I have data incoming via TCP syslog. I have created the following transforms to process them: etc/system/local/props.conf: [source::tcp:1514] TRANSFORMS-windows = set_sourcetype_snare, set_source_wineventlog etc/system/local/transforms.conf: [set_source_wineventlog] REGEX = AgentDevice=WindowsLog.AgentLogFile=(.?)\s FORMAT = source::WinEventLog:$1 DEST_KEY = MetaData:Source [set_sourcetype_snare] REGEX = AgentDevice=WindowsLog FORMAT = sourcetype::windows_snare_syslog DEST_KEY = MetaData:Sourcetype These work as expected, and the source and sourcetype are set accordingly. However, I expected that setting these two fields would also trigger some other Splunk built-in transforms. For example: [splunk@l1807s local]$ ~/bin/splunk btool props list windows_snare_syslog [windows_snare_syslog] ... TRANSFORMS = syslog-host and [splunk@l1807s local]$ cat ~/etc/apps/Splunk_TA_windows/default/props.conf ... Apply the following properties to all Windows events [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] ... FIELDALIAS-event_id_for_windows = RecordNumber as event_id ... As far as I can tell, the default processing is not happening. I see the source and sourcetype fields as set by my transforms, however for example I don't find the field event_id , and host is incorrectly set. What am I doing wrong here, and how can I achieve the intended behaviour? ... View more

I am running the following search: "authentication failed" | stats count by user, sourceip | sort -count | head 10 Which produces a table with three columns: user, sourceip and count, like so (scrubbed data): I would like to display this in a bubble visualization, where the X and Y axes map to my users and sourceips, and the size of the bubble maps to the count. Is there any way to do this? ... View more