@ITWhisperer Thank you so much, it really saved my time. ... View more

Treating structured data as pure text is doomed to be unstable.  Have you tried my suggestion of reconstructing events based on inherent structure? ... View more

If your problem is resolved, then please click the "Accept as Solution" button to help future readers. ... View more

can anyone help on this?? ... View more

Hour (7-21,0-9,12-21):  The range 7-21 includes hours from 7 AM to 9 PM. The additional ranges 0-9 and 12-21 ensure that hours from midnight to 9 AM and from noon to 9 PM are also included. Therefore, the cron job runs every minute from 7 AM to 9 PM, excluding 10 PM and 11 PM. ... View more

The whole search is... strange to say the least. You generate a single value (and do that in a strange way - by aggregating by a field and the  ignoring the split by that field and summing up everything). Then you use appendcols to add another value which is obtained by joining two data sets from the same index. Very strange and possibly inefficient way. Even if you split your data by site, there is no guarantee that both result sets joined by appendcols will have the same order of results (and appendcols doesn't care about any field matching or something like that so it's up to you to make sure both result sets are compatible). Anyway, I suspect there might be a more elegant (and possibly more efficient) way to do the same. Also remember that your search might be subject to subsearch limitations. ... View more

Hi this message told that you haven't have enough indexers up and running. E.g. if your RF=3 and you have only 2 indexers up it cannot fulfil requirement of 3 separate version of data. This has fixed when you have enough indexers up to fulfil your SF & RF and if you have multisite cluster also site_search_factor and site_replication_factor. r. Ismo ... View more

Among other things, proper JSON uses quotation marks around strings. ... View more

Hi, i came to know the issue, i was doing a wrong query. Now the issue resolved. Thanks in advance  ... View more

I think @gcusello means the latest event in the bucket not the earliest, that is, the bucket will be kept until the most recent event in the bucket is older than the retention period. With very few events entering the bucket, this may take a while. ... View more

The default LINE_BREAKER = ([\r\n]+) should work for those events (at least the part that is shared). The trouble you'll have is with the TIME_FORMAT setting.  No format will match both of those events so you're better off leaving out TIME_FORMAT and letting Splunk figure out each format on its own.  It'll be a little slower, but should work. If those events are in different files then then you should use different sourcetypes and the above won't apply. ... View more

@Santosh2 - You can take some predefined steps in case of data input issues: Check if you have inputs.conf entry for these files Have you specified the right index? Have you created that index on the Indexer? Make sure you are not filtering the data with transforms.conf config check for queue=null line in transforms.conf  If you see any, make sure it's not related to your data Make sure you are receiving other data from that host. index=_internal host=<hostname-that-has-inputs.conf>  Make sure you have permission to read the index data and also make sure no other restriction being applied. You can check with Splunk Admin.   I hope this helps!!! Upvote/karma would be appreciated!! ... View more

Hi @Santosh2, maybe the timestamp isn't correctly parsed, try to search something special of your logs in a very large time period. Then, if you're searching logs in the first 11 days of the month, try to search the 1st of may (01/05/2022) at the 5th of january (05/01/2022). Then, are you sure about index? then, try to add an asterisk at the beginning of the source, maybe there's the full path and/ot an asterisk at the end of host, maybe there's the FQDN name instead of the hostname. Ciao. Giuseppe ... View more