This one is a bit tricky I think. Breaking the events up based on the INIT line should be easy enough. Tying those back to the description is tougher. In Splunk, we have to create an event first from the data streaming in. It's not like we're parsing a file in whole, we're processing it as it streams by. And so we can't grab the header, store it and then tag that data to other events... at least no way that I know how.
BUT, we can do some things. For example, we can set the entire header aside as its own event and give it a different sourcetype. And then create events for the job actions. Later on when we search the data, we should be able to tie together those two events based on the host and source - since they will match. So at that point, we can sort of glue the description back in.
Not sure if it's the best method to do this, but maybe it's one. This quick example assumes the sourcetype set when you ingest the logs is app:job:log and creates one called app:job:header... both of which are easily changeable of course.
Indexer/Parse Config (On your indexers)
props.conf
[app:job:log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\[[^\]]+\]\s*'INIT')
TIME_PREFIX = ^\[
MAX_TIMESTAMP_LOOKAHEAD = 20
TRANSFORMS-header_sourcetype = set_app_job_header_sourcetype
transforms.conf
[set_app_job_header_sourcetype]
REGEX = ^\[[^\]]+\]\s*#{5}
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::app:job:header
Search Config (on your search heads)
props.conf
[app:job:header]
REPORT-header_fields = app_job_header_fields
transforms.conf
[app_job_header_fields]
REGEX = \]\s+#\s+([^:]+):\s*([^\r\n]+)
FORMAT = $1::$2
And then assuming all that works, a simple sample search might be like
index=app sourcetype=app:job:*
| eventstats values(Description) as Description by host source
| where sourcetype="app:job:log"
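As an added example (not part of the post above, and not Splunk code), here is a small Python emulation of that pipeline so the regexes can be checked offline before deploying them: the LINE_BREAKER split, the index-time sourcetype rerouting of the header, the search-time $1::$2 field extraction, and the eventstats glue by host and source. The sample log is constructed, since the post does not show the real format; it only assumes lines start with a bracketed timestamp, the header block begins with "#####", and each job action begins with 'INIT'.

```python
import re

# Regexes copied from the props.conf / transforms.conf in the post.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=\[[^\]]+\]\s*'INIT')")
HEADER_EVENT = re.compile(r"^\[[^\]]+\]\s*#{5}")
HEADER_FIELD = re.compile(r"\]\s+#\s+([^:]+):\s*([^\r\n]+)")

# Constructed sample log (assumed format, not the poster's real data).
SAMPLE_LOG = (
    "[2024-01-01 10:00:00] #####\n"
    "[2024-01-01 10:00:00] # Description: nightly backup\n"
    "[2024-01-01 10:00:00] # Owner: ops\n"
    "[2024-01-01 10:00:01] 'INIT' job=1\n"
    "[2024-01-01 10:00:02] copying files\n"
    "[2024-01-01 10:00:03] 'INIT' job=2\n"
)

def break_events(raw):
    """Emulate LINE_BREAKER: split on newlines that precede an 'INIT' line."""
    # re.split returns the captured newline group too; drop those and blanks.
    return [p.strip() for p in LINE_BREAKER.split(raw) if p.strip()]

def route_event(raw_event, host, source):
    """Emulate the index-time transform: header events get their own sourcetype."""
    is_header = HEADER_EVENT.match(raw_event) is not None
    ev = {"_raw": raw_event, "host": host, "source": source,
          "sourcetype": "app:job:header" if is_header else "app:job:log"}
    if is_header:
        # Emulate REPORT-header_fields with FORMAT=$1::$2: group 1 is the
        # field name, group 2 its value (all matches taken; an assumption).
        ev.update({k.strip(): v.strip() for k, v in HEADER_FIELD.findall(raw_event)})
    return ev

def glue_description(events):
    """Emulate `eventstats values(Description) by host source | where sourcetype=app:job:log`."""
    descs = {}
    for ev in events:
        if "Description" in ev:
            descs.setdefault((ev["host"], ev["source"]), set()).add(ev["Description"])
    out = []
    for ev in events:
        if ev["sourcetype"] == "app:job:log":
            ev = dict(ev)
            ev["Description"] = sorted(descs.get((ev["host"], ev["source"]), ()))
            out.append(ev)
    return out

def process(raw, host="jobhost1", source="/var/log/app/job.log"):
    """Run the whole chain for one host/source pair (constructed defaults)."""
    return glue_description([route_event(e, host, source) for e in break_events(raw)])
```

A log event whose host/source pair has no header event ends up with an empty Description, which is the case to watch for when the header was ingested under a different source.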