Hello Everyone, We have following props.conf [sourcetypeA] KV_MODE = json SHOULD_LINEMERGE = false TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3Q%Z TRUNCATE = 0 LINE_BREAKER = ([\n\r]+){ TIME_PREFIX = (\"timestamp\"[^\"]+\") TRANSFORMS-set = setnull,setparsing and transforms.conf: [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = Regex1 DEST_KEY = queue FORMAT = indexQueue Using this configuration we are getting filtered data in splunk and it is working as expected. No we have a requirement where we want to apply similar settings to another sourcetype say sourcetypeB with having different regex for [setparsing]. I have updated the props.conf as [sourcetypeA] KV_MODE = json SHOULD_LINEMERGE = false TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3Q%Z TRUNCATE = 0 LINE_BREAKER = ([\n\r]+){ TIME_PREFIX = (\"timestamp\"[^\"]+\") TRANSFORMS-set = setnull,setparsing [sourcetypeB] KV_MODE = json SHOULD_LINEMERGE = false TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3Q%Z TRUNCATE = 0 LINE_BREAKER = ([\n\r]+){ TIME_PREFIX = (\"timestamp\"[^\"]+\") TRANSFORMS-set = setnull,setparsing1 Transforms.conf has been modified as: [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = Regex1 DEST_KEY = queue FORMAT = indexQueue [setparsing1] REGEX = Regex2 DEST_KEY = queue FORMAT = indexQueue After applying these setting I see data only getting indexed for SourcetypeB and no data for SourcetypeA. Could anyone please help what do i need to change to get data for both sourcetypes A and B. I have tried multiple combinations but only getting data for one sourcetype at one time Regards, Inderjot ... View more

Hello to all the Splunkers! I have an very important question which needs to be addressed before we do an uplift of our Splunk version. We are planning to uplift our Splunk version from 6.3.2 to 6.6.2 or 6.6.3 We are using data model acceleration in our current Splunk version i.e. 6.3.2 As Splunk 6.6.3 is very new release (21 August 17) so mind says we should go with 6.6.2 Her comes the bone of contention I see following in 6.6.3 release notes: Date resolved Issue number Description 2017-07-25 SPL-142801, SPL-142771 Only one root event search in a DM gets accelerated I have no idea what is meant by this above Issue and this is making me wonder which Splunk version I should go for. As far as my limited knowledge with Splunk I knew that we can have only one root event per data model and that is the way our current Data Model are designed. Please help me clear my understanding and let us decide which Splunk version shall we go for. Thanks in advance! Regards, Inderjot Singh Rasila ... View more