We currently have 4 servers that send data to the Splunk indexer. Each server is located in US/Eastern, however each server is used by a different geographical region and all log timestamps are US/Eastern. Using the user timezone setting, Splunk will adjust the time to the user's local timezone. However, for reporting purposes I do not want the times to be displayed in local time, but rather with respect to each reporting region. Currently, I am using the below eval in my reports: | eval _time=case(host="Server-1", _time + (60 * 60), host="Server-2", _time + (210 * 60),host="Server-3", _time + (300 * 60), 1=1, _time)` This works, but is there a better way to do this so reports do not need to be modified during timezone changes and when new geographical regions come online? ... View more

In order to reduce the amount of data being indexed, I am using a sed script to strip away all XML tags and to format the data as key=value . Sometimes there are multiple key-value pairs like in the below sample event. 2013-11-07 03:20:24,637 Outgoing UserId="555555555555" Type="Main" To="user@example.com" Key="1" Text="Value 1" Key="2" Text="Value 2" Key="3" Text="Value 3" SessionId="1000" I want the search to include all occurrences of multiple key-value pairs (i.e. search..| stats count by Key ). Currently, I will only get Key=1 in my results. I have added MV_ADD to transforms.conf but it is not working. Below is my current configuration. props.conf [source::/path/to/test.txt] SHOULD_LINEMERGE = False SEDCMD-trim = s/<([^\s\>]*)[^\>]*\>([^<]*)\<\/\1\>/ \1="\2"/g REPORT-mvfield = mv-field transforms.conf [mv-field] MV_ADD = true What am I missing? Update: Based on this post I was able to determine that I needed to add a transforms for each field. [mv-field-key] REGEX = Key=\"(.+?)\" FORMAT = Key::$1 MV_ADD = true [mv-field-text] REGEX = \bText\b=\"(.+?)\" FORMAT = Text::$1 MV_ADD = true Is it possible to have a single stanza so that I don't have to specify each field that I want to apply MV_ADD? ... View more

I am filtering events in transforms.conf but I cannot seem to get the regex to match. When I test the regex in Search it works as expected and even when tested at http://gskinner.com/RegExr/. I'm trying to match on the MsgType tag. Sample event: 2013-10-28 4:36:38,322 <?xml version="1.0" encoding="UTF-8"?><INTERFACE><MsgType>SendMessage</MsgType><Emailaddress>user@example.com</Emailaddress><Userid>9999999999999</Userid><FolderName>inbox</FolderName><Alerts>false</Alerts><Ack>true</Ack><To>user@example.com</To></INTERFACE> Below are variations that I tried that all seem to work but not when used in transforms.conf ^(.*<MsgType>(SendMessage|ReplyMessage)\b<\/MsgType>).*$ ^(.*<MsgType.(SendMessage|ReplyMessage)\b<\/).*$ ^(.*<MsgType.(SendMessage|ReplyMessage)\b<.MsgType.).*$ ^(.*MsgType.(SendMessage|ReplyMessage)\b..MsgType).*$ ^(.*<[^<]*MsgType[^>]*>(SendMessage|ReplyMessage)\b<\/[^<\/]*MsgType[^>]*>).*$ This works but isn't ideal ^(.*MsgType.(SendMessage|ReplyMessage)\b).*$ What's the proper way to escape the opening/closing tags? ... View more

I've been attempting to create a regex in transforms.conf that will keep events that have Value1 or Value2 and send all others to the nullQueue. My current expression works except that it will also keep the event if Value1 or Value2 occurs later in the event. I only care about the value for the first field value pair. Sample events: Event1 outgoing Field:Value1 username:value text:value Field:Value1 Field:Value2 Event2 outgoing Field:Value2 username:value text:value Field:Value1 Field:Value2 Event3 outgoing Field:Value3 username:value text:value Field:Value1 Field:Value2 Current regex: ^(?!.*?Field.(Value1|Value2)\b).*$ In the above example, I would only want to keep the first two event. Is there a way to make this work? ... View more