Hello.  I have a large data set that I'm working through that gives either a 5 digit number or a "-" if there is no value. I have my search results but I can't seem to get them into the format I'm looking for.  I'd like to get the results into a format showing Room 1  Set (total) Unset (total) And the same for Room 2, 3, 4   Query Index=acme dvc_room="*" station="*"  Output  index=acme dvc_room=4 station="-" index=acme dvc_room=3 station="123456" index=bluecoat dvc_room=2 station="-" index=bluecoat dvc_room=1 station="56132" index=bluecoat dvc_room=3 station="-" index=bluecoat dvc_room=2 station="56132" index=bluecoat dvc_room=4 station="56132"   Any help would be appreciated.  ... View more

I need to write a search to report on what devices are sending logs to my heavy forwarders using syslog-ng to the /var/log/splunk/* directory. The issue is those directories under Splunk are mostly by IP address instead of host name. I'd like to map the source log location to the index or vendor type which I could then use to determine if every device log type is actually being ingested into Splunk. I tried Index!=_* | chart count by sourcetype, host limit=100 but it doesn't identify the folder the log is in. Any ideas would be helpful. ... View more

I've installed the Splunk for Palo Alto app and while attempting to configure it found this reference. "In the inputs.conf file, add the following configuration. For UDP syslogs, make sure to include the line no_appending_timestamp = true. [udp://5514] index = pan_logs sourcetype = pan_log connection_host = ip no_appending_timestamp = true" The issue is my Palo logs are already in Splunk with the following (multiple source types). Index=paloalto sourcetype=pan_traffic sourcetype=pan_threat sourcetype=pan_system sourcetype=pan_config How do I change the app to meet my current configuration. I guess I'm a bit lost on what exactly to do. I've tried to modify the XML but it doesn't seem to work. Thanks, M ... View more