Hi nirt, Using the example data provided you can set up your props.conf and transforms.conf in your apps local directory. For example: props.conf ... [my_sourcetype] DATETIME_CONFIG = CURRENT LINE_BREAKER = ([\n\r]+)\s*<[MC]+ SHOULD_LINEMERGE = false NO_BINARY_CHECK = true category = Custom pulldown_type = true disabled = false TRANSFORMS-newhost = newhost This will break the events by lines beginning with <(C|M) and the following will extract the hostname value and index it as host. transforms.conf ... [newhost] REGEX = ^\s*<(?:MOBILE|CENTRAL)\s+hostname="(\w+)"> DEST_KEY = MetaData:Host FORMAT = host::$1 The abc values will also be auto extracted due to the semantic logging, i.e. field=value. Hope this helps. ... View more

This is much better!, however a few issues: 1. the first rex did not work so i changed it to: rex "s.d.r.rrm.(? .?).TIME.(? . ?). 2. For some reason in each timerange i see a country called 'OTHER' and 'VALUE' 3. if i manually try to find those countries by running search: "s.d.r.rrm.OTHER.TIME.Range[*].hod.-1.number" , it finds no results - so it doesn't exist. Splunk adds this manually? Other than that - AMAZING! Thanks!!! ... View more

The best option in my opinion is to build this logic into the script instead. ... View more

The integrated PDF report generator has hard coded chart sizes... I manually changed it but it is global for the whole search head... ... View more

I have changed the timechart to the following and it seems to give me the result I want: timechart span=10m per_minute(UsersCount) Thanks ... View more

Thanks! I've edited the answer ... View more

Always a pleasure. Btw. if you need more advanced charting and graphing features the only viable option is to extract data via the REST API and build it yourself. Exactly what I'm doing. ... View more

Something like this?: sourcetype=yourdata | rex max_match=99999 field=your_field_holding_all_values "(?<yourfield>[^\n]+)" | mvexpand yourfield | search yourfield="ipc.DDBRemoveCache.alerts.success.hod.-1.total*" | rex field=yourfield "(?P<field>[^\=]+)=(?P<value>.*)" | table field, value ... View more

This thread has been inactive for more than 4 years. You stand a better chance of getting an answer if you post a new question. ... View more