So don't use double quotes with the rex command in scheduled searches for alerts. Just use a search like:
source="C:\test\data\log1.txt" | rex v=(? .*) | head 10
This works fine for alerts and is more readable.
Set up an alert with the search command:
source="C:\test\data\log1.txt" | rex v="(? .*)" | head 10
The alert has never been triggered, although the same search in the Splunk UI generates results.
I tested the following commands with the 4.3.3 release and both work fine:
splunk export eventdata -index main -dir /temp/events.out -source 'C:\work\test\test.log'
splunk export eventdata -index main -dir /temp/raven -host 'raven-PC'