thanks woodcok, this saved my day, at least what was left of it after struggling for hours. This behaviour seems very counter-intuitive; I am used to the concept of UFs beeing dumb and having no notion of events ... View more

Hello, I'm coming to you, I'm trying to implement a BLOB to a splunk like you. I have the same concern that you have found a solution to this problem? Have a good day ... View more

Schedule PDF delivery is not available to forms. If you are using form please convert it to dashboard in your xml code. For this you need to remove all input filters. ... View more

Open a ticket - its likely an issue on Splunks side ... View more

Hi @rajasekhar14 , It's not straight PCRE, it includes the path translations as specified in the props.conf documentation. You could use something like: [source::.../(messages|performance)/345/345/*.blob] sourcetype = json SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+){\s*messages I would recommend using SHOULD_LINEMERGE = false & LINE_BREAKER instead of BREAK_ONLY_BEFORE. See if that works for you. ... View more

Hi @koshyk , i have a small question on this, the above settings will use for source file name right? if i want to extract a index filed extraction in side from source file,? i changed like this but its not working. can you please take a look. props.conf [ms:iis:auto] TRANSFORMS-raj_namee = test-raj Transforms.conf [test-raj] REGEX = ^(?:[^ \n]* ){2}([^ ]+) FORMAT = appname::$1 WRITE_META = true filed.conf INDEXED=true and the log format is 2019-07-17 18:21:33 xx-xx.xxx test 10.185.162.2 GET /monitor/monitor.html ---- and i'm using the above regex bold text and it need extract as a appname. ... View more

Try this: | appendpipe [| inputlookup abc.csv ] | eval key = column1."|".column2."|".column3 | dedup key |outputlookup abc.csv append=false ... View more