processing chain introduces a whole lot of inconsistency and can be a huge pain to troubleshoot in case of problems with ingestion.
Then, how do I change the field name from attach_filename{} to file_name?

rename is your friend.

| rename attach_filename{} as file_name
Maybe transaction?  Something like   index=index source="D:\\Temp\\logs\\Logpath\\examplelog.log" | transaction startswith="Saved messages to DB" endswith="Done bulk saving messages" keepevicted=t ... See more...
Maybe transaction?  Something like   index=index source="D:\\Temp\\logs\\Logpath\\examplelog.log" | transaction startswith="Saved messages to DB" endswith="Done bulk saving messages" keepevicted=t | eval no_msg_wait_time = mvcount(noMessageHandleCounter) * 1000 | fillnull no_msg_wait_time | rename duration as processing_time | eval _raw = mvindex(split(_raw, " "), -1) | rex "Done Bulk saving .+ used (?<db_bulk_write_time>\w+)" | table _time processing_time Count db_bulk_write_time no_msg_wait_time _raw   Your sample event will give _time processing_time Count db_bulk_write_time no_msg_wait_time _raw 2024-08-07 21:13:16.637 3.797 1 12 3000 2024-08-07 21:13:20,434 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 12 ms 2024-08-07 21:13:12.841 3.781 1 11 3000 2024-08-07 21:13:16,622 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 11 ms 2024-08-07 21:13:12.054 0.771 1 24 0 2024-08-07 21:13:12,825 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 24 ms 2024-08-07 21:13:07.710 4.297 1 113 4000 2024-08-07 21:13:12,007 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 113 ms I didn't break _time into separate fields but that can easily be done. Here is an emulation for you to play with and compare with real data.   
| makeresults | eval data = split("2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms 2024-08-07 21:13:08,742 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:08,742 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms 2024-08-07 21:13:09,757 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:09,757 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms 2024-08-07 21:13:10,773 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:10,773 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=7), retry in 1000 ms 2024-08-07 21:13:11,007 [15] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:4504 2024-08-07 21:13:11,132 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms. 2024-08-07 21:13:11,257 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms. 2024-08-07 21:13:11,382 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms. 2024-08-07 21:13:11,507 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms. 2024-08-07 21:13:11,632 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms. 
2024-08-07 21:13:11,757 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms. 2024-08-07 21:13:11,882 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms. 2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1 2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1 2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True 2024-08-07 21:13:11,882 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1 2024-08-07 21:13:12,007 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 113 ms 2024-08-07 21:13:12,007 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms. 2024-08-07 21:13:12,054 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue) 2024-08-07 21:13:12,132 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms. 
2024-08-07 21:13:12,179 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer 2024-08-07 21:13:12,257 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:12,398 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:12,528 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:12,778 [33] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:4668 2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1 2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1 2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True 2024-08-07 21:13:12,809 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1 2024-08-07 21:13:12,825 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 24 ms 2024-08-07 21:13:12,841 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue) 2024-08-07 21:13:12,934 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms. 2024-08-07 21:13:12,966 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer 2024-08-07 21:13:13,059 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms. 2024-08-07 21:13:13,059 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:13,184 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms. 
2024-08-07 21:13:13,200 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:13,325 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms. 2024-08-07 21:13:13,341 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:13,466 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms. 2024-08-07 21:13:13,466 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:13,466 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms 2024-08-07 21:13:13,591 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms. 2024-08-07 21:13:13,716 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms. 2024-08-07 21:13:13,841 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms. 2024-08-07 21:13:13,966 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms. 
2024-08-07 21:13:14,481 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:14,481 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms 2024-08-07 21:13:15,497 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:15,497 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms 2024-08-07 21:13:15,731 [20] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:7648 2024-08-07 21:13:15,856 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms. 2024-08-07 21:13:15,981 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms. 2024-08-07 21:13:16,106 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms. 2024-08-07 21:13:16,231 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms. 2024-08-07 21:13:16,356 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms. 2024-08-07 21:13:16,481 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms. 2024-08-07 21:13:16,606 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms. 
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1 2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1 2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True 2024-08-07 21:13:16,606 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1 2024-08-07 21:13:16,622 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 11 ms 2024-08-07 21:13:16,637 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue) 2024-08-07 21:13:16,731 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms. 2024-08-07 21:13:16,762 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer 2024-08-07 21:13:16,856 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms. 
2024-08-07 21:13:16,856 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:16,997 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:17,137 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:17,278 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:17,278 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms 2024-08-07 21:13:18,294 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:18,294 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms 2024-08-07 21:13:19,309 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0 2024-08-07 21:13:19,309 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms 2024-08-07 21:13:19,544 [28] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:13568 2024-08-07 21:13:19,669 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms. 2024-08-07 21:13:19,794 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms. 2024-08-07 21:13:19,919 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms. 2024-08-07 21:13:20,044 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms. 
2024-08-07 21:13:20,169 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms. 2024-08-07 21:13:20,294 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms. 2024-08-07 21:13:20,419 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms. 2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1 2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1 2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True 2024-08-07 21:13:20,419 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1 2024-08-07 21:13:20,434 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 12 ms", " ") | mvexpand data | rename data as _raw | extract | eval _time = strptime(replace(_raw, "^(?<_time>\S+ \S+).+", "\1"), "%F %T,%3N") | sort - _time ``` the above emulates index=index source="D:\\Temp\\logs\\Logpath\\examplelog.log" ```  
Hi @Twagner79, as @richgalloway and @isoutamo also said, there's no utility in using an intermediate Forwarder as a concentrator; it's better to send logs directly to the Indexers. The only application I know (and have applied) of this solution is when you have forwarders in a restricted network and you don't want to open many firewall routes between all the forwarders and the Indexers, but that shouldn't be your case. In addition, adding an extra layer doesn't reduce latency but increases it, and at the same time it doesn't give any improvement to integrity, which is guaranteed by the use of Forwarders that have a local cache. Ciao. Giuseppe
Hi @curiouspuppet, if none of the downloadable versions is usable, you can only ask Splunk Support for an older version. Ciao. Giuseppe
Hi @jjohn149 , please try something like this: index=osp source=xxx EVENT_TYPE=xxx EVENT_SUBTYPE=xxx PLNF=* REN=INT OKELS="" | eval example=case( HTSZ="R" AND NOT EHUH="FIERY", "example 3", HTSZ=... See more...
Hi @jjohn149 , please try something like this: index=osp source=xxx EVENT_TYPE=xxx EVENT_SUBTYPE=xxx PLNF=* REN=INT OKELS="" | eval example=case( HTSZ="R" AND NOT EHUH="FIERY", "example 3", HTSZ="R", "example 2", true(), "example 1" ) | eval DATE = strftime(strptime(BADAT, "%Y%m%d"), "%Y-%m-%d") | stats count(eval(example="example 1")) AS example1_count count(eval(example="example 2")) AS example2_count count(eval(example="example 3")) AS example3_count BY FNHB FNPO DATE | stats sum(example1_count) AS "example 1" sum(example3_count) AS "example 2" sum(example3_count) AS "example 3" BY DATE Ciao. Giuseppe  
1. You should not use leading underscores in the names of your indexes. A leading underscore denotes one of Splunk's internal indexes, as _metrics is: that's Splunk's internal metrics index. 2. The retention period is one thing, but if you exceed the index size limits the oldest bucket will get rolled to frozen (by default it will be deleted). As firewall logs (assuming you're logging network sessions) are typically very "noisy", that's what I'd suspect. If you have an all-in-one setup, the easiest way to check the index size is to go to Settings->Indexes.
Then @KendallW's answer should work with a minor change to outputs.conf. You should just use the default group, put all those indexers there, and put no index definitions into it.
Hi @JJE, one additional question: did you receive logs until the 31st of July, and did the logs stop on the 1st of August? If this is true, the issue is that you're receiving logs from your firewalls with a European date format (dd/mm/yyyy) and you didn't declare the date format. In this case Splunk tries to recognize the timestamp, and it did so until the 31st of July using the standard American format (mm/dd/yyyy), so 01/08/2024 is read as the 8th of January. Force the time format in props.conf for that sourcetype: TIME_FORMAT = %d/%m/%Y %H:%M:%S If that doesn't solve it, could you share a sample of your logs and your props.conf? The indexes.conf isn't relevant for the time format. Only for your information: indexes in Splunk are only a recipient for the logs, and there isn't any information about the logs in them; in fact, you can store different logs in the same index. An index isn't a database table where you have to define every data field. Ciao. Giuseppe
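The day/month ambiguity described in the reply above, as an added example that is not part of the original post: a small check that parses a batch of log lines under both the European and the US date format, reports which format keeps event order intact, and lists the lines a wrong TIME_FORMAT would silently file in the wrong month. The log lines, field names and the two candidate formats are constructed here for illustration.

```python
from datetime import datetime

# Constructed firewall-style lines (not from the original post): one per day
# across the July/August rollover, timestamped dd/mm/yyyy as the reply describes.
SAMPLE_LOGS = [
    "30/07/2024 08:00:00 action=allow src=10.0.0.5 dst=10.0.1.9",
    "31/07/2024 08:00:00 action=allow src=10.0.0.5 dst=10.0.1.9",
    "01/08/2024 08:00:00 action=deny src=10.0.0.7 dst=10.0.1.9",
    "02/08/2024 08:00:00 action=allow src=10.0.0.5 dst=10.0.1.9",
]

EU_FORMAT = "%d/%m/%Y %H:%M:%S"  # the TIME_FORMAT the reply recommends
US_FORMAT = "%m/%d/%Y %H:%M:%S"  # the fallback Splunk guessed when none was set


def parse_timestamp(line, fmt):
    """Parse the leading 'date time' tokens of a line; None if fmt rejects them."""
    stamp = " ".join(line.split(" ", 2)[:2])
    try:
        return datetime.strptime(stamp, fmt)
    except ValueError:
        return None


def is_monotonic(times):
    """True when every line parsed and the sequence never goes backwards."""
    if any(t is None for t in times):
        return False
    return all(a <= b for a, b in zip(times, times[1:]))


def infer_date_format(lines):
    """Return the single candidate format under which all lines parse and stay
    in order, or None when the sample cannot decide (all days <= 12, say)."""
    candidates = [
        fmt for fmt in (EU_FORMAT, US_FORMAT)
        if is_monotonic([parse_timestamp(l, fmt) for l in lines])
    ]
    return candidates[0] if len(candidates) == 1 else None


def misparsed_lines(lines, assumed_fmt, actual_fmt):
    """Lines that parse under both formats but to different instants: these are
    the events a wrong TIME_FORMAT indexes under the wrong date, which is why
    the data appears to 'stop' at the start of a month."""
    out = []
    for line in lines:
        assumed = parse_timestamp(line, assumed_fmt)
        actual = parse_timestamp(line, actual_fmt)
        if assumed is not None and actual is not None and assumed != actual:
            out.append((line, assumed, actual))
    return out


if __name__ == "__main__":
    print("inferred format:", infer_date_format(SAMPLE_LOGS))
    for line, wrong, right in misparsed_lines(SAMPLE_LOGS, US_FORMAT, EU_FORMAT):
        print(f"{line[:19]}  read as {wrong:%Y-%m-%d}, should be {right:%Y-%m-%d}")
```

Run against a sample taken around a month boundary, as in the reply; a sample where every day-of-month is 12 or less parses cleanly under both formats, so the check reports None and the format must be confirmed with the log source instead.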
Hi there, it should work with IP addresses. If your data is going through an HF before reaching an indexer, then the config should be applied on the HF. Let me know if it works for you! Cheers, David
Then, how do I change the field name from attach_filename{} to file_name?
OK. Apart from the fact that you're routing to servers (which, if these are clustered indexers, should replicate the buckets), not redirecting to indexes (an indexer is not the same as an index), let me point out two things. 1) You should not use the main index. It comes configured by default so that something is created in the environment, but you should rather have properly configured indexes created according to your needs. 2) Do you _need_ to split the data into indexes? (The two main reasons for splitting data into indexes are access rights and retention periods.) That's not the same as using two different sourcetypes for two different kinds of data (which you should definitely do if the data formats do indeed differ).
So, you already have attach_filename{} extracted by Splunk. No need for extra work. Is this correct? To answer your question about the two searches: when you add an additional filter, you SHOULD expect the result to change. It is obvious that not all events have the attach_filename{} field populated. If you do index="botsv2" sourcetype="stream:smtp" attach_filename{}="*" you only select those events with this field. Without attach_filename{}="*", you pick up every event, including those that do not have attach_filename{}.