Have you tried: [source::C:\Users\...\Splunk\*_dbg.txt] According to the documentation Splunk uses 3 dots (...) to recurse through directories until the match is met: http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Specifyinputpathswithwildcards Usually it is better to work with sourcetypes rather than using sources for your stanzas in props.conf (but maybe you're using the config you have for a reason I don't know): http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whysourcetypesmatter Regards Chris ... View more

Splunk does not keep track of every line it has ever read. And you can't modify records in Splunk like you can in a "normal" DB. Splunk works with checksums on files by default the first 256 and the last 256 bytes are used for the checksum (plus a pointer up to where a file was read). If the checksums do not match Splunk thinks it's a file it has never seen before and it will read it again. Why are you changeing "abc" to "xyz" in your file? Maybe someone can tell you how to solve the problem with Splunk. Or maybe Splunk is not the right tool for you. Regards Chris ... View more

I still do not see what is not working with your events. If you do not know if you have any manual field extractions configured you probably don't have any. I have encountered sourcetypes where Splunk did not work in 100% of the cases. What I usually do then is switch to a manually configured extraction. If you do not know about props & transforms yet -> read this documentation There is a GUI field extractor that might help -> documented here I don't use it so I can't tell if it will work for your problem If you have access to the file system of your Splunk server you can either create or add the following stanzas to props.conf & transforms.conf in /etc/system/local props.conf [replaceWithYourSourcetype] KV_MODE=none REPORT-test=delims transforms.conf [delims] DELIMS = " ", "=" ... View more

In the events of the habanero instance there is a line with the queue id of the nagaviper instance: Sep 5 11:04:27 habanero postfix/smtp[52618]: 8966F601B4: to=<user@123.com>, relay=nagaviper.123.com[192.168.1.67]:25, delay=0.32, delays=0.27/0/0/0.04, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B570F448E65) You could try the following: | transaction queue_id keepevicted=true maxspan=60s| rex "queued\sas\s(?<matching_id>[^\)]+)" | eval matching_id=coalesce(matching_id,queue_id) | transaction matching_id keepevicted=true The rex command will extract the id in the habanero events and will fail in the nagaviper events The coalesce command will fill matching_id with the first value it will find. Which is matching_id for the habanero events and queue_id for the nagaviper events Then you can use the final transaction cmd ... View more

I'm not sure I understand what you are trying to do but this might help: index=* | lookup flatorg "1" as person OUTPUT "2" as manager | search [inputlookup flatorg | search "1"=op | fields "2" | rename "2" as manager ] | stats count sum(field) values(field) by person I'm assuming that the fields in your sourcetype are person (values are fk and op) and field (values are 3,6,1,5) the third field is not used. Let me know if this helps. ... View more

I had to set the alert condition of the alerts to something different that "always". This prevents splunk from creating a directory every time the alert is run/triggered which is a lot for rt alerts. ... View more

I recommend that you have a look at how the Splunk CIM can be used to normalize your field names. The coalesce function for the eval command used below will make sure that you have a "user" field in both your sources. You might be able to correlate your events using the transaction command: source="A" OR source=VPN | lookup lookuptable.csv app_user | eval user=coalesce(ad_id,citrix_user) | transaction user | where eventcount > 2 |where mvcount(source)>1 | table _time, trader_login, ad_id, citrix_user, action The transaction command will group the events that belong to one event. It has options to define the limits of the events that belong together such as maxspan or startswith. You could use the startswith parameter with a string that identifies your vpn login. By searching for transactions with an eventcount > 2 and that consist of events from mor than one source you should get results with a login event, a "source A" event and a logout event (this might need fine tuning though). Just another thing I've noticed, is that you search for sources in your search. Usually it is best to use sourcetypes. But you might have a reason for doing it this way. ... View more