How can I get stats by author if I have multiline events like the below? Project: /a/b/c loc=100 author=aaa@foo.com loc=100 author=bbb@foo.com loc=100 author=ccc@foo.com Project: /a/b/c loc=200 author=aaa@foo.com loc=200 author=ccc@foo.com loc=200 author=ddd@foo.com Given the 2 events above, am looking for a results table like this: Project Author Total Lines of Code (loc) ------------------------------------------------- /a/b/c aaa@foo.com 300 bbb@foo.com 100 ccc@foo.com 300 ddd@foo.com 200 ... View more

I am trying to extract a field with 2 distinct problems: The field length can often creep above 498 characters. This is where Splunk fails to complete the field extraction (maybe because of a PCRE recursion limit). The field values are somewhat tricky as they are surrounded by quotes and include double quotes (to escape single quotes). In psuedo speak, here is an example event: "JOB_NEW" "pretend this is the ""very"" long field with more than 498 chars" "next field" "more fields" The regex to solve #1: ... | rex "^\"JOB_NEW\" \"(?<lsfcommand>([^\"]*)\")" The regex to solve #2: ... | rex "^\"JOB_NEW\" \"(?<lsfcommand>(\"\"|[^\"])*)\"" Can you help find a regex to solve both #1 and #2? I've included a data sample below which I believe captures both problems. So if we can find a regex that works for all 3 events then we're golden. === props.conf === [regextest] SHOULD_LINEMERGE = false DATETIME_CONFIG = CURRENT === data sample (3 events) === "JOB_NEW" "siliconsmart -x ""set sis_stage libgen"" scripts/sis_runme.tcl" 0 "" "default" 32987 1 "LINUX64" "" "" "" "" 2104336 0 "" "" "/prj/abcdef/lsfgbcspool/x" -1 -1 -1 "default" 0 "" "" -1 "" 0 -1 "JOB_NEW" "/prj/abc/def-sys/bolt/users/fooo/KalmanRegressionTip/tip100173/wiltsim/tools/../../library/lsf_tools/lsf_jobname_wait.pl stressTest_iceqbe.pl.b68c83ae\* /prj/abc/lte-sys/bolt/users/fooo/KalmanRegressionTip/tip100173//wiltsim/tools/regress_finalize.pl -m xluo /prj/abc/lte-sys/bolt/users/fooo/KalmanRegressionTip/tip100173//regression/logs/log_stressTest_iceqbe.pl.20130829.013458.report.log fooo fooo" 0 "" "11644" 1 "LINUX64" "" "" "" "" 2098192 0 "" "" "/prj/abcdef/lsfgbcspool/x" -1 -1 -1 "default" 0 "" "" -1 "" 0 -1 "JOB_NEW" "/prj/abc/lte-sys/bolt/users/fooo/KalmanRegressionTip/tip100173/wiltsim/tools/../../library/lsf_tools/lsf_jobname_wait.pl stressTest_iceqbe.pl.b68c83ae.1.autosim_define\* /prj/abc/lte-sys/bolt/users/fooo/KalmanRegressionTip/tip100173//run/performance/ICEQBE/_SingleCellKalmanStressTests/_compare2reference.pl -cltv -metric PDSCH_INFO_UEID_1 ThroughputMbps 0.06 /prj/abc/lte-sys/bolt/users/fooo/KalmanRegressionTip/tip100173//regression/logs/log_stressTest_iceqbe.pl.20130829.013458.report.log fooo fooo" 0 "" "11644" 1 "LINUX64" "" "" "" "" 2098192 0 "" "" "/prj/abcdef/lsfgbcspool/x" -1 -1 -1 "default" 0 "" "" -1 "" 0 -1 ... View more

What I'm looking for is a hybrid of the stats list() and values() functions. First, I'd like the list of unique values for a multivalue field, then alongside each unique value, I'd like the count of occurrences of that value. Is this possible? Maybe this is better illustrated through an example. Given a set of events like this: 03/12/2013 15:55:00 id=foo abc=123,123,123 03/12/2013 15:56:00 id=bar abc=123,456,789,789 I can get tables like these with the list() and values() functions, respectively: id abc id abc ---------------- ---------------- foo 123 foo 123 123 bar 123 123 456 bar 123 789 456 789 789 But what I really want is this: id abc ---------------- foo 123 (3) bar 123 (1) 456 (1) 789 (2) I believe this to be possible... for a search query superhero (which I am not). 🙂 ... View more

We would love it if there was a REST endpoint or way to create and update tags similar to the way we refreshed fields in the old days with "... | extract reload=t". I understand you can simply restart Splunk to refresh new configuration including tags.conf, but we are trying to find ways to reload dynamically without restarting. I also understand we have endpoints to support the addition/deletion of tags individually. Knowledge: http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTknowledge#search.2Ftags Configurations: http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTconfig This is going to require some scripting or coding, which isn't terrible, but if there's a more efficient way to do this it would be preferred. Since there's no 'update' endpoint which means we also have to account for existing tags of the same when adding/deleting. Hoping there's some undocumented endpoint or utility to perform a bulk dynamic refresh. We like the way tags are displayed next to the field in Splunk Web so using a lookup is not ideal, but could logically accomplish the same thing. ... View more