I can think of at least one valid use case for using multiple timezones - if your team works globally and wants to know what local time at the originating site is (for example to decide whether something happened during workhours or not). Yes, it could be done differently but showing local times is the most natural thing. But I admit that it's a relatively rare use case and allowing users to easily display dates in various timezones (especially without explicit timezone information in the rendered timestamp) can lead to a huge load of confusion and badly created dashboards. ... View more

Hi, is the problem that these extractions don't work, or that you're still smashing the license? I'm about to do something similar, via a HF - do let me know how you get on. I will probably post back here with results... First time using INGEST_EVAL too! ... View more

As you have pure json event you probably could try INGEST_EVAL with json_extract? https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/JSONFunctions#json_extract.28.26lt.3Bjson.26gt.3B.2C_.26lt.3Bpaths.26gt.3B.29 ... View more

The short answer is that you changed the sourcetype before your [instance] transform could operate on it.  I get that this question was first asked 6 years ago, but hopefully this answer reveals similar issues that others may be encountering. Transforms are applied in alphabetical order by the props name and in the order set in each transforms call. The order set lists createsource first and instance second: [tomcat-appl] TRANSFORMS-set = createsource, instance So, [createsource] changes the sourcetype so that the data no longer matches "tomcat-appl" for [instance] to apply to it. Listing the props transforms calls separately follows the props name rule, where props are called in alphabetical order by prop names: [tomcat-appl] TRANSFORMS-instance_set = instance TRANSFORMS-createsource_set = createsource [createsource] starts with a "c", which is before the "i" of [instance].  So [createsource] applies first and changes the sourcetype so that [instance] cannot apply to the data (different sourcetype now). ... View more

Trying using our app , http://splunkbase.splunk.com/app/668/ , which is the original JMX App. ... View more

I think the problem is that you don't need to use INDEXED_EXTRACTIONS at all if you don't intend to have Splunk extract the data based on the field headers at the top of the CSV file. I think DELIMS is also a search-time extraction and it doesn't have any reliance on INDEXED_EXTRACTIONS. So you can use PREAMBLE_REGEX but just don't use INDEXED_EXTRACTIONS. Don't treat it like a CSV file, just treat it like a log file. ... View more

This does appear to get the job done. Upvoted/accepted. ... View more

Enjoy your karma. ... View more

We would definitely need a sample search using which you can get site information from each index separately. For now give this a try index=index1 OR index=index2 | chart dc(site) over site by index | where index1=0 OR index2=0 ... View more

I tired indexing data using GUI. There is no issue in line breaking. This line break issue not happened every day . It happens randomly one day 1 event get splitted another day 2 events but not more than 2 events. No issue in some days ... View more

Is there any reason to use index time extractions over search-time? Search-time extractions are better in 99% of cases. This is an overly complicated solution for something that could be done with just the search time extraction? ^Remark\=\"(?P<Remark>[^\s]+) ... View more

As someone already mentioned it's difficult to understand what that regex is supposed to be doing. My understanding from the example data and the "bluecoat_categories" stanza you posted is that it should be taking this block of log data: 2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com 173.222.148.19 None - - OBSERVED "Technology/Internet;Non-Viewable/Infrastructure" - 200 TCP_NC_MISS GET application/zip http liveupdate.symantecliveupdate.com 80 /sepc$20virus$20definitions$20win64$20$28x64$29$2012.1$20ru6_microdefsb.curdefs_symalllanguages_livetri.zip - zip "SEP/12.1.6318.6100, MID/{AE0696BC-BC71-CDA9-C292-88E224F7E9F3}, SID/59" 166.45.51.140 7735 447 - "Symantec Live Update" "Update Software" unavailable 27222a8161c3a978-0000000000bc77b0-0000000057981205 - - And pulling out this value: 2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com 173.222.148.19 None - - OBSERVED "Technology/Internet But what you're actually looking for is: Technology/Internet;Non-Viewable/Infrastructure The regex for extracting that is wrong here and in the link you posted. But it's probably supposed to be this...: (?:[^;]+) It is basically saying "Capture everything except a semicolon and then stop" which seems like it wouldn't work that well. So while I think the regex I just posted is the 'correct' regex, I don't think it's very good. Maybe try this: ^(?:[^ \n]* ){12}\"([^\"]*)\" Translated this means: Start at the beginning of the log line. Match everything except spaces and a newline 12 times (I'm assuming a single space is the only delimiter between these columns and doesn't occur in the fields leading up to it... can change it if necessary), at which point capture everything that occurs after a quotation mark before encountering a quotation mark. ... View more

This would work as a props configuration. Just take whatever you need. The regex may be different if only because I can't tell if your timestamp line starts with a space or not, so I've included both. This one will assume there is no space: SHOULD_LINEMERGE=true BREAK_ONLY_BEFORE=^(\w{3}\s\d{1,2}\,\s\d{4}\s\d{1,2}:\d{2}:\d{2}\s\w{2}\s\w{3}) MAX_TIMESTAMP_LOOKAHEAD=27 If there is a space: ^(\s\w{3}\s\d{1,2}\,\s\d{4}\s\d{1,2}:\d{2}:\d{2}\s\w{2}\s\w{3}) ... View more

That does indeed the give the effect I'm looking for. ... View more

I just had a thought that maybe someone would like to weigh in on... no matter how I configure the props.conf, the events, for the most part, seem to always break the same way. I can't find any rhyme or reason to it. I've looked at my regex, thinking maybe it was too greedy... I changed it to something more limited: ([\d+-\d+-\d+\w+:\d+:\d+][\w+][\w+][\w+].-{18}) I've even taken the regex out and changed several other settings... while this affects things in a minor way, the breaking actually works more or less the same. Thinking it was timestamp related, I set DATETIME_CONFIG to NONE... and it still doesn't work (though I can see the setting is making the data offset with Splunk's indexed time by a a few seconds). How is this for a theory... it occurred to me that maybe it's not the timestamps causing the issue but the timestamps are more indicative of when the file has been opened/closed by the app writing the log... what if the app is constantly writing it "End of File" everytime it adds a block of log data? How would the Splunk heavy forwarder handle this information? How would it join these events, if it keeps seeing an end of file for the log? Just a theory... that maybe this is getting broken in some way that isn't related at all to the property settings? ... View more

Give this a try HF props.conf [source::E:\\Tomcat-\PVSP*\\logs\\server_frontend.log] ...your event processing attributes TRANSFORM-sourcetype = set_sourcetype ... View more

Splunk does take care of rolling over files (read the last unread content), so you should be good. What I would suggest is to read just the base file splunk_audit.log and change your monitoring stanza to remove wildcard. Redo the same steps (restart and list monitoring) and let's see if that helps. ... View more