Use the rex command: ..... | rex "" | ....., For example use the following regex to extract indexes.conf into the conf_file variable in the following event: 05-21-2010 17:41:51.166 INFO IndexProcessor - indexes.conf - memPoolMB param autotuned to 512MB ... | rex " - (?<conf_file>\w+\.conf) - "| ..... ... View more

it seems like you've hit a bug !!! The current workaround would be to use another search after the transaction command to filter out "bad" transactions. So: sourcetype=LSWebMessaging | transaction startswith=("epic=DIAAAAACAA5J5AG") maxevents=10 | search "epic=DIAAAAACAA5J5AG" ... View more

I'm not sure I understand what you're trying to do, can you please elaborate a bit more ? ... View more

There are very few suggestions about general eventtype optimization: use app scoping to limit the number of eventtypes a search has to consider eventtypes using just terms/phrases/wildcarded terms are sometimes computationally cheaper than eventtypes with fields in them since eventtyping is done at search time, all fields (indexed, search time, looked up) are treated the same There are two modes in which the splunk UI executes searches: exploratory mode - searches in the flashtimeline view are ran this way in this mode all fields, including eventtype, are required. This enables the users to view the field picker and field summary etc .. optimized mode - searches in the Advanced Charting view are ran this way (the scheduler runs searches in this mode too) in this mode we analyze the search to determine the set of required fields and in most cases the eventtype field is not required, (unless of course the search is using the eventtype ) - thus no eventtyping is done There is one neat trick to avoid the eventtyping even when running searches from the flashtimeline view: simply add "| fields - eventtype" to your search, for example: "search * | fields - eventtype | stats count" - no eventtyping even in exploratory mode Note, that the number of eventtypes a search has to consider will not linearly correlate with the performance of eventtyping - the reason for this is that many eventtypes will share terms, phrases or field comparisons which we evaluate only once. ... View more

This is an outstanding issue (SPL-31786) scheduled to be fixed in our next maintenance release (4.1.4) In the meantime the following search will identify incomplete transactions: ... | rex field=message " function (?<repFunction>.[a-zA-Z]+)" | transaction thread_name repFunction startswith=(message="Calling function*") keepevicted=t | search NOT message="Completed calling function*" ... View more

This is an outstanding issue (SPL-31786) scheduled to be fixed in out next maintenance release (4.1.4) The following search might do what you want (if ID is a unique id at least within the 60 seconds that the transactions are supposed to last): host="host1" source="C:\\logs\app*" ("DBG User made a request" OR "request acknowledged") | rex "DBG User made a requst: Foo \((?<ID>\d+)\) \[" | rex "DBG reply for user (?<ID>\d+): " | transaction ID maxspan=60s startswith="DBG User made a request" | search NOT "request acknowledged" ... View more

the alert script should be placed in: $SPLUNK_HOME/etc/apps/<app>/bin/scripts/ The error message you're seeing occurs because splunk first looks in the above app level directory and then falls back to the system level script location $SPLUNK_HOME/bin/scripts/ - if a script is not found at the system level a failure is reported and the system level dir is output. ... View more

What version is this happening in? Also was this a one time occurrence or scheduler.log contains multiple warn messages? There is an open issue for this: SPL-33391 ... View more

The recommended way to access the summary events is to use source="". Usin search_name="" should work too, so I'm a little puzzled. Can you post how the event looks like and what version of splunk are you running? ... View more

This was a (harmless) bug fixed in 4.1 ... View more

when a bucket is moved from hot to warm splunk runs a splunk-optimize which generates the optimize.result file followed by splunk-optimize-lex. The reason splunk-optimize-lex waits for a optimize.result is that it can only operate on optimized buckets. ... View more