Hi @SplunkDash  OK that is clearer and it can be done.  Give this a try in the heavy forwarders props.conf file. LINE_BREAKER = ([\r\n]*<\?xml.+<DSDATA>|</MODTRANSL>|</DSDATA>|[\n\r]) # to make XML valid again, re-append the </MODTRANSL> tag stripped in line breaking capture group SEDCMD-re-append-trailing-tag =s/$/<\/MODTRANSL>/ A good way to play with this is with a test file uploaded via the Settings > Add Data wizard. ... View more

Hi @SplunkDash  1. For the text files you look to have a typo with Splunk docs showing it should be HEADER_FIELD_LINE_NUMBER = <integer> Also, the docs show the  INDEXED_EXTRACTIONS as  capitalized, e.g. INDEXED_EXTRACTIONS = PSV  Not 100% sure capitalization would make a difference but worth a go.  As INDEX_EXTRACTIONS is used, the props.conf can live on either the UF or HF. 2. Assuming you do not want the <?xml version=...> part then the event break config would be. LINE_BREAKER = ([\r\n>]*.+)<DSDATA> Note, I kept the <DSDATA> tag to keep the XML valid with the closing <\DSDATA> tag. If you did want to get rid of the DSDATA fields too then this should work... LINE_BREAKER = ((?:</DSDATA>)?[\r\n>]*.+<DSDATA>|</DSDATA>) Note the OR statement (|</DSDATA>) is to try and strip the last entry in an event that may not have a newline or carriage return.  It will result an empty event. If it was me, I think I'd keep the DSDATA field in the LINE_BREAKER and then use SEDCMD to strip <.?DSDATA> from the events.    For the XML extraction the props.conf file must live on the HF, or indexer, depending on your setup. Restarts may be needed once configs are updated, depending on how you deploy this. Hope it helps  ... View more

This solution did not work for me I found that deleting the alert_actions.conf file under $SPLUNK_HOME/etc/app/search/local did not work, as the next time a send email alert is sent, Splunk just recreates the file with the unspec'd email.show_password = True entry. I also found that this alert_actions file is also causing the "Send email" envelope icon (Settings > Alert Actions)  to not render correctly in the UI. I'm going to open a low level bug with Splunk about this, but in the meantime this is the workaround I've implemented:  1.  Alert actions "Send email" icon cp $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/img/mod_alert_icon_email.png $SPLUNK_HOME/etc/apps/search/appserver/static/ Note: our SHC is behind a load balancer so I also needed to increment the Bump version due to Splunk Web caching ( http://<host>:<mport>/<locale_string>/_bump) .   Clearing your browser cache may also work (https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/assetcaching/) 2. Invalid entry when btool check run (optional) * For Linux (modify commands as needed for Windows) a) cd  $SPLUNK_HOME/etc/apps/search/ b) mkdir README c) cat <<EOF >README/alert_actions.conf.spec show_password = <boolean> * workaround, as parameter not defined in default alert_actions.conf.spec file * this entry simply stops btool check complaining of invalid entry EOF d) Validate: ~/bin/splunk btool check Note: I reproduced this on Splunk Enterprise v8.0.5 (it may occur in earlier version too), but looks to be fixed in latest v8.2.6.  However, you may need to manually delete the $SPLUNK_HOME/etc/apps/search/local/alert_actions.conf file (or the show_password entry) if  upgrading Splunk to latest from an earlier version (and splunk _internal call /services/admin/alert_actions/_reload + bump Splunk web) that had the issue already. ... View more

Just experienced this issue on UF 8.1.3 (UF release notes show 8.1.6 has fix) and I'm updating this topic with what we found, in case anyone else comes acrtoss this issue and may find it useful. DST change occurred (summer time ended, so fallback in our case) on Sunday morning after which we noted this issue.  It was only occurring for UF events where the log data did not have timestamped events containing a TZ offset (e.g. +1200).  So not all data was affected.  On the Sunday we restarted the UFs/HFs/and even the IDXs to try and resolve the issue, but nothing worked so raised a case with Splunk support. On Monday, while investigating this issue further, we restarted the UF again and noted that it now fixed the problem and the _time offset was now applied correctly. So, a UF restarts worked but not until 24 hours after DST change, or maybe until the next day.   The UF will still need to be restarted after this time to workaround this bug.   ... View more

Great to see you arrived at a solution that works for you. Please mark this answer as solved in case it is useful for other Splunk community members. ... View more

Hi @kaeleyt  Interested to know if this helped solve your problem?  ... View more

Hi @kaeleyt  The following will account for no results.  The first append section ensures a dummy row with date column headers based of the time picker (span=1).  This is ensure a result set no matter what you base searches do.  It does expect the date columns to have the same date format, but you could adjust as needed. ... your base searches ... | append [ | makeresults | addinfo | eval min_max_time=mvappend(info_min_time, info_max_time) | mvexpand min_max_time | streamstats count | eval _time=if(count=1, info_min_time, info_max_time) | makecontinuous _time span=1d | where isnull(count) | eval Time= strftime(_time, "%m-%d-%y") | table column Time count | fillnull column value="dummy" | fillnull count value=0 | xyseries column Time count ] | append [ | makeresults | eval column=split("Row 1|Row 2|Row 3|Row 4", "|") | mvexpand column | table column ] | stats values(*) AS * BY column | fillnull value=0 | search column="Row*" The second append is as before and ensures the rows are created etc. You may want to make this a macro if it works. Hopefully, this suits your use case better now. ... View more

Hi @kaeleyt  The question you asked was... Does anybody have a good way to create a timechart table of all 0's for searches that return "No results found"? The solution I provided does show an example way to solve this problem, based on your examples.  However, your reply indicates that it does work, but then you say it due to needing to hard code the dates.  So maybe there is some confusion with my answer, or your question has not been clear enough.   This is the provided solution. | append [ |makeresults | eval column=split("Row 1|Row 2|Row 3|Row 4", "|") | mvexpand column | table column ] | stats values(*) AS * BY column | fillnull value=0 It does not care what the date columns and only hard codes the first row values (based on the example).  But, I agree, the solution does expect that the initial base search(es) did return at least one result.   So, is this the problem?  At times,  all your base searches return no results and hence the solution does not work?  There is probably a way to fix this too, if that is the case, but you need to be clear with what is required.   , what they are named or how many, but it does expect that the initial base search does find some results.     ... View more

Hi @mbasharat  I believe you're asking for a regex to just extract the compliance-check-id for the event.  Is this correct?   There are a few ways to do this but if you just want that one field then this will work for you. ... | rex "id>(?<complianceCheckID>[a-fA-F0-9]+)\<" ... Hope it helps. ... View more