There is s different count of fields so, a single REPORT with DELIMS/FIELDS will not necessarily do it for you. Haven't tried working with overlapping REPORTs, but that may work. What you could do is two EXTRACTs in props.conf Btw, (?:[^:\n]*:){4} looks rather odd in the beginning. Perhaps you could write ^[^,]+, instead to jump over the timestamp. EDIT: TYPO ... View more

Not that I have tried it, but - as it says in the docs; * Lists a set of networks or addresses to accept connections from. These rules are separated by commas or spaces From that statement I would guess something like this should work for blocking more than one host: acceptFrom = !10.1.2.3, !192.168.1.0/24, !*.test.domain.com /k ... View more

can be: 1. , the source type of an event. 2. host:: , where is the host, or host-matching pattern, for an event. 3. source:: , where is the source, or source-matching pattern, for an event. 4. rule:: , where is a unique name of a source type classification rule. 5. delayedrule:: , where is a unique name of a delayed source type classification rule. These are only considered as a last resort before generating a new source type based on the source seen. ... View more

[ ] * This stanza enables properties for a given . * A props.conf file can contain multiple stanzas for any number of different . * Follow this stanza name with any number of the following attribute/value pairs, as appropriate for what you want to do. * If you do not set an attribute for a given , the default is used. ... View more

For a sourcetype, the syntax is [insert_sourcetype_here] For a source or host, the actual value will need to be preceded by source:: or host:: respectively, e.g. [source::c:\blah.log] See the docs on props.conf which discusses this in the beginning of the page. http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/propsconf ... View more

You should not change it on the forwarder, but on the Splunk instance where the parsing takes place. This is usually the indexer. And props.conf can exist in many different places. And they all count, since they're merged together at runtime (when splunk restarts, or re-reads the configs). The one place where settings will always work is in /opt/splunk/etc/system/local. Open the props.conf there and make your adjustments. http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Propsconf This is a pretty short answer to what might develop into several follow-up questions. But please - do take the time to read some documentation. Especially on the topics of configuration file precedence, and the splunk data pipeline. http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Wheretofindtheconfigurationfiles http://docs.splunk.com/Documentation/Splunk/6.1.3/Deploy/Datapipeline /k ... View more

You could probably submit some more info, especially on just how you want the combined information to look like. One thing that you might try is the transaction command. Assuming that the KQ25B6P is some sort of SessionID, perhaps ... | transaction SessionID max_span=1s | might work for you. /k ... View more

Are you sure that these are separate events? If not, perhaps you need to add the max_match parameter to rex to create a multivalued field? ... View more

You have a leading space as part of your rex statement, could that be the culprit. I think you should perhaps post a few full events, not just the the partial events. /k ... View more

Thanks! /k ... View more

Haha, it's the answer to a different question! Perhaps the example in the original post is just an example. Anyway, how does DELIMS work under the hood - is it based on regex? I mean, I could see that DELIMS = "," is easily stated as ([^,]*),\s*? But is it another mechanism that actually does it? Could it be more efficient to write an EXTRACT or REPORT regex, than to rely on DELIMS/FIELDS? /k ... View more

Perhaps I'm missing something, but wouldn't this be easier to do a REPORT with DELIMS/FIELDS. It seems like a classic example. props.conf [my_sourcetype] REPORT-blah = get_my_fields transforms.conf [get_my_fields] DELIMS = "," FIELDS = date, time, userid, term, blah, bleh, bluh Makes sense? /k ... View more

Yes, in general a good idea. No need to invent sourcetypes if those that exist are good/relevant. Remember that the retention time of an index relates to the event timestamps, not when the logs were ingested. Keeping a too short retention time could cause them to be deleted before you have time to make the analysis. ... View more

"thousands of hosts with no obvious naming conventions". He wants 2 different sourcetypes. But the post is almost a year old, and maybe he solved the problem already. 🙂 /K ... View more

?? that would mean one sourcetype per host... assuming that you'd put the whole REGEX as capturing group. And the hosts were not named in such a fashion. .. and @robf has already been down that road. ... View more

%e is for days 1..31, instead of %d , which is 01..31 /k ... View more

First of all, ports are configurable (by you). However the de-facto 'standard' is 9997 for logs from Forwarder to indexer, and 8089 for communication between Splunk instances (searches, deployment traffic). Deployment traffic is normally not 'relayed' in the same way that log traffic is/can be. If you already know the ip-address of your DS, you should put that info in deploymentclient.conf on the UF (see the docs), and open the fw accordingly. Remember that it is the UF that makes the connection to the DS, not the other way around. /k ... View more

If you have (as @kbecker shows) created a field which holds the combined date and time information, you can get the epoch representation like so; your_search | eval combined_epoch = strptime(combined, "%y%m%d %H%M%S") | eval nice_date = strftime(combined_epoch, "%m/%d/%y %H:%M:%S") Note that it is important that the strptime variables actually match the contents of the field combined . In this case 140823 095421 is ok, but none of the following will work; 20140823 09:54:21 14.08.23 095421 2014-08-23 09:54:21 So basically you need to look at the data you have, and specify how parse the time string into epoch (str*ptime). Then you can decide yourself how you want to **format* the epoch timestamp (str*f*time). See the docs, or link below for common variables; http://www.strftime.net /K ... View more

Just ensure that the maxTotalDataSizeMB (i.e. the max size of the index) is set sufficiently high so that the size constraint doesn't apply before the time constraint. Also, make sure that you have enough diskspace. /k ... View more

Perhaps this can enlighten you; http://answers.splunk.com/answers/130030/how-does-one-search-for-a-cidr-range-of-addresses /K ... View more

It will be even more difficult doing it inline in the search. The point of extracting fields on a per-sourcetype basis (through config files) is that the regexes only get applied to events of that sourcetype. This is one of the main reasons behind the concept of sourcetypes - events that share a common format are to be considered a sourcetype, because configurations like field extraction can be set on the sourcetype level, rather than host or source/path level - or a combination thereof. /k ... View more

The problem is that while host=myhost is set in the input phase, data with the syslog sourcetype will be sent to a transform that rewrites the hostname to whatever comes after the timestamp in each event. If you change the sourcetype to something other than syslog this host override will not happen. /k ... View more