Aha! Yes, you're definitely on the right track. I didn't consider that UsePct actually is a string with a %-sign at the end. When I check under the statistics-tab, I can see that latest(UsePct) on its own shows the values with a %-sign. If I also include max(UsePct), the sign is dropped from both values. Odd behaviour, perhaps, but whether it's a bug might be debatable. Your solutions is probably the simplest. Thanks! ... View more

Since sundareshr was first to answer (in a comment), I'm demoting my answer to a comment. The solution is indeed correct, but you can shorten it a bit: index=main [|inputlookup test.csv |rename devicetype AS type | fields type] (oh, and I had a typo in my answer... Fixed now.) ... View more

It could be a permission issue. What is the owner of the splunkforwarder directory? Can you post an example line from your hosts line to ensure it contains the user name of the account you're trying to use? ... View more

Hi, I believe you're looking for the wrong file. The file name should be deploymentclient.conf . Try searching for that and see if it's correctly set up: $ find /opt/splunkforwarder/etc -name deploymentclient.conf /opt/splunkforwarder/etc/system/local/deploymentclient.conf HTH ... View more

Thanks. It is not directly a problem that files will be read only once and not look for updates. The files are generated once-only and never touched again. My real worry would be that someone shuts down the forwarder for longer than the retention period. Hower, this is not a true problem any more. ... View more

I should add that a non-destructive solution would be ideal. Splunk has read-only access to these files. ... View more

Hi. Duly noted. Thanks! ... View more

Hi and thanks for the reply! The reason why I'm looking into using datetime.xml is that Splunk uses an incorrect format by default. Therefore, I want to change the order in which Splunk makes its educated guess. So the edit is really minor. We never use the format month-day-year and for us it's an illogical order, since it breaks the order of magnitude. It's either year-month-day, day-month-year or day-month ( - signifying any separator). We run a plethora of custom applications and we try to enforce the year-month-day standard. Unfortunately, new installations do not always adhere and in some cases, the format has (alas) been hard-coded. Therefore, we unfortunately have sourcetypes with mixed date formats. We have currently 118 sourcetypes, from several projects, products, owners and admins. Setting the timestamp recognition for each and every one is simply too overwhelming a task. So, the only reliable solution is to instruct Splunk not to make the illogical choice as a first guess. I also want to point out that some admins have been surprised at the behaviour, when they previously have seen date like 20-30 September correctly identified for a sourcetype, but suddenly 1 October becomes 10 January. Thanks for the reply, though! You answered my question and this isn't quite clear in the documentation. Disclaimer: Yes, I know month-day-year is the preferred choice and makes sense for US citizens, but for us it's as confusing as Fahrenheit. ... View more

I'm glad it worked for you! rex is used as the sed -command, familiar from UNIX-like operating systems. Looking at the the expression, you'll see it consists of two parts, separated by slashes. (Disregard the slashes with a backslash in front). The first part "(\d\d)(\d\d)(\d\d\d\d)" contains three capture groups, each surrounded by parentheses. The \d signifies a digit. So, we are first capturing two digits, then another two digits and finally four digits. The capture groups save the matched strings for future reference. The second part replaces the string matched in the first part. The special notation of a backslash followed by a number references a string saved by the capture groups in the first part. So, \1 references the first two digits, the \2 references the next two digits, and so on. Since the slash character / is used by rex to limit the expression, the slash needs to be escaped by a backslash, \ . So reading out the second part it means "insert the first string you captured, then a slash, then the second captured string, then a slash, then the third captured string" ... View more

Hi Lucas K, AFAIK, the gains have been mostly achieved through improved usage of multiple cores. If you check the release notes, you'll see that it mentiones optimized CPU utilization both for indexing and searching. http://docs.splunk.com/Documentation/Splunk/6.3.0/ReleaseNotes/MeetSplunk ... View more

Hi Chris, Oh, you have dates before 1970... Unfortunately, this is going to cause problems for time-related functions, as the timestamp is represented as number of seconds since 1 January 1970 00:00. You could play around with first adding something like a thousand years and later subtracting it. I suppose your easiest option is to use rex in sed-mode. ... View more

Hi, Can you post some sample lines? It is not completely clear from the context what sort of regex would do the trick. ... View more

Hi Chris, Nope, the precursor should not make a difference. Perhaps you can post some sample values of cidDOB? Because, with my samples it does work. Perhaps it's clearer with two evals: ... |eval temp_stamp=strptime(cidDOB, "%d%m%Y") |eval new_cidDOB=strftime(temp_stamp,"%d/%m/%Y") temp_stamp is now a timestamp as number of seconds since 01/01/1970. You'll see the functions are essentially the same, but this example spells it out a bit more. ... View more

Edited: you want capital %Y for four-digit years (2015), lower case for two-digit (15). Edited 2: I did not catch first that the current value only contains the date. In that case, strftime is not sufficient. Therefore, use strftime and strptime . ... View more

Hi, This should do the trick for you (without changing the value itself) ... |fieldformat date_field=strftime(strptime(date_field,"%d%m%Y"),"%d/%m/%Y") If you want to change the value itself, you would want to use strftime in eval . HTH. ... View more

And five years later, I was struggling to find the command that formats a field without actually changing the actual value of the field. This five year old answer is one that kept turning up. If anyone still reads this, I would really recommend looking into fieldformat instead. This command has been around since 6.0, so it wasn't available five years ago. I noticed with convert that you can have some unexpected results, because it changes the sorting order, e.g. in the output of stats , eventhough you might sort before using convert . Check out fieldformat : http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fieldformat ... View more

Hi again, As tom_frotscher pointed out, there is more than one way to do it (TIMTOWTDI) . If you prefer to use rex, this should do it: ... |rex field=indication "([^-]+-){2}(?<bad_data>.+)$" |where isnull(bad_data) Again, this does not look at the contents itself, only whether there are three parts or not. If you want to ensure that the second part is either "OTHER" or a number as specified, it gets more complicated: ... |rex field=indication "^([^-]+)\s*-\s*(?<middle>[0-9.]+|OTHER)(?<bad_data>\s*-.*)?" | where isnull(bad_data) AND isnotnull(middle) ... View more

Hi aramkrishnan, Based on the input and the description, you could also do this by doing a simple split (using makemv ) and checking whether the third field is null or not. This is a simple solution and it does not look into the actual values. ...|eval ind_split=indication |makemv delim="-" ind_split |eval error_detected=if(isnotnull(mvindex(ind_split,2)),1,0) |where error_detected=0 (If you know that the dash is always surrounded by spaces, you could also use delim=" - " .) ... View more

Yes, rename works well! Thanks! Funny, I thought that + was the only concatenation operator. Ironic, since I have a Perl background and . comes natural to me. I wonder if this is going to change, because I fear this behaviour will surprise many users. ... View more