2a. You are right. In this case Indexers ingesting logs via couple of tcp ports. We have load balancer that smears logs on all indexers. You can advertise me some suggestions for architecture if want. I wiil glad to see some good advises When I was creating our Splunk env I decide that it is the most convenient way in our production. It's allow me to easily route events to indexes only by port. 2b. Yes, I'm talking about applying the bundle. I'm sure configuration was applied because I always use "splunk apply cluster-bundle -auth password --answer-yes" and wait for nodes to reboot if they decide to do it.

Same issue. +0000 ERROR ModularInputs [18816 TcpChannelThread] - Argument validation for scheme=proofpoint_tap_siem: killing process, because executing it took too long (over 30000 msecs). For me , i saw this was an OS issue. On Ubuntu the input works, the Redhat boxes dont so .. 

@ITWhisperer  I tried below query index="600000304_d_gridgain_idx*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True="✔" | bin _time span=1d | dedup _time | eval EBNCStatus="ebnc event balanced successfully" | table EBNCStatus True When I am selecting last 7 days its showing 8 events instead of 7  

Given the initial search has the same criteria as the searchmatch, True will always be a tick, so you just need to dedup the days index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval True="✔" | bin _time span=1d | dedup _time | eval EBNCStatus="ebnc event balanced successfully" | table EBNCStatus True

Are you sure that this line breaker will be good in my situation? As you can see in the last screenshot, the event contains "... High: <0>, Low: <0>" and I suspect that this breaker will cut events in unexpected places.

OK. We're getting somewhere. 2a. You have direct network inputs on indexers? That's not the best idea and calls for some re-architecting. But that shouldn't be the reason for problems with line breaking. 2b. What do you mean by "apply props.conf"? Do you push configuration bundle to the cluster from the CM or just define props.conf on the CM and just let it be? If you're pushing the configs, did you verify the effective configs on the indexer(s) receiving the events?

1. I suggested that for some reasons events don't contain a whole pattern and tried to check only "\r". "\r" works on the regex101. Now I changed this option to the default "([\r\n]+)". 2. I'm getting these events via Syslog. Logs come to the Indexer layer, where I apply props.conf via the Manager node, then I search on the Searchhead layer. 3. Yeah, I understand that I need to wait while indexers apply configuration and then search only events that came to Splunk after.

Hello, Thank you for your help, I appreciate. I m trying to explain what I want  1. We send json logs to a Mysql DB from an application server -> this is the logs format from the application server -->  {"bam":{"facture":{"@idFFFFF":"","@idBBBBB":"","@idCCCCC":"","@idCCCCC":"","@ABCACB":"","@status":""},"Contact":{"@idContact":"","@nom":"","@prenom":"","@adresse":"","@typeContact":""},"service":{"@jobName":"XX_Abcdef_Abccc_Token_V1","@jobVersion":"x.x","@routeName":"","@routeVersion":"","@currentTime":"2023-07-03 13:00:28","@idCorrelation":"545454ssss-abcc-456ss-5454-444455555554444","@serviceDuration":"1140"}}} If I copy this ligne on notepad and manually import it on splunk I get want I want to have (I used the default source type) Each value is extracted so it's perfect   2. To automatiquely get the new logs from the DB server I decided to use Splunk DB connect ( maybe it's not the best choice ? ) So I configured a new input in the Splunk DB connect to get the value from the DB table    But now the data are not indexed on json format as shown below   How can I get these datas on json format as shown on the first and second capture ?  Hope iyou understand better what I m trying to do    Regards,