Timestamp parsing applies as Splunk indexes new data, so any changes you make to that in props.conf will not affect data that has already been indexed. So, in order to get your timestamps right, you will indeed need to reindex your data after making your changes to props.conf (and restarting Splunk in order to activate these changes). ... View more

Have a look at eval 's urldecode function. <yourbasesearch> | eval urldecodedtext=urldecode(_raw) This will take the _raw field's contents, URL decode it and put the result in the field urldecodedtext . More info om the urldecode function here: http://www.splunk.com/base/Documentation/latest/SearchReference/CommonEvalFunctions As for your question 1, there is a search command called xmlkv that automates extraction of key/value pairs in XML for you. Unfortunately it can only take the _raw field as input. You could always rewrite the _raw field yourself using urldecode as above and write the result to _raw , though it is a bit ugly. Nevertheless it works. <yourbasesearch> | eval _raw=urldecode(_raw) | xmlkv Regarding question 2, there's no easy one-liner way to do it that I can think of. Question 3, you could achieve this using rex and apply it to the field codishotel . You'll have to specify how many matches rex should retrieve at most. <yourbasesearch> | eval _raw=urldecode(_raw) | xmlkv | rex max_match=50 field=codishotel "(?<codishotel_value>\d+)" ... View more

Splunk breaks on linebreaks by default. This is defined using the LINE_BREAKER directive in props.conf. However, there's also a directive BREAK_ONLY_BEFORE_DATE that tells Splunk not to break until it finds a timestamp. This defaults to true. Because of this, and because the events in your log do not have individual timestamps, Splunk won't break them up into individual events. There are two solutions to this that I can think of: Set BREAK_ONLY_BEFORE_DATE to false in props.conf. This should make Splunk rely only on the defined LINE_BREAKER for breaking events, and take the time that it received the event as timestamp. The drawback is that you won't know when the event was actually generated, so if you import old logs into Splunk you will get incorrect timestamps. Modify your script to include a timestamp for each event. This would be my preferred solution. ... View more

Use transpose : sourcetype="TIBCO_EMS_SAF" | table RunningCount, NotDeployedCount, UNKNOWN | transpose This transposes the table so that each field gets its own row, which you can then use as source data for your pie chart. ... View more

You could achieve this using eval to split up merchants across either your specific merchant or other merchants. <yourbasesearch> | eval merchant_type=if(merchant_id==5755757,"Current merchant","Other merchants") | timechart span=1d count by merchant_type ... View more

Was it working up until March 13th? I'm not seeing how your TIME_PREFIX applies to the log events, but if the parsing of your log events using epoch timestamps was working and recently stopped working, it seems likely it's due to the epoch bug fixed in 4.2.1: http://answers.splunk.com/questions/12621/since-march-13th-2011-gmt-splunk-no-longer-properly-parses-my-epoch-timestamps ... View more

"?" seems to work just fine for me. Do you have an example of a search + log events that should match but don't? You can also use regex and escape the question mark: * | regex _raw="\?" ... View more