@ cfrantsen - I think maverick is saying you can utilize Splunk's alerting feature, only instead of specifying to send an email alert when the search runs and finds the duplicates, you will choose the last option in the scheduled saved search popup window and tell splunk to simply add the dedup'd search results into a secondary index that you create on the indexes management page exactly for this purpose. ... View more

I believe you can do what you are wanting by overriding Metadata:Sourcetype in your transforms.conf file based on the regular expression (i.e. REGEX=foo ) pattern match and then mapping it to syslog sourcetype in your props.conf file. However, I believe a better practice, depending on your particular reason for wanting to override the sourcetype, would be to leave it as syslog sourcetype and then creating an eventtype for each of your 40+ "situations". That way you have flexibility to add, delete, and/or change the eventtype definitions as you need to, without having to re-index the syslog events. (See this page regarding eventtypes and how to setup:) http://www.splunk.com/base/Documentation/latest/Knowledge/Configureeventtypes You can also create host tags as well, to group your hosts together for easier logical searching across common host groups, which when combined with eventtype, makes for a very powerful combination to leverage at search time, rather than at forwarding/indexing time. (see this page regarding tagging your hosts:) http://www.splunk.com/base/Documentation/latest/Knowledge/Tagthehostfield ... View more