@ITWhisperer  I have updated my question.....I have removed my example for better understanding. Let me know if that is clear . TIA ... View more

No , i guess my question is misunderstood.   If my alert throws 4 results .....i want all the 4 results to be logged into an index . Instead Splunk logs only one result into an index. ... View more

My alert action is to log an  event to an index for each result . But when there are multiple results for an alert ...it logs only one result to the index .  Attached screenshot of my alert  ... View more

Thanks for the confirmation @gcusello  ... View more

is there a way to clear fishbucket  without reindexing? In one of the old UF , fishbucket file has occupied complete disk space and i need to clear the file to run Splunk again. ... View more

Raw log format attached ... View more

@Vardhan  There are 2 things I'm looking at . 1. Auto extraction of fields at index time . Check the formatted log file snapshot. It has a nested json .(All the fields inside the message field needs to be extracted) if option 1 is not possible .  Need help in 2nd option   2. Parse the incoming raw logs and remove  the {"message":"<100>  at the beginning of each event. Check raw log snapshot for reference.   Sample log  can be seen in other comments.   Thanks in Advance   ... View more

Second Regex i didnt try as the regex is not capturing the intended characters. If you look at raw the log , i just want to parse and remove the  {"message":"<100>  from the raw log and start with the timestamp instead ... View more

@Vardhan Your first regex looks good as it is capturing the intended characters . But after adding that in props.conf at HF .Im still seeing the characters and it is not removed. ... View more

    Hi @scelikok  @isoutamo As an alternate option i want to remove the the starting characters(marked in Red) from the below log sample .   This gets appended in all the logs and i want to remove it before indexing . Could you please help with the props and transforms config   Raw Event : {"message":"<100>Mar 11 15:58:48 XX.XXX.XXX.XXX LOGSTASH[-]: {\"@version\":\"1\",\"facility_label\":\"user-level\",\"program\":\"audispd\",\"logtype\":\"syslog\",\"priority\":14,\"tags\":[\"_grokparsefailure\"],\"vmd_name\":\"abc\",\"host\":\"XX.XXX.XXX.XXX\",\"severity\":6,\"facility\":1,\"Hostname\":\"abc\",\"beat\":{\"name\":\"abc\"},\"@timestamp\":\"2021-03-11T15:58:48.000Z\",\"type\":\"abc\",\"timestamp\":\"Mar 11 15:58:48\",\"logsource\":\"abc\",\"severity_label\":\"Informational\",\"message\":\"node=abc type=SOCKADDR msg=audit(1615478328.279:1722168): saddr=000000000000000000000000\\n\"}","@timestamp":"2021-03-11T15:50:46.242Z","host":"XX.XXX.XXX.XXX","@version":"1","port":00000}   ... View more

Hi @scelikok  it didnt work. Fields are not getting extracted. ... View more

Raw Event : {"message":"<171>Mar 11 15:58:48 XX.XXX.XXX.XXX LOGSTASH[-]: {\"@version\":\"1\",\"facility_label\":\"user-level\",\"program\":\"audispd\",\"logtype\":\"syslog\",\"priority\":14,\"tags\":[\"_grokparsefailure\"],\"vmd_name\":\"abc\",\"host\":\"XX.XXX.XXX.XXX\",\"severity\":6,\"facility\":1,\"Hostname\":\"abc\",\"beat\":{\"name\":\"abc\"},\"@timestamp\":\"2021-03-11T15:58:48.000Z\",\"type\":\"abc\",\"timestamp\":\"Mar 11 15:58:48\",\"logsource\":\"abc\",\"severity_label\":\"Informational\",\"message\":\"node=abc type=SOCKADDR msg=audit(1615478328.279:1722168): saddr=000000000000000000000000\\n\"}","@timestamp":"2021-03-11T15:50:46.242Z","host":"XX.XXX.XXX.XXX","@version":"1","port":00000}     and this is how it look syntaxed format:   { [-] @timestamp: 2021-03-11T15:50:46.242Z @version: 1 host: XX.XXX.XXX.XXX message: <171>Mar 11 15:58:48 XX.XXX.XXX.XXX LOGSTASH[-]: {"@version":"1","facility_label":"user-level","program":"audispd","logtype":"syslog","priority":14,"tags":["_grokparsefailure"],"vmd_name":"abc","host":"XX.XXX.XXX.XXX","severity":6,"facility":1,"Hostname":"abc","beat":{"name":"abc"},"@timestamp":"2021-03-11T15:58:48.000Z","type":"abc","timestamp":"Mar 11 15:58:48","logsource":"abc","severity_label":"Informational","message":"node=abc type=SOCKADDR msg=audit(1615478328.279:1722168): saddr=000000000000000000000000\n"} port: 0000 } ... View more

@scelikok  , @koshyk Any help on this topic please ? ... View more

Hi @scelikok , I have decided to increase the  min free space and eviction padding . Before doing  this  , i  want to clarify on the steps .  It will be great if you could  validate my steps. I have 3 indexers in cluster with one Cluster master.   Step 1: I'm going to put indexers on maintenance mode  Step 2 : Login into each the server.conf  and update the following settings:  [diskusage] minFreeSpace = “10%”   [cachemanager] eviction_padding = 51200   Step 3 : Enable maintenance mode   Please validate the above steps and let me know if i missed anything.   Additional question, if my disk is already 95% full , is it safe to update now with minfreespace as 10%? I hope it will evict the buckets immediately to maintain 10 % free space and will not cause any other issue?   Thanks in advance ... View more