I have a header variable that I would like to attach to each event in a table. Header variable, FY= 2017 table bill | reason | FY 100 |restaurant | 2017 200 | gas | 2017 500 | water | 2017 \sourcetype=Bill |table bill reason|appendcols[search sourtype=Bill |fields FY] |table bill reason FY The search above does not append the column to all events, it only appends it to the first row. Is there a search or function that allows me to append the variable to all the events. FYI, when I do eval tempVari="test" , it attaches it to all events, but it doesn't work when it's a variable. ... View more

I have read multiple blogs and answers and couldn't find anything that helps. The filename will be something like this blah_blah_blah....161030.txt I have checked my regex on regex101 and it works perfectly. This is what I have, props.conf [filedate] DATETIME_CONFIG = /etc/system/local/datetime.xml category= Date_time CHARSET=AUTO disabled=false pulldown_type = true Datetime.xml <datetime> <define name="_masheddate3" extract="year, month, day,"> <text> ![CDATA[(?:^|source:|source::).*?([123]\d)([01]\d)([0123]\d)[^0-9]]] </text> </define> <datePatterns> <use name="_masheddate3"/> </datePatterns> </datetime> And this the error message that i get from Splunkd.log 11-03-2016 12:44:36.860 -0400 ERROR AggregatorMiningProcessor - Uncaught exception in Aggregator, skipping an event: Error parsing regex XML file: C:\Program Files\Splunk\etc\system\local\datetime.xml - Couldn't find 'timePatterns' in config data for AggregatorProcessor. - data_source="C:\Users\ComputerName\Documents\Test2\blah_blah161030.txt", data_host="local", data_sourcetype="filedate"</code> 11-03-2016 12:44:36.860 -0400 ERROR AggregatorMiningProcessor - Uncaught exception in Aggregator, skipping an event: Error parsing regex XML file: C:\Program Files\Splunk\etc\system\local\datetime.xml - Couldn't find 'timePatterns' in config data for AggregatorProcessor. - data_source="C:\Users\ComputerName\Documents\Test2\blah_blah161030.txt", data_host="local", data_sourcetype="filedate" I know Props.conf is working by looking at this error message, so the only issue is in datetime.xml... The time is irrelevant to me. How do I make Splunk just get the date and ignore the time? If there is anyone that had success in this, please let me know! ... View more

So i have scenario where i have to group by a table (Make, model, horsepower year) like the one below, Make model(mvFields) horspower(mvFields) year(mvFields) comment Toyota camry 175 2013 (empty field) corolla 120 2013 (empty field) camry (empty field) 2013 (empty field) separator Honda accord 180 2013 (empty field) civic 115 (empty field) broken tail light accord 180 2013 (empty field) Now i have used eval comb=mvzip(model,horsepower,",")| eval comb=mvzip(comb,comment) so whenever I try to combine empty fields, the field comb returns null or empty. My goal here is to have a count of unique group by of all the fields combined for example Toyota camry 175 2013 (empty field) count=1 Toyota camry (empty field) 2013 (empty field) count=1 Honda accord 180 2013 (empty field) count=2 if there are other ways of doing this, please share. thanks ... View more

There are a lot of documentation on how to set Host equal to filename or directory name, however i couldn't find anything on how to set source equal to file name? [monitor://.......\fil.log] disabled=0 source=??? sourcetype= logFile props.conf [logFile] setting . . . ... View more

So I have this: 01010101 01/02/2015 4200000 U-55555555-0000 1.00 Q CC 100 Random Text with numbers 676 R BB 2 Another Random Text Message 23$kjaldsf@@ 01010101 01/02/2015 4200000 U-55555555-0000 1.00 value 1 ==>(Q) CC 100 Random Text with numbers 676 value 2 ==>(R) BB 2 Another Random Text Message 23$kjaldsf@@ I can extract both fields using this in search Rex command _index search ....| rex field=_raw "\s(?[A-z])\s"_ returns the multivalue field i want. However if i use the same regex during Extract field, it only takes the first value "Q" not the second one. So how can i extract multivalue field using Extract Field option. Let me know if that is even possible, if it is please let me know how? this is how i wanted it to be otherField WantedField Date AnotherField AnotherMultiValueField ....etc 01010101 Q 01/02/2015 U-5555555-0000 CC R BB ... View more

I have multiple CSV lookup files and I want to use a variable to determine which lookup table to choose in my search. for example: field1 {lookupFile, lookupFile2, lookupfile3,.....} field2 {choose2, choose3, choose1, .....} index="sample_index" |mvexpand field2| eval file_name= field2 + ".csv" | lookup file_name Id Ouput value | table * ... View more

I have two multi value fields with delim "," (comma) field1 field2 \value\random\end, \value3\random3\end3, \value2\random2\end2, \value\random\end, \value3\random3\end3, \value2\random2\end2, \value\that\does\not\exist \diff\value\anything I can make them a multivalue using makemv delim="," field1 and the same thing for field2. I want each value from field 1 and check if it exists in field 2, and if it does, then add it to a new field called "field 3" i wanted to use foreach but i'm not really familiar with it. ... View more