Outputcsv will only write files to splunk's var/run/splunk directory, for security reasons. It will not write to arbitrary file system locations. You could, I believe, create a symlink (or hard link) to a directory under there and write to that location however. ... View more

You should not have quotes in the format string. There is something off in the configuration you have provided. Basically if Splunk is unable to match according to what's in TIME_FORMAT / TIME_PREFIX /etc in props.conf, it will fall through to the internal default rules (which are defined in etc/datetime.xml). I would not entirely take the opengroup docs as absolutely definitive, as Splunk has a couple of extensions to the format. But do I think that if you data is in fact in that single-line CSV format, and the timestamp is the first entry, you should be able to use: SHOULD_LINEMERGE = false TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %d/%m/%Y %I:%M %p Another possibility I suppose is that the sourcetype simply isn't getting applied to your data, and it's still using the defaults. A quick and dirty hack you can use to try to see what might be the case would be to modify the default fall-through rules in datetime.xml file and switch the order of the "usdate" and "eurodate" formats listed in the "datePatterns" section of the file. You can do this a couple of ways. One way, just copy the file to a new location, make the changes, then add: DATETIME_CONFIG = /etc/newdatetime.xml (path is relative to SPLUNK_HOME ) to your sourcetype. If that works, then it indicates that the sourcetype is matching, but for some reason the specified TIME_FORMAT isn't being applied. The second test would simply be modify the original datetime.xml. If that has no effect, it would indicate that the sourcetype matching is not right for some reason. ... View more

Thanks for all the suggestions! I have to use a specific start time for my use case -- but based on the suggestions in comments, I've gotten this to work: Here is my query with subsearch [search index=summary marker=abc earliest=1350595800 | rename info_max_time as _time | format maxresults=0 ] OR index=main sourcetype=xyz OR sourcetype=123 earliest=1350595800 | timechart span=10m count(eval(sourcetype=="abc")) as XYZ count(eval(sourcetype=="123")) as 123 count(eval(marker=="abc")) as ABC ... View more

As with http://splunk-base.splunk.com/answers/11680/sedcmd-not-executing, if there is a heavy forwarder processing the data before the indexer, the SEDCMD and other parsing happens there. See http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings for more details ... View more

Hello, I am the supreme reigning idiot. I was missing this in commands.conf for the custom search command: supports_multivalues = true ... View more

Issue solved. Replaced TRANSFORMS-vievents with REPORT-vievents. Reboot splunkd. Also needed to rename some field names as they overlap with existing splunk fields: EventType, Host ... View more