Hi, I have TCP 514 logs in the same sourcetype. There are different formats of timestamp in log and even in events. I don't understand my mistakes with datetime.xml. It's working for one format but not for the second. I text regexp with search ( | rex field=_raw ".........") fields are correctly extracted. I follow thus tuto: https://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem Thanks for your help.   Example: first log: <111> YYYY-MM-DDTHH:MM:SS+02:00 localhost house 12154 - @ip [DD/LitMM/YYYY:HH:MM:SS.MS] ........... _time is correctly extract, second log: <145> YYYY-MM-DDTHH:MM:SS+02:00 localhost foo - - YYYY-MM-DDTHH:MM:SS.MS+0000 jizjfoziejfz battle: cececeijoijoi [YYYY-MM-DDTHH:MM:SS.MS+0000] ........... _time is not extracted, value is index time 😞   I'm on a standalone station, so i copy regexp without storage (maybe typo). Configuration: in datetime.xml on HeayFW (etc/apps/test/default) <define name="_house" extract="day, litmonth,year,hour,minute,second,subsecond"> <text>house.*\[(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2})\.\d+\]></text> </define> <define name="_battle" extract="year,month,day,hour,minute,second,subsecond"> <text>battle.*\[(\d{4})\-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})\.\d+\+\d{4}\]></text> </define> <timePatterns> <use name="_house"/> <use name="_battle"/> </timePatterns> <datePatterns> <use name="_house"/> <use name="_battle"/> </datePatterns> </datetime> in props.conf [my_sourcetype] DATETIME_CONGIG= /etc/apps/test/defaults/datetime.xml LINE_BREAKER = ([\r|\n])+ SHOULD_LINEMERGE = false   ... View more

Hi, I have a data stream on the forwarder, streaming on the 514. the data is correctly indexed. But I would like to extract/build some fields from the _raw. In search head, i try with rex field. it works but it's too long for user. So, i want to do it on forwarder before indexation. Example: _raw: <150> 2021-06-01: 00: 05: 12 localhost blue car=porsche,959 ..... i want build this fields for begining: carbrand : porsche inputs.conf [tcp://my_hostname_client:514] index = car_park sourcetype = sale First WAY: only in props.conf [sale] # i try something EXTRACT-testsale = ^.*car=(?<carbrand>.*)\,$ Second WAY: props + transforms In props.conf [sale] REPORT-testsale = extract-cardata And in transforms.conf [extract-cardata] REGEX = ^.*car=(.*)\,$ FORMAT = carbrand::$1 So, is-it possible to extract field in the _raw on the forwarder from  tcp flow 514 ? If yes, where are my mistakes in my conf? Thks for your returns and help. Best regards. ... View more