Thats the answer, thanks! ... View more

blah blah blah MATCH_ME foo bar(end of line) ... View more

While the URLs are correct, the Java SDK (which the OP refers to), supports namespaces. There is a description here: http://dev.splunk.com/view/SP-CAAAECN#namespaces ... View more

The "extract" command docs and the docs for the transforms.conf file should do it. You define it in transforms.conf, then call it on demand using the "extract" command (instead of "rex"). You could use props.conf to make it run automatically for the sourcetype as well. BTW I would not use macros.conf for this particular case, since it adds a whole new layer of escaping and parsing. ... View more

I'm borrowing from Mick's answer here. I just want to point out that you can use this metadata approach to really capture two different scenarios: Your forwarder stopped sending you data. (The original question) Your forwarder is sending you data from the future. (time travel?) I would like to make the argument that both are of equal importance to monitor, for the following reasons: We want to know when a forwarder is down (obviously) It's important to detect when the system clock on a forwarder is out of sync with the indexer. Timestamp recognition problems need to be fixed ASAP. Not checking for future events inhibits your ability to detect when a forwarder goes down. (e.g. if an event is received for 10 days in the future then the lastTime will not be able to reflect the current time correct time until that point. Therefore if the forwarder goes down within that time frame, it will not be detected by an alert that only is looking for old events.) Here is a search that can detect both situations: | metadata index=_internal type=hosts | eval age=time()-lastTime | search age>60 OR age<-15 | sort age d | convert ctime(lastTime) | fields age,host,lastTime There are a few things to note here: If you are forwarding internal events then the index=_internal will let you check for down forwarder on a much quicker interval. (Since metrics events are generated every 30-seconds). If you are not, then pick your most active index, or you could use something like | metadata type=hosts | append [ metadata index=os type=hosts ] | stats max(lastTime) as lastTime by host to query more than one index. (Try to make sure that you pick an index that is less-prone to timestamp configuration glitches which could prevent this alert from working properly.) Notice that I'm using time() here and not now() . This is because we want the current system clock instead of the time the search was scheduled to run. This allows for a more accurate value for age, which can otherwise be skewed due to delays is scheduled search execution. (Note that if your are running a version prior to 4.1, then you'll need to use now() instead of time() , and you will need to change the -15 number to something like -60 or -90, all depending on your potential scheduler delays) ... View more

Hi, I have a similar question. My inner search returns the date and time(for eg 06-22-2015-23). I want to use this time in my outer search as earliest time = "06-22-2015-23" and latest should be one hour after that(06-23-2015-00) i.e one hour post the earliest time. For eg. "outer search" [search ... | eval MyLatestTime=_time | fields + MyLatestTime | rename MyLatestTime as earliest] latest= earliest+1 Thanks in advance ... View more