Hi, Distributed deployment that includes SH Cluster and IDX Cluster, HEC on IDXs is used to receive the data. I want to use ingest time lookups BUT the lookup will need to be refreshed (let's say hourly). Now the question is how will that work? SHs can refresh a lookup and it will be pushed as part of the search bundle to the IDXs, but I don't think IDXs will know how to use it for ingest time lookup (as this bundle is used during search time), would they? The only option I can think of is to run the scheduled search that populates the lookup on Cluster Master but tell it to output the lookup into the `slave_apps` folder, but that will require to push a new IDX bundle every time.....   Any thoughts on how to do it? Thanks. ... View more

Hi, I want eventgen (installed as an App) to continuously reply 3 events just replacing the timestamp       # etc/apps/my_app/local/eventgen.conf [host_perf_monitor.sample] mode = replay interval = 15 earliest = -15s latest = now outputMode = file fileName = /opt/tmp/host_cpu.log token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} token.0.replacementType = replaytimestamp token.0.replacement = %Y-%m-%d %H:%M:%S # etc/apps/my_app/samples/host_perf_monitor.sample 2022-03-24 01:01:10 host=linux_server_01 status=WARNING object=cpu_used_pct value=66 2022-03-24 01:01:12 host=linux_server_01 status=ERROR object=cpu_used_pct value=85 2022-03-24 01:01:14 host=linux_server_01 status=GOOD object=cpu_used_pct value=44         if the eventgen would run at 08:38:45 I would expect that the output will be     2022-03-25 08:38:41 host=linux_server_01 status=WARNING object=cpu_used_pct value=66 2022-03-25 08:38:43 host=linux_server_01 status=ERROR object=cpu_used_pct value=85 2022-03-25 08:38:45 host=linux_server_01 status=GOOD object=cpu_used_pct value=44     but it is (first and second event are at the same time)     2022-03-25 08:38:43 host=linux_server_01 status=WARNING object=cpu_used_pct value=66 2022-03-25 08:38:43 host=linux_server_01 status=ERROR object=cpu_used_pct value=85 2022-03-25 08:38:45 host=linux_server_01 status=GOOD object=cpu_used_pct value=44     Tried with other event "spreads" as well (for example on 01, 34, 45 seconds) and will still always get 1st and 2nd events with the same timestamp. Thanks   ... View more

Hi, I need to extract multiple fields (from events that are coming via HEC) and assign an index based on the concatenated values. (I know that you can assign index per HEC token, but let's assume that all the events are coming with the same token) Example payload { "sourcetype": "hec:generic", "event": { "platform": "platform01", "service": "service02", "env": "npd", "type": "alert", "test": "true", "message": "TEST HEC 040" } } i've figured out how to do it if I know the order props.conf [hec:generic] TRANSFORMS-index_selector = index_selector transforms.conf [index_selector] REGEX = platform"\s?:\s?"(?P<platform>\w+)",\n\s*"service"\s?:\s?"(?P<service>\w+)",\n\s*"env"\s?:\s?"(?P<env>\w+) DEST_KEY = _MetaData:Index FORMAT = $1_$2_$3 But what if I don't know the order of the platform , service and env fields? Any suggestions? Can I somehow have 3 separate REGEX lines? Tried below REGEX = platform"\s?:\s?"(?P<platform>\w+) REGEX = service"\s?:\s?"(?P<service>\w+) REGEX = env"\s?:\s?"(?P<env>\w+) DEST_KEY = _MetaData:Index FORMAT = $1_$2_$3 and the result it just picks up the last REGEX, so basically it tries to assign "npd_$2_$3" to index ... View more