I have been fighting with a regex in my props.conf (Regex-working-on-search-but-not-props-transforms ) and after a lot of testing, I came to the conclusion that my regex is fine. And my props.conf is fine. I had originally failed to see SOME were processing fine, and assumed all were bad. So, I checked to see if there was a cutoff where some were good vs bad, and found one, inside my len(_raw) field. Turns out, my props.conf seems to stop working somewhere after 4096 character count.  So, I made some test data and pulled it into splunk Bash:   #!/bin/bash x="a" count=1 while [ $count -le 5000 ] do echo "$x regex" ((count+=1)) x+="a" done   This just makes a bunch of lines, incrementing with another char each time.   a regex aa regex aaa regex aaaa regex aaaaa regex aaaaaa regex aaaaaaa regex   Then I pull this into Splunk, 1 line per log. Static host field = "x" Props:   [host::x] SHOULD_LINEMERGE = false TRANSFORMS-again = regexExtract   Transforms:   [regexExtract] REGEX = .*(regex) DEST_KEY= _raw FORMAT = $1 WRITE_META = true   My search:      index="delete" sourcetype="output.log" | eval length=len(_raw) | search length<4100 | table length | sort - length     Assuming my KV limits are ok, because this btool snippit:     /opt/splunk/etc/system/default/limits.conf [kv] /opt/splunk/etc/system/default/limits.conf avg_extractor_time = 500 /opt/splunk/etc/system/default/limits.conf indexed_kv_limit = 200 /opt/splunk/etc/system/default/limits.conf limit = 100 /opt/splunk/etc/system/default/limits.conf max_extractor_time = 1000 /opt/splunk/etc/system/default/limits.conf max_mem_usage_mb = 200 /opt/splunk/etc/system/default/limits.conf maxchars = 10240 /opt/splunk/etc/system/default/limits.conf maxcols = 512     ------------------------------------------ Now that we have all the setup, I search my index and see that every field up thought 4097 chars long will process the index time regex. After that, the search time regex works fine, but index time is no longer functional.   How do i get it to continue processing beyond that ~4100 chars?       

Hi,   I have a very basic timechart from the below search. Just counts the number of events=40 (event ID). The issue is we had a logging problem and received no events for a specific time period before we resolved the issue. This means the timechart has a drop to zero then back up to usual levels. Can I remove this from the timechart somehow?     Index=main event_type=40 | timechart count(src_ip) by sensor    

Hi All,  I'm currently trying to configure a alert to trigger when 2 events are NOT present in last 15min.  In short if we have only Event1 but not Event2 then a alert should be triggered, if both events are present in last 15min then no alerts should be triggered.  Use case, the alert is being configured to alert us when a VPN tunnel interface goes down and stays down for more than 15min, generally these VPN connections to terminate briefly but comes back up after a few seconds, hence we would like only alert if Event1 (down) took place in last 15min without Event2 (up) taking place.  Event1 - Search query index=firewall 10.10.10.10 Firewall_Name_XYZ=TEST123 AND "Lost Service" Event2 - Search query  index=firewall 10.10.10.10 Firewall_Name_XYZ=TEST123 AND (inbound "LAN-to-LAN" "created") Search Query to show both events  index=firewall 10.10.10.10 Firewall_Name_XYZ=TEST123 AND ("Lost Service" OR (inbound "LAN-to-LAN" "created")) Any assistance will be greatly appreciated  

Hello Splunk Community! I have a query where im extracting data from different logs and displaying them on the same row in a statistical table. here is my code:   index=main source=/opt/server/*/*userauth* | rex field=_raw "\]\s\S+\s-\s\[(?<caller>\S+)\]\s\S+->(?<function>\S+)\s(?<logs>.+)\:\s\[(?<value>\S+)\]" | where isnotnull(caller) | chart values(value) over caller by logs useother=f   i used the chart command to turn the logs  into column headers with their respective values The result : caller logB logC logD caller_id valueB valueC valueD however, when i narrow down the search by adding "validateSB" which is contained in most log entries,   index=main source=/opt/server/*/*userauth* validateSB | rex field=_raw "\]\s\S+\s-\s\[(?<caller>\S+)\]\s\S+->(?<function>\S+)\s(?<logs>.+)\:\s\[(?<value>\S+)\]" | where isnotnull(caller) | chart values(value) over caller by logs useother=f    The column A now appears as a column header with its respective value. caller logA logB logC logD caller_id valueA valueB valueC valueD When i also search a specific caller, the column A appears with its respective value too. Anybody know why this might be the case? Thanks in advance!

Hi, I have created a dashboard which shows the latest time of synching data between the two systems. Now I am interested to get the date color changed example: green(if sync time and current time difference is less than 1 hour) and red (if sync time and current time difference is more than 2 hour). Is anything like that possible ?  In the format visualization as far as I am seeing it I can change the color only for the single value and not for the datetime format. Please anyone can assist. Below is the how my date format looks      

We have Splunk setup in our firm and our application logs writes TLS connections information that span across multiple lines and splunk treats every line as message. Example of Log: 2022-05-07 20:06:24.712 SSL accepted cipher=ECDHE-RSA-AES256-GCM-SHA384 2022-05-07 20:06:24.712 Connection protocol=TLSv1.2 2022-05-07 20:06:24.716 Dump of user cache: 2022-05-07 20:06:24.716 LDAP Cache: User 'user1' is a member of group(s): 2022-05-07 20:06:24.717 'xxxx-tibems-aaaa-prod-rdr' 2022-05-07 20:06:24.717 LDAP Cache: User 'auser2' is a member of group(s): 2022-05-07 20:06:24.717 'xxxx-tibems-yyyy-prod-wtr' 2022-05-07 20:06:24.717 LDAP Cache: User 'ad_cibgvaprod_rdr' is a member of group(s): 2022-05-07 20:06:24.717 'xxxx-tibems-yyyy-prod-rdr' 2022-05-07 20:06:24.717 LDAP Cache: User 'ad_vcsmonprod_adm' is a member of group(s): 2022-05-07 20:06:24.717 'xxxx-tibems-bbbb-prod' 2022-05-07 20:06:24.717 'xxxx-tibems-aaaa-prod-shutdown' 2022-05-07 20:06:24.717 [user1@server1.svr.us.example.net]: Connected, connection id=21879, client id=<none>, type: queue, UTC offset=2   Here line starts with "SSL accepted cipher=" and ends with "ser1@server1.svr.us.example.net]: Connected,"   I would like timecharts cipher (ECDHE-RSA-AES256-GCM-SHA384), user (user1), Server (server1.svr.us.example.net)  Stats like follows Date Hour       Cipher   User   Server Count 10-10-20 10:00 ECDHE-RSA-AES256-GCM-SHA384) user1 server1 200   Please let me know if there an elegant solution to this, Kannan