This worked for me on version 8.x recently. Thanks. ... View more

hi  Any further update on this issue? I also present the same ... View more

@Bleepie I had the same question and found the answer to this in another post.  You might want to check this out if you haven't solved for this already. https://community.splunk.com/t5/Dashboards-Visualizations/how-to-rearrange-visualisation-with-two-panels-vertically/m-p/546078 ... View more

No, I never created alerts from this one, good luck ... View more

I suppose I could modify my current transforms.conf, as suggested by masonmorales, and create a new one for our n environment, like this: Remove index-company_perf from each Sourcetype within props.conf and use it on a source reference instead. [index-company_perf] SOURCE_KEY = MetaData:Host REGEX = ^host::(n1.[\d]+.*)$ DEST_KEY = _MetaData:Index FORMAT = company_perf Props.conf [source::/var/appl/logs/*_perf.log] TRANSFORMS-index-company_perf = index-company_perf Create a new stanza in transforms.conf [index-company_n] SOURCE_KEY = MetaData:Host REGEX = ^host::(n1.[\d]+.*)$ DEST_KEY = _MetaData:Index FORMAT = company_n Props.conf [my_sourcetype] TRANSFORMS-index-company_n = index-company_n ... View more

@jmulcaster_splunk posted an order-of-operations diagram with links to relevant documentation to help with upgrade planning. Check it out and let us know if you find it helpful. What's the order of operations for upgrading Splunk Enterprise? ... View more

I finally got this working! This is what I had to put in my transforms.conf. I ended up having the developers put "index=" in the log path and this is the final result: TRANSFORMS.CONF [override_index_by_log_path_2] SOURCE_KEY = MetaData:Source REGEX = .*\/log-dir\/index=([^\/]*)\/.* DEST_KEY = _MetaData:Index FORMAT = $1 PROPS.CONF [servicelog] TRANSFORMS-route_index_to_log_servicelog = override_index_by_log_path_2 ... View more

I am not clear about what you want. In the first block, you show several lines of JSON logs. What is the criteria for defining an event? Do all the lines in the block belong in the same event? Do all the lines in the file belong together as one event? Do you ever want to select certain lines or perform statistical analysis on the data? If all you want is for the data to appear in chronological order, remember that Splunk search always returns the newest events first. The underlying search actually works from newer to older data as it retrieves the data. The default is for Splunk to display the search results in this reverse chronological order. But the ordering is a function of the search, not the parsing. You can specify that you want the search results displayed in chronological order, by appending | reverse to the end of any search. Be aware that this may make the search take much longer, and consume much more memory and CPU. ... View more