Got you, I was wondering what was the trick. Thank you very much. <BusinessPartnerCode>001999</BusinessPartnerCode> So what would be the regex without all the quotes? The one I posted isn't highlighting the the 6 digit code. ... View more

Thank you. Actually my number does not have any quotes (just had to put them there because the Splunk website wouldn't allow the brackets otherwise). Would this be the correct version without quotes? | rex "\"<\"BusinessPartnerCode>(?[^\"]+)<\"\/BusinessPartnerCode>" ... View more

The number is changing but it's always 6 digits. ... View more

Thank you, I will try that! ... View more

It did not show up however, I am suspecting it has to do with the server.conf file on the cloned server. On the cloned server I have exactly the same server,conf file under system/local with the same generated key. Might this be the problem why it couldn't be recognized on the DS ? ... View more

Thank you, those searches work as well. I don't why but the alert is sending now with the old search as well.. ... View more

Thank you for the fast answer. Yes you are right, that's the setting I used. - I did restart Splunk - Permissions are fine - I did check the actual sizes in the folders and it matches what I see in FB I went ahead and set the retention policy to 5 days frozenTimePeriodInSecs = 432000 since I really don't need the data longer than 5 days and it actually cleared up space. I might have to clarify that the the index was already 25 GB when I set it to 5 GB max, however I was expecting that it would automatically clean it up to 5 GB. ... View more

I changed it to Eastern timzone, since that is the TZ our servers are in. We are using a Universal Forwarder on this app. My props.conf on the forwarder looks like this: [mstris] # A performance tweak is to disable SHOULD_LINEMERGE and then set the # LINE_BREAKER to "line ending characters coming before a new time stamp" # (note the direct link of the TIME_FORMAT to the regex of LINE_BREAKER). LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d{3}-\d{2}:\d{2} SHOULD_LINEMERGE = False # 10000 is default, should be set on a case by case basis TRUNCATE = 10000 TIME_PREFIX = ^ TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3NZ MAX_TIMESTAMP_LOOKAHEAD = 29 TZ = US/Eastern Leaving PUNCT enabled can impact indexing performance. Customers can Comment this line if they need to use PUNCT (e.g. security use cases) ANNOTATE_PUNCT = false Inline field extraction EXTRACT-connection_id = (?i)(connectionid|conn_id|callid)\=(?\d{6}) Field extraction using a transforms.conf REPORT-auto_kv_for_all_fields = auto_kv_for_all_fields If the data does not have nice key=value pairs, (or some other readily machine parseable format, like JSON or XML), set KV_MODE = none so that Splunk doesn't spin its wheels on attempting to look for key = value pairs which don't exist. KV_MODE = auto SEDCMD-RemoveComments = s/^#.*$// SEDCMD-RemoveInfoLines = s/.*\[Info\].*// SEDCMD-RemoveBadObject = s/.*The object server is unable to find an object with ID '00000000000000000000000000000000'.*// EXTRACT-pid = (?i)\[PID:(?P[^\]]+) EXTRACT-thread_id = (?i)\[THR:(?P[^\]]+) EXTRACT-service = (?i)^(?:[^\[]*\[){4}(?P[^\]]+) EXTRACT-log_level = (?i)^(?:[^\[]*\[){5}(?P[^\]]+) EXTRACT-message = (?i)(?:Error|Debug|Warning|Info)\]\s*(?P.*) I have US/Eastern now in my forwarder and also see for props.conf on the indexers for this app, however, I am still seeing the same issue with the time stamp in SPLUNK being one our in the future: 10/1/15 9:17:08.899 AM 2015-10-01 08:17:08.899-05:00 [HOST:.corp.rndc-usa.com][PID:61838][THR:1504118528][Kernel][Info] Contract Request Succeeded: Source=MsiWorkingSet::MCMPackBSTR, Handle=42331, Size=85450752, ContractedTotal=1735479296, AvailableTotal=135937250158 Where else could I change props.conf that is related to this index? Sorry but I am very new to Splunk.. ... View more

Thank you for answer. So I would need to change my props.conf on the forwarder where I am getting the data from, correct? Because I did this and put TZ=US/Central in there and I still keep getting the same time. this is from my props.conf on the forwarder where I am getting the data from: TRUNCATE = 10000 TIME_PREFIX = ^ TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3NZ MAX_TIMESTAMP_LOOKAHEAD = 29 TZ = US/Central Oliver ... View more

This is the result to that search: Thank you so much for your help! ... View more

Sorry the first picture should be this: ... View more

Nevermind, I restarted the whole SPLUNK and it works now. Thanks!! ... View more

Thank you, I meant inputs.conf , my bad. I did remove all the host= but now it is not indexing any data any more at all. I do not have a serverclass.conf on my forwarders, which app would I need to deploy to get this. ... View more

Thank you very much for your quick answer, I did what you said and I think the found the issue somewhere else. When I actually look at the outputs, it takes output from app1 but it shows the host as app2: I double checked and verfied that the log files is acutally from app1 but the host is being displayed as app2. Any idea where I can fix this? Oliver ... View more