One thing that I've noticed, and it may be something that I'm doing incorrectly, is that when I search for an event containing, say, "connected from" and I get, say, 15 results, and then attempt to run the extraction on those results, it pulls everything else in as well. Often more than 1000 lines of information are shown, without what I was specifically searching for being available. The default Splunk extraction utility does the same thing.
For example, in our firewalls, we log packet teardown data as well as the VPN logins. So, if I issue "WEBvpn session started NOT Teardown" I end up with the results that I'm looking for, just the VPN session started events. Then, if I attempt to use either the internal extraction utility OR this app, up to 1000 events, regardless of whether I'm using latest, diverse or outliers, I end up with all of the Teardown information clogging up the results.