Sorry to be a bit slow here.
I'm not sure where props.conf is located.
From the web interface of Splunk, I have added the wildcard to monitor, so this is located in apps/_server_app_mail/local/inputs.conf
There is no existing props.conf file. Should I just add one in this directory?
And so your regex deletes the timestamps?
I was kinda looking for something so I can group by sessionid ([39647:2]) - (whatever is in the brackets).
End goal is to list how many sessions have a specific line associated
e.g.
Fri 2016-10-21 12:40:01: [55444:3] * zen.spamhaus.org - failed - 127.0.0.4
Hope you can elaborate a bit. Thanks
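An added example (not from the thread, and not Splunk's own code) of the grouping described above: it extracts the bracketed session id from lines in the quoted format, groups lines by session, and counts how many sessions contain a given line. The sample log is constructed, and the second bracketed number is assumed to be a per-session line counter.

```python
import re
from collections import defaultdict

# One log line: "<dow> <date> <time>: [<session_id>:<seq>] <message>".
# The second bracketed number is assumed to be a per-session line counter.
# The same named group works as a Splunk field extraction, e.g. in props.conf
#   EXTRACT-session = \[(?<session_id>\d+):\d+\]
# or ad hoc:  ... | rex "\[(?<session_id>\d+):\d+\]" | stats dc(session_id)
# (Splunk/PCRE write named groups as (?<name>...); Python's re needs (?P<name>...)).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"\[(?P<session_id>\d+):(?P<seq>\d+)\] (?P<msg>.*)$"
)

# Constructed sample, modelled on the line quoted in the post (not real traffic).
SAMPLE_LOG = """\
Fri 2016-10-21 12:40:01: [55444:3] * zen.spamhaus.org - failed - 127.0.0.4
Fri 2016-10-21 12:40:01: [55444:4] * Connection refused
Fri 2016-10-21 12:40:09: [55445:1] * Accepting SMTP connection from 198.51.100.7
Fri 2016-10-21 12:40:10: [55445:2] * zen.spamhaus.org - passed
Fri 2016-10-21 12:41:00: [39647:2] * zen.spamhaus.org - failed - 127.0.0.2
this line has no session marker and is skipped
"""


def parse_line(line):
    """Return the named fields of one line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def group_by_session(text):
    """Map session_id -> list of messages, in the order they were logged."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:  # unparseable lines are dropped rather than aborting the run
            sessions[rec["session_id"]].append(rec["msg"])
    return dict(sessions)


def sessions_matching(sessions, pattern):
    """Session ids having at least one message that matches the regex."""
    pat = re.compile(pattern)
    return sorted(sid for sid, msgs in sessions.items()
                  if any(pat.search(m) for m in msgs))


def count_sessions_with(text, pattern):
    """How many distinct sessions contain a line matching the pattern."""
    return len(sessions_matching(group_by_session(text), pattern))


if __name__ == "__main__":
    print(count_sessions_with(SAMPLE_LOG, r"zen\.spamhaus\.org - failed"))  # 2
```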