Using printf conversion function this is possible using something like printf("%04d",fieldName) . Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConversionFunctions#Flag_characters Following is a run anywhere example: | makeresults | fields - _time | eval data=1 | eval padded_data= printf("%04d",data) ... View more

Starting in Splunk 6.6 (released today) you can add custom HTTP response headers by setting replyHeader.NAME=VALUE in web.conf. See the web.conf.spec file for details. This setting isn't available if you're running in the deprecated legacy appserver mode (i.e. appServerPorts=0) Hopefully nobody is still doing that, though. ... View more

Worked for me too. Thanks muchly... ... View more

mitch-1's solution of time_before_close=120 lessened the problem for us but didn't solve it. We have multiline events with timestamps on each line and every 3 seconds (the default time_before_close) the universal forwarder would cut off the most recent event and send the data to the indexer, splitting a single event into 2 events (or even 3 sometimes if there was a pause > 3s). We tried both LINE_BREAKER as well as BREAK_ONLY_BEFORE to no avail. time_before_close=120 helped a little as it made it so that incorrectly-split events happened every 120 seconds instead of every 3 seconds. After working with Splunk support for about a month they confirmed that this is just how the universal forwarder works. The workarounds available were either 1) buffer the logs in memory until an "event" was complete and write the entire event to disk at once, or 2) user a heavy forwarder (apparently it has extra capabilities which can be configured to solve this problem). We ended up going with option 1 (buffering) and it solved the problem completely. ... View more

This is the case for Splunk 6.1.x as well. ... View more