I started having the issue after upgrade 9.0.3.  Did you ever resolve? ... View more

where able to fix? ... View more

Studio is better, correct?  About spent some time learning but, don't wanted to be waste of time. ... View more

where you able to solve the problem?  Have you tried to generate process chain table use process monitor baseline?  have you tried force directed viz?   ... View more

@mayurr98    Here is my search that I want to put into props & transform. index=nsips_horizon sourcetype="vmware:uag:esmanager" | rex "^(?:[^ \n]* ){3}(?P<UAG_hostname>[a-z]+\d+)\s+(?P<app_name>[^:]+)[^:\n]*:\s+\[(?P<thread_id>\S+?)\](?P<log_level>[^ ]+)\s+(?P<file_name>[^\[]+)\[(?P<function_name>[^:]+):\s+(?P<line_num>[^\]]+)[^\[\n]*\[(?P<client_IP>[^\]]+|.?)\]\[(?P<username>.+|.?)\]\[(?P<session_type>.+|.?)\]\[(?P<session_id>[^\]]+)[^\]\n]*\]\s+\-\s+(?P<message>.+)" here is sample log: Sep 9 05:36:55 UAG Name UAG-ESMANAGER: [Curator-QueueBuilder-0]INFO utils.SyslogManager[start: 355][][][][] - Edge Service Manager : started Sep 9 05:36:54 UAG Name UAG-ESMANAGER: [Curator-QueueBuilder-0]INFO utils.SyslogManager[stop: 1071][][][][] - Edge Service Manager : stopped based on what I read the props.conf  [vmware:uag:esmanager] REPORT-esmanager = esmanager Transform.conf [esmanager] REGEX = ^(?:[^ \n]* ){3}(?P<UAG_hostname>[a-z]+\d+)\s+(?P<app_name>[^:]+)[^:\n]*:\s+\[(?P<thread_id>\S+?)\](?P<log_level>[^ ]+)\s+(?P<file_name>[^\[]+)\[(?P<function_name>[^:]+):\s+(?P<line_num>[^\]]+)[^\[\n]*\[(?P<client_IP>[^\]]+|.?)\]\[(?P<username>.+|.?)\]\[(?P<session_type>.+|.?)\]\[(?P<session_id>[^\]]+)[^\]\n]*\]\s+\-\s+(?P<message>.+) FORMAT = $1::$2 Right?  What's $1::$2 doing?   ... View more

Did you fix the issue?  Would like to know what you did other than the blog posted? ... View more

@yuanliu Thanks for quick response.  It make more sense now.  The challenge now is the extract the array value on Tags{Name}.Key bring up the count of the values but, not nested values within the Name Field that has the value We want   index=aws sourcetype="aws:metadata" InstanceId=i-* | spath Tags{}.Value output=Hostname | mvexpand Hostname | fieldsummary | search field = Hostname   Return the results on the screen shot.  Notice that the count of value and field values mixed.  that's the part I don't get and trying to understand.  Hostname only returns the count. "Field name in SPL uses dot (".") to segment data paths in JSON, and curly brackets ({}) to represent a JSON array. "  So, should the path Tags.Key.Name{} return the values for Name array not the count of the values   | spath Tags.Key.Name{} output=Name    Yes.  I am having problem understanding the path logic based on the results.  The question is how do retrieve the values in 3 depth array into muti-value?   index=aws sourcetype="aws:metadata" InstanceId=i-* | spath path="Tags{}.Value" output=Name | mvexpand Name | search Name = I-* | stats count by Name   This get the results in Value but, my understanding of it still rough.  I need extract more tag.values{} in tag.values as fields with value instead of the values to re-do a savesearch that rely tag.$field_name$  Now it's broken out into Value being the field value where key is the field name.  I think, I need to group them.  Right? ... View more

which version of the add-on are you running and Splunk version?  It's not there for AWS 6.x add-on with Splunk 9.x ... View more

regex101: build, test, and debug regex Please take a look at this link.  I suggestion use regex101 before put them into splunk. ... View more

I have enhance the search to provide more details. index=_internal host=<your Indexer> source="/opt/splunk/var/log/splunk/splunkd.log" component=DateParserVerbose | rex "Context: source=(?P<sourcetypeissue>\w+)\Shost=(?P<sourcehost>\w+)" | stats list(sourcetypeissue) as file_name list(sourcehost) ... View more

Will create a new post next time.  I want to match log content.  So, I delete  SOURCE_KEY = MetaData:Source you meant transform.conf right?  not props.conf The props.conf should be change to match sourcetype right? TRANSFORMS-uag:syslog = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager   ... View more

@sheamus69  I've made some progress.  Initial work is getting the log ingestion from syslog and overriding the SourceType. Here is my inputs.conf   [monitor:///var/log/$mask_host1$/syslog] disabled = false #initCrcLength = 800 crcSalt = <SOURCE> index = test sourcetype = uag:syslog [monitor:///var/log/$mask_host2$/syslog] disabled = false #initCrcLength = 800 crcSalt = <SOURCE> index = test sourcetype = uag:syslog [monitor:///var/log/$mask_host3$/syslog] disabled = false #initCrcLength = 800 crcSalt = <SOURCE> index = test sourcetype = uag:syslog Here is props.conf on the HF. [uag:syslog] category = Custom TRANSFORMS-uag:syslog = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager   Here is transforms.conf the HF. [vmware:uag:admin] REGEX = uag-admin\: FORMAT = sourcetype::vmware:uag:admin DEST_KEY = MetaData:Sourcetype [vmware:uag:audit] REGEX = uag-audit\: FORMAT = sourcetype::vmware:uag:audit DEST_KEY = MetaData:Sourcetype [vmware:uag:esmanager] REGEX = uag-esmanager\: FORMAT = sourcetype::vmware:uag:esmanager DEST_KEY = MetaData:Sourcetype   Next, I'll update with field extraction if you're intrested. ... View more

@gcusello  Could you review mind?  Here is my inputs.conf [monitor:///var/log/$mask_host1$/syslog] disabled = false #initCrcLength = 800 crcSalt = <SOURCE> index = test sourcetype = uag:syslog [monitor:///var/log/$mask_host2$/syslog] disabled = false #initCrcLength = 800 crcSalt = <SOURCE> index = test sourcetype = uag:syslog [monitor:///var/log/$mask_host3/syslog] disabled = false #initCrcLength = 800 crcSalt = <SOURCE> index = test sourcetype = uag:syslog Here is props.conf on the HF. [uag:syslog] NO_BINARY_CHECK = true category = Custom pulldown_type = 1 TRANSFORMS-sourcetype = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager Here is my transform.conf on the HF. [uag:syslog] REGEX = :\d\d\s+\w{5}\w{4}\suag-admin\: FORMAT = sourcetype::vmware:uag:admin SOURCE_KEY = MetaData:Source DEST_KEY = MetaData:Sourcetype [uag:syslog] REGEX = :\d\d\s+\w{5}\w{4}\suag-audit\: FORMAT = sourcetype::vmware:uag:admin SOURCE_KEY = MetaData:Source DEST_KEY = MetaData:Sourcetype [uag:syslog] REGEX = :\d\d\s+\w{5}\w{4}\suag-esmanager\: FORMAT = sourcetype::vmware:uag:esmanager SOURCE_KEY = MetaData:Source DEST_KEY = MetaData:Sourcetype Is there anything I am doing wrong in the configuration?   ... View more

@PickleRick Or @gcusello  Are your sourcetypes really named that?  No, It's coming the monitoring has sorucetype=syslog On which component did you put those entries? Here is the inputs.conf       [monitor:///var/log/$mask_host1$/syslog] disabled = false #initCrcLength = 800 crcSalt = <SOURCE> index = test sourcetype = uag:syslog [monitor:///var/log/$mask_host2$/syslog] disabled = false #initCrcLength = 800 crcSalt = <SOURCE> index = test sourcetype = uag:syslog [monitor:///var/log/$mask_host3$/syslog] disabled = false #initCrcLength = 800 crcSalt = <SOURCE> index = test sourcetype = uag:syslog       Props.conf on the HF   [uag:syslog] category = Custom TRANSFORMS-uag:syslog = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager       Transform.conf on the HF   [vmware:uag:admin] REGEX = uag-admin\: FORMAT = sourcetype::vmware:uag:admin DEST_KEY = MetaData:Sourcetype [vmware:uag:audit] REGEX = uag-audit\: FORMAT = sourcetype::vmware:uag:audit DEST_KEY = MetaData:Sourcetype [vmware:uag:esmanager] REGEX = uag-esmanager\: FORMAT = sourcetype::vmware:uag:esmanager DEST_KEY = MetaData:Sourcetype       @PickleRick , does that answer your question?  Is my approach wrong?    ... View more