I've got Splunk installed on a Linux system and I'm forwarding all of the logs from my Zimbra email server over to splunk using Splunk to listen on UDP 514. The logs are being captured as syslog events and tagged with the host name.
The Zimbra logs are actually being written as CSV events similar to the below:
[host data and timestamp info excluded] zimbramon[3207]: 3207:info: zmstat mtaqueue.csv: timestamp, KBytes, requests:: 10/04/2011 10:27:38, 0, 0
[host data and timestamp info excluded] zimbramon[3191]: 3191:info: zmstat cpu.csv: timestamp, cpu:user, cpu:nice, cpu:sys, cpu:idle, cpu:iowait, cpu:irq, cpu:softirq, cpu0:user, cpu0:nice, cpu0:sys, cpu0:idle, cpu0:iowait, cpu0:irq, cpu0:softirq:: 10/04/2011 10:27:30, 4.2, 0.0, 1.8, 93.6, 0.4, 0.0, 0.0, 4.2, 0.0, 1.8, 93.6, 0.4, 0.0, 0.0
Each type of output has its own CSV format, with the header included in the log event.
Any tips on how to categorize each of these for more efficient field tagging, and possibly even charting? As you can see, for performance monitoring it can track the mail queue size and also provides CPU stats. Once I get them categorized I can also look at creating alerts when an event gets too high or stays too high.
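The zmstat lines follow one shape, `zmstat <name>.csv: <header list>:: <value list>`, so the `<name>` part categorizes the event and the header list names the fields for that category. The following is an added Python example, not code from the question or from Zimbra or Splunk, that parses that shape, normalizes header names such as `cpu:user` to `cpu_user` (colons are awkward in field names), groups events by category, and applies per-category limits the way an alert would. The syslog host prefix, the sshd line and the threshold values are constructed for the example.

```python
import re

# Constructed sample events modelled on the zmstat syslog lines quoted in the
# question; the "Oct  4 ... mail1" prefix is a hypothetical syslog header.
SAMPLE_EVENTS = [
    "Oct  4 10:27:38 mail1 zimbramon[3207]: 3207:info: zmstat mtaqueue.csv: "
    "timestamp, KBytes, requests:: 10/04/2011 10:27:38, 0, 0",
    "Oct  4 10:27:30 mail1 zimbramon[3191]: 3191:info: zmstat cpu.csv: "
    "timestamp, cpu:user, cpu:nice, cpu:sys, cpu:idle, cpu:iowait, cpu:irq, cpu:softirq, "
    "cpu0:user, cpu0:nice, cpu0:sys, cpu0:idle, cpu0:iowait, cpu0:irq, cpu0:softirq:: "
    "10/04/2011 10:27:30, 4.2, 0.0, 1.8, 93.6, 0.4, 0.0, 0.0, 4.2, 0.0, 1.8, 93.6, 0.4, 0.0, 0.0",
    # A non-zmstat line (constructed) to show that other syslog traffic is skipped.
    "Oct  4 10:28:00 mail1 sshd[999]: Accepted publickey for admin from 192.0.2.10",
]

# zmstat body: "<pid>:<level>: zmstat <name>.csv: <header list>:: <value list>"
ZMSTAT_RE = re.compile(
    r"zimbramon\[(?P<pid>\d+)\]: \d+:(?P<level>\w+): zmstat (?P<stat>[\w-]+)\.csv: "
    r"(?P<header>.+?):: (?P<values>.*)$"
)


def _coerce(raw):
    """Turn a CSV cell into int or float where possible, else keep the string."""
    for cast in (int, float):
        try:
            return cast(raw)
        except ValueError:
            pass
    return raw


def _field_name(header):
    """Normalise header names such as 'cpu:user' to a Splunk-friendly 'cpu_user'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", header.strip())


def parse_zmstat(line):
    """Parse one zmstat syslog event into a dict; return None for any other event."""
    m = ZMSTAT_RE.search(line)
    if m is None:
        return None
    headers = [_field_name(h) for h in m.group("header").split(",")]
    values = [_coerce(v.strip()) for v in m.group("values").split(",")]
    if len(headers) != len(values):
        raise ValueError(f"header/value count mismatch in zmstat {m.group('stat')} event")
    return {
        "stat": m.group("stat"),   # the category: mtaqueue, cpu, ...
        "pid": int(m.group("pid")),
        "level": m.group("level"),
        "fields": dict(zip(headers, values)),
    }


def categorise(lines):
    """Group parsed zmstat events by stat name; non-zmstat lines are skipped."""
    by_stat = {}
    for line in lines:
        event = parse_zmstat(line)
        if event is not None:
            by_stat.setdefault(event["stat"], []).append(event)
    return by_stat


def check_thresholds(event, thresholds):
    """Return (field, value, limit) for every field of the event above its limit.

    thresholds maps stat name -> {normalised field name -> maximum acceptable value}.
    """
    limits = thresholds.get(event["stat"], {})
    return [
        (name, event["fields"][name], limit)
        for name, limit in limits.items()
        if name in event["fields"] and event["fields"][name] > limit
    ]


# Illustrative limits (assumed values chosen for the example, not Zimbra guidance).
THRESHOLDS = {
    "mtaqueue": {"requests": 100},
    "cpu": {"cpu_iowait": 20.0},
}

if __name__ == "__main__":
    for stat, events in categorise(SAMPLE_EVENTS).items():
        for ev in events:
            print(stat, ev["fields"])
            for name, value, limit in check_thresholds(ev, THRESHOLDS):
                print(f"  ALERT {stat}.{name}={value} exceeds {limit}")
```

The length check in `parse_zmstat` matters for a self-describing format: a truncated event would otherwise be silently mapped to the wrong columns. The same two-step split (category from the file name, fields from the embedded header) is what you would reproduce in Splunk's extraction configuration, with the `stat` value as the field to filter and chart on.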