There are several ways to send, but the easiest is to set up Splunk to listen on a plain TCP or UDP port, and have your program send out the log event to the server/port as a text string, i.e., just print a simple log line to the socket. ... View more

When you run eval, the final result is rounded to a precision appropriate to the precision of the input results. The precision of the final result can be no greater than the precision of the least-precise input. Note that you will get results expressed differently if you do 8.250 * 0.2 vs 8.250 * 0.20 vs 8.250 * 0.200 . This can be problem if by 0.2 , you actually mean 0.2 to an arbitrary number of digits of precision . If that is what you mean, then you can express that by using exact(0.2) instead of 0.2 . ... View more

This will work: NOT message.request.authorization=* See also http://answers.splunk.com/answers/6981/which-is-better-not-or ... View more

R.Turk has mostly the right answer. To be very specific, it's because of the way Splunk tokenizes words that go into the index, and how it searches on fields. Basically, because your field values are not tokens, Splunk doesn't store or find the value in the index. I don't want to go too much into tokenization, but basically, Splunk will only create tokens (which is just what we call "words in the index") based on certain character breaks. It happens that with your data, the default settings in Splunk are indexed as a single word/token Search on field values in turn searches the index for the field values first, then extracts, then validates that the extracted fields have the right values. Because they aren't there, you won't return the results in the first search. You have two good ways to fix this: Create indexed fields. This will ensure that your specified field values can be found. Modify fields.conf to look in the index differently. R.Turk's method will work, but will be extremely inefficient in most cases since setting INDEXED_VALUE = false simply tells Splunk to not look for the value in the index, but to return all events that otherwise match, extract, and then filter out values. Unfortunately, given how your data is tokenized, you're not going to be able to get a much better way, so that will work for you. You could use INDEXED_VALUE=*<VALUE>* , but I don't believe it will behave or perform differently. You have one rather risky and experimental way to fix this, which to be honest, I'm not sure will work, but if it does it would perform a lot better: create a custom stanza in a segmenters.conf file: [my_custom_segmentation] MAJOR = [ ] < > ( ) { } | ! ; , ' " * \n \r \s \t & ? + ^ \x1f MINOR = / : = @ . - $ # % \\ _ basically, you're adding ^ and 0x1f as major breakers in your data. The questionable part is, I don't know what the correct syntax for including 0x1f actually is, so I'm guessing. I'm not even sure it's possible. set up your indexed data sourcetype to use it in props.conf, adding this to the stanza for the sourcetype on your indexers: [my_sourcetype] SEGMENTATION = my_custom_segmentation Note that any changes to indexing properties (including either indexing fields or modifying index segmentation) would require data to be reindexed to have proper effect. ... View more