It does seem like a bug. Splunk is supposed to calculate length based on number of characters, not bytes (and the same goes for parameters in settings, like TRUNCATE or MAX_TIMESTAMP_LOOKAHEAD; so it might be interesting to see if those are also affected). EDIT: TRUNCATE is actually in bytes. Should get rounded down if it would fall in the middle of a multibyte character. MAX_TIMESTAMP_LOOKAHEAD is in characters however. Confusing.

OK. Processing syslog is not as easy as it seems 1. There is hardly such thing as "standard syslog". Yes, there are some RFCs describing syslog protocol but in practice many solutions send practically anything on port 514 and consider it "syslog". 2. If the data is properly formatted (RFC3164 or RFC5424), the hostname can (and will if using properly configured sourcetypes) be parsed out from the event itself. Too bad many environments have - for example - a ton of routers in various locations, each called "gateway". 3. When you're receiving messages directly on network port with Splunk (either UF or "full" Splunk), you lose most of the metadata about the source (if properly configured, the input can set the host field to source IP or hostname but it can be subsequently overwritten by the value from the event - see previous point). So the recommended options of ingesting syslog data into splunk is to set up an intermediate syslog daemon which either: 1) Forwards to HEC input on Splunk adding proper metadata information (this can be done on rsyslog, syslog-ng or SC4S) or 2) Writes to files from which the UF picks up data and forwards it to Splunk (kinda similar to what you did). But the 2nd option is best done when writing to separate files from each host (for example with dynamic filename generation based on source IP). Then you have source file path  in the source field and you can parse the original IP or hostname from that.

Hello,  @Dietrich.Meier  sorry to bother here -  I'm curios to understand if the Synthetic Monitoring capability available from AppDynamics is capable of checking out of the box the SSL Certificate expiration date (I know ThousandEyes can do it). Are you aware of it? Or did you have to develop an entire extension just for this purpose? Regards

"i understand that there is way to send particular field/value to a nullqueue" You understand wrong, I'm afraid. As @richgalloway pointed out - you can send _whole events_ to nullQueue if they match certain regex (or other criteria in case you use INGEST_EVAL). You can use transforms to cut specific parts of the events with regexes. But in the ingest pipeline Splunk has no knowledge about the search-time fields (the ones created with REPORT or EXTRACT entries as well as calculated fields or field aliases). It only knows the index-time fields (the default metadata ones and custom index-time extractions if any are defined). So if you want to trim your events you'd have to manipulate them with regexes. But since your events are structured, it'd be probably better to process your events before ingesting them into Splunk with something that can interpret XML and can selectively filter it based on XML structure, not plain regexes.

There are no miracles. Something must have been changed by someone. 1. Use btool to see where the settings come from 2. Check the config tracker to see when there were changes made to your environment. https://www.splunk.com/en_us/blog/platform/splunking-your-conf-files-how-to-audit-configuration-changes-like-a-boss.html?locale=en_us

What I mean by "revert certain application objects back to old settings", is that we noticed that 4 applications were reverted to the old version and the objects affected are dashboards, saved searches, search files, porpos.conf and transfroms.conf   For example: We configured alert  to run every 2 minutes, then changed it to run every 5 minutes, and after the issue it was switched back to run every 2 minutes   The last bundle was pushed from the deployer server on November 7th and the issue occurred on November 10th      

Hi What you are actually  meaning with "the objects of specific Apps reverted back to old settings"? Old lookups are in use, old KOs are in use after you apply shcluster-bundle on deployer? It that then yo should read and check these: Choose a deployer push mode [shclustering] r. Ismo

Hi couple of additional comments: When you are indexing data REPORT-didn't executed it's (as EXTRACT) works only on search time. When you have several TRANSFORMS stanzas on own lines then those are applied based on those names ASCII order! If you want apply those in specific order put those in one TRANSFORMS-xyz = a, e, c, b, d or ensure that names are evaluated on correct order (use eg 000x, 001y, 002a etc) One good instructions for index phase https://www.aplura.com/assets/pdf/props_conf_order.pdf. Aplura have some other Cheat Sheets which helps. r. Ismo