Thanks for the regex correction. Glad it worked for you. ... View more

Any ideas? Is it possible to do the query I need? I need to know when was the first occurrence for each Id, if it's a limits problem, what value should I change? ... View more

Hi Genti. I think I've found the issue. If I go to Jobs and filter this saved search, the number of events for last two runs says "0", but if I open the results I do have events (but above the flashtimeline says "0 matching events"). And if I re-run the search (on the same window) the results I got the same results but the "matching events" is right. Maybe that's what's avoiding the alarm to run? ... View more

Thanks! This case helped me understand that -output rawdata is based on the contents of the _raw field and that any field filtering is ignored. For example: splunk search 'index=anIndex some=criteria | fields + foo, bar' -output rawdata gives all fields and is not limited to foo and bar, which is my goal. Removing the special fields starting with underscore: splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output rawdata gives the error: Error result had no _raw key Ultimately I changed the query output to 'raw': splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output raw and now I get only the fields foo and bar in my results! Unfortunately the output format of 'raw' is different from 'rawdata' and thus I need to adjust my down stream processing but that's the next step. ... View more

Did you get an answer for this in the meantime? I've run into the same issue ... View more

Yep. thanks Lowell for bumping up this question again. Pager lives. ... View more

One simple and low-tech way is to use eval's 'replace' function. its not the prettiest but it might not make your head hurt as much as using rex in 'sed' mode. 😃 after your rex: | rex "\<properties>(?<Properties>.*)\</properties>" | put this: | eval Properties=replace(Properties, "</key><value>", " = ") | eval Properties=replace(Properties, "</value></property><property><key>", " | ") | eval Properties=replace(Properties, "<property><key>", "") | eval Properties=replace(Properties, "</value></property>", "") and while we're considering nutty solutions, here's another one. Again tack this onto the end of your rex where you're extracting the Properties string. | eval Properties=replace(Properties, "<property>", "") | makemv Properties delim="</property>" | mvexpand Properties | rename Properties as _raw | xmlkv that last one actually makes multivalued field and then splits them into their own rows... mileage/applicability may vary. ... View more

Never mind. In my Splunk version, it's apparently called settings. Thanks! ... View more

Regular backup will not work in case you overide files and you want to earliar/previous file, in svn you can get all previous files so put your files in svn if you want previous version of configuration files... -Kamal Bisht ... View more

We just added everyone to have read access to the Search app and then hid the Search app. ... View more