If I have a basic input which sets the sourcetype, configuring a timezone offset works great: In inputs.conf: [monitor:///path/to/foo.log] sourcetype = foo In props.conf: [foo] TZ = GMT If I have to setup flexible sourcetyping, the above configuration does not work: In inputs.conf: [monitor:///path/to/foo.log] In props.conf: [source::...foo.log] TRANSFORMS-abc = setFooSourcetype, setBarSourcetype [foo] TZ = GMT I'm guessing the timezone is set before the new sourcetype is applied so that is why the TZ parameter is not honored. So I then tried to set the timezone offset using host, which also does not work (no matter the ordering of the stanzas): [source::...foo.log] TRANSFORMS-abc = setFooSourcetype [host::foohost*] TZ = GMT What other options do I have? I'm not sure where in the indexing pipeline metadata is set. ... View more

I'd like to provide a table where the event count for today and yesterday are displayed. For example, count by status for access logs: status | today's count | yesterday's count ------------------------------------------ 404 10 13 500 20 24 503 15 10 Is this possible? ... View more

When setting up an indexing server to receive data from Splunk forwarders, are there good technical or management reasons for using multiple receiving ports? ... View more

On the Search App > Status > Index activity dashboard, there is an Index health report showing the bucket spread over time. In observation, it is reporting on the main index. This report is generated by the search " | dbinspect bins=400 ". The documentation could use a little more detail. Is it correct to assume the default index is main? ... View more

If a size- or time-based retention policy is set via maxTotalDataSizeMB or frozenTimePeriodInSecs in indexes.conf, how often does Splunk check the datastore to see if either of these conditions has been met? Splunk checks on startup/restart, then how often in between? Is this interval tunable? I didn't see anything in indexes.conf.spec. ... View more

It is a subtlety of the search language that keyword searches run against the raw event data only. To search metadata fields like host, source, sourcetype, one would use the host=/source=/sourcetype= field modifiers. Is there a toggle to enable keyword searches to execute on metadata? For example, take the following event: Wed Mar 3 19:04:51 2010 action=update, path="/etc/hosts", isdir=0, size=236, gid=0, uid=0, modtime="Tue Mar 2 11:51:00 2010", mode="rw-r--r--", hash=, chgs="modtime " The metadata associated with this event is host=myhost , source=fschangemonitor , sourcetype=fs_notification . If you wanted to find all the fschange events from this host, you couldn't simply type in myhost in the search bar. You need to use host=myhost . Is it possible to change the default search behavior so that a search on myhost would find these events? ... View more

If I have a field value that is URL encoded then base-64 encoded, is it possible to have Splunk decode this field before indexing (maybe via a custom processor)? Has anyone done this before? Is it recommended? How difficult is it? This is probably easily done with a custom search script at search time, but that is a less desirable approach as a user would need to have advanced understanding to run the search through this custom search command. Here is a sample event with the body field encoded: 2010-02-26 03:19:29 : LOG: M=Ce3zW5GtsGE= A=anonymous S=48976970336315650 pt=100001 body=T%3d2010-02-26%2003%3a17%3a45%20PST%26L%3di%26M%3d%5bg2mfeedback%5d%26N%3d553%26X%3d%253cG2MFeedback%253e%2520FeedbackTracker%253a%253aupdate()%2520lastUpdateTime%25201267183021171%2520curTime%25201267183051205%2520timeSinceUpdate%252030034%2520currentAttentivenessState%25201%2520_currentSatisfactionState%25202%2520-%2520Tracker%2520025A6658%252c%2520Seconds%2520in%2520great%252039818%253b%2520fair%25200%253b%2520poor%25200%253b%2520attentive%252039818%253b%2520not%25200%0d%0aT%3d ... View more

Technically, summary indexing can be configured on either the search head or indexing server. Are there advantages/disadvantages on having it on one versus the other? ... View more

Would someone confirm the following observations regarding data input configuration via inputs.conf? when using wildcards in the spec header, the wildcards expand into a whitelist such that anything set by the _whitelist parameter is overwritten the _whitelist and _blacklist parameters cannot be used simultaneously in the same input overlapping inputs are not allowed If any of these are false, would you kindly explain? ... View more

In inputs.conf and props.conf, the wildcards ... and * are supported for use in the spec headers. What do they translate to in PCRE? This is useful to know because sometimes the resulting matches are confusing. ... View more

The use of LINE_BREAKER is a bit cryptic to me... ok, a lot. But I think I've managed to figure out how to break my XML elements into events... sorta. Here's a data sample: <Exception><Description>some ugly exception</Description><StackTrace>woah</StackTrace></Exception><Exception><Description>another ugly exception</Description><StackTrace>lots of stuff</StackTrace></Exception> With this config in props.conf: [foo] SHOULD_LINEMERGE = false LINE_BREAKER = ()<Exception> Since the <Exception> elements do not appear on a new line, it seems LINE_BREAKER is my only option in props.conf to specify where to make a new event. The trouble is LINE_BREAKER requires at least 1 matching group, and the contents of the matching group do not appear in the event. The rule above effectively eats the opening bracket, such that events appear like this in Splunk: Exception><Description>some ugly exception</Description><StackTrace>woah</StackTrace></Exception> Exception><Description>another ugly exception</Description><StackTrace>lots of stuff</StackTrace></Exception> How disgusting. Is there some regex magic to put the < back in Exception> ? ... View more