I've made no indication that I'm editing or have edited files in system/default -- I pointed out that SHOULD_LINEMERGE defaults to true in system/default/props.conf and that since I'm not setting it elsewhere, it's true. Which you indicated was some sort of problem. I'm editing files in apps/appname/default. ... View more

File contents are tricky, since they're not always standard. Also they're too big to post. Suffice to say, they consist of a bunch of various system output, with one section being dedicated to system logs as I explained above, always following this format: 1/1/2015 12:34:56 <Log header> Log text. inputs.conf is (plus one stanza seting SSL password, rootCA, serverCert): [tcp://port#] connection_host = dns index = myindex sourcetype = my-type [tcp-ssl:sslport#] index = myindex sourcetype = my-type I've masked these slightly. The sourcetype is unique to these inputs. props.conf is (some of these files are really big -- 100,000+ lines) [default] TRUNCATE = 0 MAX_EVENTS = 150000 I'm not setting LINE_BREAKER or SHOULD_LINEMERGE. SHOULD_LINEMERGE defaults to true in the system/default/props.conf, of course. ... View more

That's the point: I'm not doing anything in transforms, my props file is just two lines to keep from truncating large files (from above: TRUNCATE for long lines and MAX_EVENTS for big linecounts), and my inputs just pull in tcp/ssl and set a sourcetype. ... View more

My file does not get split into multiple events. I am forced to extract the timestamps manually. I don't know why this is the case. I'm certainly not doing this on purpose. ... View more

If you look back at my initial question, you'll see that Splunk is not splitting the file into multiple events. It's retaining the entire file as a single event. It is not extracting the timestamp for each line, which is why I'm trying to do it manually in the first place. ... View more

In my cases, the timestamp isn't typically in the filename. I see _time, but it's unclear on where it's being extracted from. All the timestamps that I actually want are extracted neatly with rex, so that I have: timestamp, logfield1, logfield2,logfield3, etc... where all my necessary log data is lined up with a timestamp, but then I find I can't do anything with the timestamp for filtering purposes without building my own faux time picker with form inputs. ... View more

inputs.conf: setting one tcp and one ssl input props.conf: setting TRUNCATE and MAX_EVENTS transforms.conf: not using anything here Command outputs about 75 fields. ... View more

I think we broke the comment section. Moving up here. I'm doing event linebreaking at index time, but I'm not actually working with a unique source field per original file since I'm getting data over TCP and UDP -- I'm using files too, but not 100%, which is the only case in which your solution would really work. I'm not pre-processing outside of Splunk, I'm using props.conf and transforms.conf stanzas to handle the event linebreaking at index time. What I'm really looking for, and what I think would be most useful, is a way to extract a value from the input before event linebreaking and then embed it in each new event after. ... View more

No, the source field is not unique in that source = source = source = source = source for most files, unless you're literally using individual text files as your inputs. If you're gathering data from a TCP source, source is always going to equal TCP:500 or however. Which means when you go to do eventstats by source, and none of your sources are unique, the ID number that's applied to each event is going to be the same one. This isn't crazy, and there are limited instances in which your solution would work, but this isn't one of them. ... View more

I'm sorry if I wasn't clear -- I did try it, and it acted as I stated in my previous comment. The Source field is not unique. ... View more

That doesn't work. It just extracts from the very first event that matches the rex for System Type and applies that to every result in the search. Since each section was broken into its own event at index time and there's no overlapping unique information, I don't have any relational linkage between sections. EDIT: Additionally, the files themselves are too big not to break into smaller events. I still get some truncation issues on subsections, even. ... View more

If this is right, I don't think I understand how eventstats works. This may get complicated. So I made my sample look very generic. My actual ID looks like (sorry for the regex): System Type: \w+-\w+ (I'm also looking to do similar searches filtering out by MAC addresses and some other things) I'm pretty sure I can't just ask it to eventstats first("System Type") and expect it to pick up what I want -- also I tried it, so I'm even more pretty sure there. Will I need to build in an auto field extraction or is there a better way around this? ... View more

As I mentioned, I'm dividing the files at index time so if I'm searching sourcetype=Section2 or sourcetype=Section3, the ID number isn't in the current search results to run eventstats on. The files are ~15,000 lines long and contain 20 or so sections, so I can't really manage them at search time in their original format. ... View more

The sections are broken out at index time, so I can't grab the ID from Section1 if I'm searching on Section3. Currently I lose the relationship between sections, which is why I'm trying to put a unique identifier in all sections so they can be tracked after they're broken out. ... View more

The solution there is for creating a new field. I'm trying to reference an existing field. ... View more

More convoluted. I want to copy the value from the field whose name is specified in monthSearch1 (field 201507 in the example, yielding 12) to month1. ... View more

Sadly, no. I never got anywhere investigating this one. ... View more

Here are my statements, starting from the relevant portion: | eval yr="$form.yr$" | eval quarter="$form.quarter$" | eval yr=if("$form.quarter$"="Q1" OR "$form.quarter$"="Q2",yr-1,yr) | eval monthSearch=if("$form.quarter$"="Q1",'yr'+"07 "+'yr'+"08 "+'yr'+"09 ",monthSearch) | eval monthSearch=if("$form.quarter$"="Q2",'yr'+"10 "+'yr'+"11 "+'yr'+"12 ",monthSearch) | eval monthSearch=if("$form.quarter$"="Q3",'yr'+"01 "+'yr'+"02 "+'yr'+"03 ",monthSearch) | eval monthSearch=if("$form.quarter$"="Q4",'yr'+"04 "+'yr'+"05 "+'yr'+"06 ",monthSearch) | makemv monthSearch | eval monthSearch1=mvindex(monthSearch,0) | eval monthSearch2=mvindex(monthSearch,1) | eval monthSearch3=mvindex(monthSearch,2) | lookup closures "fullName" AS "fullName" The following is what doesn't work: | eval month1='monthSearch1' | eval month2='monthSearch2' | eval month3='monthSearch3' |** fillnull value=0 month1 month2 month3 Assume $form.quarter$=Q1 and $form.yr$=2015 The lookup "closures" contains the following info: fullname,201507,201508,201509,201510,201511,201512 Adam Anderson,12,10,15,,37,11 Bob Briggs,,,4,21,,15 Cam Carson,10,25,31,22,16,1 I want an intermediate table that looks like: fullName,monthSearch1,monthSearch2,monthSearch3,201507,201508,201509,month1,month2,month3 Adam Anderson,201507,201508,201509,12,10,15,12,10,15 ... View more

Wow. None of the info I could find in the documentation suggested that was needed. Thanks! ... View more