Ooh, got it! So you need to modify it globally from the general configuration, not from the single visualization. Thank you! ... View more

Hi @richgalloway , I agree with the transforms/props solution. I further tested the SEDCMD solution and saw that (at least on my instance) is working as expected. Is there any known mechanism that automatically remove that empty line?  that's my sourcetype:   [TestmylogRemoveHeader] DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true SEDCMD-removeheader = s/^Timestamp\sProcess\sTID\sArea\sCategory\sEventID\sLevel\sMessage\sCorrelation.*//g SHOULD_LINEMERGE = false category = Custom pulldown_type = true     Produced result: Any suggestion is highly appreciated! I'll eventually use the props/transforms as preferred method for these cases. Have a nice day! Fabrizio ... View more

Hi @Roy_9 , have you specified the entire configuration? SEDCMD-removeheader = s/^Timestamp\sProcess\sTID\sArea\sCategory\sEventID\sLevel\sMessage\sCorrelation.*//g I tested it in the Add data preview and the header gets correctly removed as you can see below: Also, header removal won't be applied to already ingested data Hope this helps you, have a nice day, Fabrizio ... View more

With your dataset, it is difficult to use any indexed extraction or similar in props.conf for reference: INDEXED_EXTRACTIONS = <CSV|TSV|PSV|W3C|JSON|HEC>   I would personally find a pattern to parse the logs at search time and generate the field extractions for each field  Hope this helps, have a nice day, Fabrizio ... View more

place the following in the props.conf file: SEDCMD-removeheader = s/^Timestamp\sProcess\sTID\sArea\sCategory\sEventID\sLevel\sMessage\sCorrelation.*//g General sintax explained in the props.conf documentation:  * replace - s/regex/replacement/flags * regex is a perl regular expression (optionally containing capturing groups). * replacement is a string to replace the regex match. Use \n for back references, where "n" is a single digit. * flags can be either: g to replace all matches, or a number to replace a specified match.  Hope this helps, have a nice day, Fabrizio ... View more

Hi @Roy_9 , My bad, I did not understand where you were having the issue. Splunk is giving you that error because header doesn't have a timestamp and can't interpret it. To prevent this, you should remove the header with SEDCM (props.conf) or combining props.conf and transforms to discard that specific line. Hope this helps you, have a nice day, Fabrizio ... View more

Hi @Roy_9 , I think you won't be able to use %N variable different from the available ones: %N The number of subsecond digits. The default is %9N. You can specify %3N = milliseconds, %6N = microseconds, %9N = nanoseconds.   Hope this helps you, have a good day, Fabrizio ... View more

@Hi @ssuluguri, I'm not sure if that's the case, but version 9.0.4 solved several issues included thread and memory usage Fixed issues SPL-230581, SPL-227411 After upgrade one set of clustered indexers has increase in thread crashes during search SPL-231852, SPL-230091 Search utilize huge memory on only one indexer.   Hope this will help you, have a nice day, Fabrizio ... View more

Hi @ssuluguri , Prior to Splunk Enterprise version 9.0, the cluster manager used the master-apps directory as the configuration bundle repository. Starting with 9.0, a new directory called manager-apps was added to the cluster manager as a replacement for master-apps The peer nodes used the slave-apps directory as the configuration bundle repository. Starting with 9.0, peer-apps replaces slave-apps. If your peer node was upgraded from a pre-9.0 version, the slave-apps directory was renamed to peer-apps during the upgrade process. Additional information can be found in the Managing Indexers and Clusters of Indexers guide section Hope this will help you, have a nice day! Fabrizio ... View more

Hi @SamuraP , You can specify what configuration you are searching for and filter the returned results for your app context (--app=<yourapp>) and get additional details regarding the source of the produced configuration using --debug In the example below you will get the props configurations from the "search" app context, along with the file that have generated each line (--debug) ./splunk btool props list --app=search --debug  Also you can use grep command to filter the returned btool output to further deepen your analysis. ./splunk btool props list --app=search | grep informationThatYouWantToGrep Additional details and explanations can be found in the Splunk btool documentation from the troubleshooting manual Hope this will help you! Have a nice day, Fabrizio ... View more

Hi @bitnapper, Without knowing what type of logs you are working with, I would assume your issue might be related to the use of the default LINE_BREAKER ([\r\n]+) while also keeping SHOULD_LINEMERGE = true (default setting). SHOULD_LINEMERGE explanation from props.conf file: * When you set this to "true", Splunk software combines several lines of data into a single multi-line event, based on values you configure in the following settings. * When you set this to "false", Splunk software does not combine lines of data into multiline events. * Default: true When SHOULD_LINEMERGE is set to true, other settings (BREAK_ONLY_BEFORE_DATE (default), BREAK_ONLY_BEFORE, MUST_BREAK_AFTER...) are used to define how Splunk software builds multi-line events merging previously broken lines. Also, remember to restart your Splunk instance where the new parsing rules are being applied (tipically HF/INDEXER or all-in-one architecture) Hope this helps, have a nice day, Fabrizio ... View more

hi @phamxuantung LINE_BREAKER is applied during the Parsing Pipeline, so the instance with the LINE_BREAKER and SHOULD_LINEMERGE = false (merging pipeline) must be set on HF/Indexer level. LINE_BREAKER on Search Heads would work if that Search Heads are directly indexing events (i.e. in Splunk all-in-one architectures), hence parsing events themself. Hope this helps, Fabrizio ... View more