I am trying to do a groupby operation at index time on Ironport logs. I have looked in all the documents and posts and they all talk about search time groupby using stats.
Scenario: We are getting Ironport Mail logs. The logs are pretty chatty and multiline. If that alone were the case, we could have done props line-break statements and been done with it. These logs, however, are multiline as well as multi-message (parallel: shown below). I want to try to separate the logs belonging to individual emails and group them before they hit the indexers. Any help will be very much appreciated.
As you can see, there are no specific start and end strings in the log, so it is hard to do MUST_BREAK_BEFORE or MUST_NOT_BREAK_BEFORE regexes.
I am creating an add-on for splunk v4.2 (hold your thoughts about the version) and can't seem to get around the below problem
Possible typo in stanza [omnia_secure] in /opt/splunk/etc/apps/TA-omnia_ODP_prod_Management_inputs/local/props.conf, line 3: EVAL-action = if(app="su" AND isnull(action),"success",action)
I have done a bit of research and tried this version with single quotes (') around the custom field, and still get the same thing:
Possible typo in stanza [omnia_secure] in /opt/splunk/etc/apps/TA-omnia_ODP_prod_Management_inputs/local/props.conf, line 3: EVAL-action = if('app'="su" AND isnull(action),"success",action)
As a result, the props and transforms are not being processed.
Have any of you faced the same and bumped into a solution?