If i have understood your situation correctly you can do one of the two things: If there is a field that is specific to you then you can have a regex that only allows events with that field to come in, and everything else go to a nullqueue. Check this doc's page for more info on nullQueue and find out if this would work for you: http://www.splunk.com/base/Documentation/4.1.5/Admin/Routeandfilterdata#Filter_event_data_and_send_to_queues If you convince ABC to install splunk on their own servers and are able to distribute-search to it, then you can create props and transforms such that the data that is specific to you goes to a separate index, say xyz - and based on user/roles privileges allow you to only search this xyz index and nothing else. Here's some more documentation on this: http://www.splunk.com/base/Documentation/4.1.5/Admin/WhatyoucansecurewithSplunk Hope this is at least a good start for ya! .gz ... View more

Ok folks, working with the customer we were able to find out what the issue is: It appears that the event in the logs does not get written (appended) to the file immediately. It seems the first line gets appended, then a bunch of lines (about 10-20) and lastly the ending 30 lines. There is about a 3 seconds pause between each of these bunches being appended. To test this we did two things: - we shut down splunk for around 10 minutes and waited for the log to be populated with new events, when restarting splunk the events got parsed correctly and had the correct breaking. - we tailed the file and the customer could see the three seconds delay. Have already suggested the customer to include some type of a delay in the reading of the data in order to overcome the 3 seconds delay. ... View more

If you want to extract a data field then you can do the following: Note this is a log file that has , as delimiters. You can then use two methods: 1 - using delims: http://www.splunk.com/base/Documentation/4.1.5/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Configuring_delimiter-based_field_extraction 2 - Using a regex. (note that your timestamp is always the 4th field, so setting up a regex that grabs this should work) something like: ^[^,]*,[^,]*,[^,]*,(\w+) Basically a props.conf that does something like this: [yoursourcetype] EXTRACT-TIME = ^[^,]*,[^,]*,[^,]*,(?P<time>\w+) However i think you can actually get the correct timestamp by trying to modify this: http://www.splunk.com/base/Documentation/4.1.5/admin/Configuretimestamprecognition specifically: [yoursource or sourcetype] DATETIME_CONFIG = <filename relative to $SPLUNK_HOME> MAX_TIMESTAMP_LOOKAHEAD = <integer> TIME_PREFIX = <regular expression> TIME_FORMAT = <strptime-style format> TZ = <posix timezone string> MAX_DAYS_AGO = <integer> MAX_DAYS_HENCE = <integer> so in your case i think it should be: TIME_PREFIX = ^[^,]*,[^,]*,[^,]*, TIME_FORMAT = %y%m%d%H%M%S Try that and let me know if it works, .gz ... View more

The file that is already under a tracked folder should be picked up automatically by splunk as soon as it gets turned on. To monitor the new file all you have to do is login to splunk, go to manager, then data inputs and then files and directories. There you can tell splunk to monitor the new file and the parsing should start immediately. Follow these breadcrumbs: Manager » Data inputs » Files & Directories » Add New ... View more