I have some JSON conforming to XDAS-v2 and, unfortunately, the spath command cannot make much sense of it. Is there an easy way to use this kind of JSON that I overlooked?
I tried to do some of it with props.conf:
# Source type stanza for the XDAS audit events shown in the sample below.
[xdas-events]
# Search-time automatic field extraction from JSON.
KV_MODE = JSON
# Index-time structured extraction from JSON.
# NOTE(review): this setting and KV_MODE both extract the same JSON fields;
# enabling both typically yields duplicated field values, so usually only one
# of the two is set. Confirm which is intended.
# NOTE(review): the sample event on this page starts with a syslog-style
# prefix ("Jun 18 12:28:31 IDM : INFO ") before the JSON object, so the raw
# event as a whole is not a JSON document. JSON extraction and spath presumably
# need the JSON portion isolated first. Verify against the actual input.
INDEXED_EXTRACTIONS = JSON
pulldown_type=1
Sample event:
Jun 18 12:28:31 IDM : INFO {"Source" : "IDM","Observer" : {"Entity" : {"SysName" : "chhs-sidm017"}},"Initiator" : {"Entity" : {"SvcName" : "CN=INTG2,OU=SYSTEM,O=SOME","SvcComp" : "\\Driver"}},"Target" : {"Data" : {"DATA" : "<status level=\"success\" type=\"driver-status\">Driver state changed to Running.<application>DirXML</application>\n\t<module>WORKER</module>\n\t<object-dn></object-dn>\n\t<component>Subscriber</component>\n</status>","MIME_HINT" : "3","ORIGINATOR_TYPE" : "1","TARGET_TYPE" : "1","TEXT3" : "Driver state changed to Running.","VALUE1" : "2","VALUE2" : "0","VALUE3" : "0"},"Entity" : {"SvcName" : "CN=WORKER,CN=IDM-INTG,OU=IDM,OU=SYSTEM,O=SOME","SvcComp" : "DirXML-State"}},"Action" : {"Event" : {"Id" : "0.0.3.5","Name" : "Enable Service","SubEvent" : "30022"},"Time" : {"Offset" : 1434623311},"Log" : {"Severity" : 7}}}
The schema of the content is as follows:
{
"id":"XDASv2",
"title":"XDAS Version 2 JSON Schema",
"description":"A JSON representation of an XDASv2 event record.",
"type":"objectr",
"properties":{
"Source":{
"description":"The original source of the event, if applicable.",
"type":"string",
"optional":true
},
"Observer":{
"description":"The recorder (ie., the XDASv2 service) of the event.",
"type":"object",
"optional":false,
"properties":{
"Account":{"$ref":"account"},
"Entity":{"$ref":"entity"}
}
},
"Initiator":{
"description":"The authenticated entity or access token that causes an event.",
"type":"object",
"optional":false,
"properties":{
"Account":{"$ref":"account","optional":true},
"Entity":{"$ref":"entity"},
"Assertions":{
"description":"Attribute/value assertions about an identity.",
"type":"object",
"optional":true
}
}
},
"Target":{
"description":"The target object, account, data item, etc of the event.",
"type":"object",
"optional":true,
"properties":{
"Account":{"$ref":"account"},
"Entity":{"$ref":"entity"},
"Data":{
"description":"A set of attribute/value pairs describing the target object.", *
"type":"object",
"optional":true
}
}
},
"Action":{
"description":"The action describes the event in a uniform manner.",
"type":"object",
"optional":false,
"properties":{
"Event":{
"description":"The event identifier in standard XDASv2 taxonomy.",
"type":"object",
"optional":false,
"properties":{
"Id":{
"description":"The XDASv2 taxonomy event identifier.",
"type":"string",
"optional":false,
"pattern":"/^[0-9]+(\.[0-9]+)*$/"
},
"Name":{
"description":"A short descriptive name for the specific event.", eg. a new replica is added
"type":"string",
"optional":true
},
"CorrelationID":{
"description":"Correlation ID, source#uniqueID#connID",
"type":"string",
"optional":true
}
},
"SubEvent":{
"type":object
"description": "Describes the actual domain specific event that has occurred.",
"optional":true,
"properties":{
"Name"":{
"description":"A short descriptive name for this event.",
"type":"string",
"optional":true
},
}
}
}
"Log":{
"description":"Client-specified logging attributes.",
"optional":true,
"properties":{
"Severity":{"type":"integer", "optional":true},
"Priority":{"type":"integer", "optional":true},
"Facility":{"type":"integer", "optional":true}
}
}
"Outcome":{
"description":"The XDASv2 taxonomy outcome identifier.",
"type":"string",
"optional":false,
"pattern":"/^[0-9]+(\.[0-9]+)*$/"
}
"Time":{
"description":"The time the event occurred.",
"type":"object",
"optional":false,
"properties":{
"Offset":{
"description":"Seconds since Jan 1, 1970.",
"type":"integer"
},
"Sequence":{
"description":"Milliseconds since last integral second.",
"type":"integer",
"optional":true
},
"Tolerance":{
"description":"A tolerance value in milliseconds.",
"type":"integer",
"optional":true
},
"Certainty":{
"description":"Percentage certainty of tolerance.",
"type":"integer",
"optional":true,
"minimum":0,
"maximum":100,
"default":100,
},
"Source":{
"description":"The time source (eg., ntp://time.nist.gov).",
"type":"string",
"optional":true
},
"Zone":{
"description":"A valid timezone symbol (eg., MST/MDT).",
"type":"string",
"optional":true
}
}
"ExtendedOutcome":{
"description":"The XDASv2 taxonomy outcome identifier.",
"type":"string",
"optional":false,
"pattern":"/^[0-9]+(\.[0-9]+)*$/"
}
}
}
}
},
{
"id":"account",
"description":"A representation of an XDAS account.",
"type":"object",
"properties":{
"Domain":{
"description":"A (URL) reference to the authority managing this account.", /* lets take it as the partition?
"type":"string"
},
"Name":{
"description":"A human-readable account name.", - DN
"type":"string",
"optional":true
},
"Id":{
"description":"A machine-readable unique account identifier value.", - EntryID
"type":"integer"
}
}
},
{
"id":"entity", - Server details for Target, client address details for the initiator
"description":"A representation of an addressable entity.",
"type":"object",
"properties":{
"SysAddr":{"type":"string","optional":true},
"SysName":{"type":"string","optional":true},
"SvcName":{"type":"string","optional":true},
"SvcComp":{"type":"string","optional":true},
}
}