Hi there, I am building a Synology Splunk TA to share with the community. In the logs, file sizes can be presented in many different units:   1.72 KB 2.35 KB 0 Bytes 75.08 KB 243.00 KB 18.62 MB 261.62 KB 48.60 GB     I've been stuck trying to convert all of these values to bytes. This post was really helpful in using regex and eval statements, but does not consider the added complexity of have decimal places. Any assistance is appreciated and will be credited in the App. ... View more

Hi, I created an App on my Splunk indexer which had a props.conf, outputs.conf and transforms.conf with the following data: [syslog] TRANSFORMS-routing = routeAll, routeSubset Edit $SPLUNK_HOME/etc/system/local/transforms.conf and add the following text: [routeAll] REGEX=(.) DEST_KEY=_TCP_ROUTING FORMAT=Everything [routeSubset] REGEX=(SYSTEM|CONFIG|THREAT) DEST_KEY=_TCP_ROUTING FORMAT=Subsidiary,Everything Edit $SPLUNK_HOME/etc/system/local/outputs.conf and add the following text: [tcpout] defaultGroup=nothing [tcpout:Everything] disabled=false server=10.1.12.1:9997 [tcpout:Subsidiary] disabled=false sendCookedData=false server=10.1.12.2:1234 I then restarted my Splunk service and it froze while restarting. It then appeared that my server had frozen, so I restarted the server on the hypervisor level after waiting some time with splunk not coming back online. Once it was back online, I realised that all Indexes were completely wiped from the mount point, and the indexes reset and started populating with new data coming from the heavy forwarder. Is there any way that changes to conf files could have done this? Or could this have happened if the server crashed while Splunk was restarting? Thank you. ... View more