NO this is no April Fools Joke. But it feels that way to me... I'm trying to use transforms.conf and props.conf to change the way the source of a log file looks in Splunk when it is indexed. However sometimes the log file is long, other times it is not. For example: arcd_3278659_me00quc_cat-qu-mouse01.20140331 arcd_3268459_me04quc_rat-qu-mouse04.20140331 arcd_me00quc_cat-qu-mouse.20140331 arcd_me02quc_bat-qf-mouse.20140331 arcd_100_me00quc_cat-qu-mouse01.20140331 Normally there are digits between the words arcd and me00que...but in some cases, there is not! I want the source name to show up as: arcd_me00quc_cat-qu-mouse arcd_me04quc_rat-qu-mouse04 arcd_me02quc_bat-qf-mouse I don't care about the trailing numbers at the end and I don't care about the numbers between arcd and me00que. This is where I"m having a problem renaming the source. Transforms.conf [source_clean-digits-before-ext] DEST_KEY = MetaData:Source SOURCE_KEY = MetaData:Source REGEX = source::(.*)[-._]\d+[-._]([a-z0-9]+)[-._]([a-zA-Z0-9-]+)[-._]\d+$ FORMAT = source::$1$3$4 Props.conf: [arcd] TRANSFORMS-fix_source = source_clean-digits-before-ext When I turned this on, the source names showed up as: arcdme00quc-batch01$4 arcd_me00quc_cat-qu-mouse01.20140401 I think this is messing up the regex. I'm wondering if there is a way to have the source name always show up as: arcd_me00quc_cat-qu-mouse01 I don't want the training numbers at the end and if there are numbers in $2, I don't want those either! I'm playing around with this but thought hey, I'll post it here too because I'm having trouble trying to nail it down. ... View more

I'm trying to use lookups to do a keyword search and I can't grasp my brain around the right way to do this. I've got some web logs I'm looking at in splunk that contain data that identifies what operating system and browser a user is using. The string that contains this data isn't always the same algorithm so my regex's haven't been succssful. I'm planning on making a chart of the most popular browsers and the most popular operating systems. I'd like to do the following as a new idea: Make a csv of all the operating systems and a csv of all the browsers. Use the lookups command to do a keyword search to locate these key words and rename them to more identifiable terms (example: Windows NT 6.1 = Windows 7). Perform a count of how many times the new identifiable term (example: Windows 7) has been found for the given period of time. I have a simple search like this. I am looking at one particular object to get the information I need: sourcetype=access_logs command=GET company_logo | dedup username The type of information i get back in results is : 10.10.10.10 10.120.130.140 www.testing.somedomain.com [22/Jul/2013:19:22:08 +0000] 304 "GET /blahblah-tmf/images/company_logo.png HTTP/1.1" [booberry] (http-apr-8080-exec-3) 1 - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0" So, I want to pipe this search to look at the lookup file, look for keywords I have listed, rename those keywords to something else and put them in a field, and then I will do a count of how many times those new renamed keywords were found. Even if I don't use the lookups command and somehow could do an automatic lookup would be cool. My lookup file for the browser csv I started looked like: keyword, browser_type Trident/4.0,IE8 Trident/5.0,IE9 Trident/6.0,IE10 I checked a few other questions on this but didn't get it right just yet so figured I'd dump that here. I tried this one: http://splunk-base.splunk.com/answers/84799/find-multiple-keywords-in-file-and-show-them-on-a-chart My search is this so far: sourcetype=access_logs command=GET company_logo | dedup username Any ideas? ... View more