Hey, this regex should match those kind of events pretty well: \s?([^\s,]+)\s([^\s,]+)(?:,|$) regex101.com link You could then create a stanza in props.conf for your sourcetype/host/source to match, and have it include: REPORT-ntpevents = ntpevents Then have transforms.conf like [ntpevents] REGEX = \s?([^\s,]+)\s([^\s,]+)(?:,|$) MV_ADD = true FORMAT = $1::$2 Hope that helps! ... View more

The issue was it was stuck in ingestion queue. I changed how it acted when the file was in use in my inputs and props and it appears to be working now. ... View more

Try this: index="YouShouldAlwaysSpecifyIndex" AND sourcetype="my_source_type" | dedup message.userId | rex field=message.time "(?<_time>\d+)" | timechart span=1month count ... View more

You might be able to figure something out by writing those bad IPs to a lookup (using |outputlookup append=true) including a timestamp, and also call the REST API to block them. You could then regularly search through that lookup, filter on entries older than 15 minutes, and have another alert action on those to have the REST API unblock them, and also drop them from the lookup. Not exactly a complete solution, but you should be able to figure something out using those idea 😉 Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂 ... View more

Based on comments, I think this should work: SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]*)\<p\> ... View more