Hello, I have set a email alert. ID is the unique identifier my source file is text file which updates after some time whenever new activity is capture, Forwarder will re read that file again, to avoid duplication of search im using dedup ID,  if I don't use dedup ID in my search it will show me numbers of result which is not equal to the file. For e.g: my file have 3 logs before after some activity 2 more logs added in file total count is 5, however splunk is showing 8 events in GUI. to avoid this im using dedup ID.  Now, the issue is my alert is on real time im getting alot duplicated results in my email. Below is my query index=pro sourcetype=logs Remark="xyz" | dedup ID | table ID, _time, field1. field2, field3, field4 using the above query im getting correct result on GUI but numbers of alerts generate on email. ... View more

Hello, I'm integrating the .txt file in Splunk, however while integrating the file my events are breaking into single line not all events but many of them are breaking into single line. Attaching the log file in comments. Below is how my data is appearing on Splunk when I add this txt file into Splunk. Is there any way I can limit the starting and ending point of my event. I want my data to be started from @ID and ends on REMARK.    And if I use regex "(@ID[\s\S]*?REMARK[\s\S]*?)(?=@ID|$)" while adding the data, many of my logs are getting missing attaching the snapshot of it also. not sure how to resolve this issue,  if anyone can know how i can integrate this .txt file to get my event start from (@ID to REMARK)     ... View more

Hello community, Below is my sample log file I want to extract each individual piece of event(starting from @ID to REMARK) from the log file. I tried to achieve this by using following regex: (^@ID[\s\S]*?REMARK.*$) This regex is taking the whole log file as single event. Attaching the snapshot below.  Also tried to alter the props.conf by using the same regex: props.conf [t24] SHOULD_LINEMERGE=False LINE_BREAKER=(^@ID[\s\S]*?REMARK.*$) NO_BINARY_CHECK=true disabled=false INDEXED_EXTRACTIONS = csv   LIST F.PROTOCOL @ID PROTOCOL.ID PROCESS.DATE TIME.MSECS K.USER APPLICATION LEVEL.FUNCTION ID REMARK PAGE 1 11:34:02 23 NOV 2023 @ID............ 202309260081340532.21 @ID............ 202309260081340532.21 PROTOCOL.ID.... 202309260081340532.21 PROCESS.DATE... 20230926 TIME.MSECS..... 11:15:32:934 K.USER......... INPUTTER APPLICATION.... AC.INWARD.ENTRY LEVEL.FUNCTION. 1 ID............. REMARK......... ENQUIRY - AC.INTERFACE.REPORT @ID............ 202309260081340523.16 @ID............ 202309260081340523.16 PROTOCOL.ID.... 202309260081340523.16 PROCESS.DATE... 20230926 TIME.MSECS..... 11:15:23:649 K.USER......... INPUTTER APPLICATION.... AC.INWARD.ENTRY LEVEL.FUNCTION. 1 ID............. REMARK......... ENQUIRY - AC.INTERFACE.REPORT   Attaching the screenshot of the data which I'm getting on Splunk by using the regex mentioned above. Also attaching the snapshot of regex result which i have checked earlier online. I want my data to be shown in table form following is the example snapshot of how I want my data to be appear on Splunk.   ... View more

Hello Team, I was trying to parse my data by updating props.conf file i have created this file in (C:\Program Files\SplunkUniversalForwarder\etc\system\local\props.conf)  [t24protocollog] DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false LINE_BREAKER=^@ID[\s\S]*?REMARK.*$ NO_BINARY_CHECK=true disabled=false by using above configuration file.  When I'm using the regex it separate each line as a event instead of defining starting and endpoint of event. I checked this regex on regex 101 it is giving me proper result on regex101.com but not on Splunk. Attaching the screenshot how my logs are showing on SPLUNK GUI. Below is the content of log file. -------------------------------------- LIST F.PROTOCOL @ID PROTOCOL.ID PROCESS.DATE TIME.MSECS K.USER APPLICATION LEVEL.FUNCTION ID REMARK PAGE 1 11:34:02 23 NOV 2023 @ID............ 202403.16 @ID............ 202403.16 PROTOCOL.ID.... 202403.16 PROCESS.DATE... 20230926 TIME.MSECS..... 11:15:23:649 K.USER......... INPUTTER APPLICATION.... DC.ENTRY LEVEL.FUNCTION. 1 ID............. REMARK......... QUIRY - AC.REPORT @ID............ 202303.16 @ID............ 202303.16 PROTOCOL.ID.... 202303.16 PROCESS.DATE... 20230926 TIME.MSECS..... 11:15:23:649 K.USER......... INPUTTER APPLICATION.... AC.ENTRY LEVEL.FUNCTION. 1 ID............. REMARK......... ENQUIRY - AC.REPORT Kindly do let me know if im doing anything wrong, need to parse the log file. ... View more

Hello Team, I have a .log flat file this file give us the data whenever we open and run command it give us some logs, now i am integrating this .log file with Splunk but it is not integrating. I ran following command to integrate it, "/splunk/bin ---> ./splunk add monitor [file name]" it give me message that file has been added to monitor list.  However i don't see this file on my Splunk, further if i have this file on Splunk how it will takes data from it whenever we run any command, also this .log file doesn't store data in any other directory whenever we close the file data disappears. Please note the OS im using is Sun Solaris  ... View more