[audittrail] EXTRACT-search_id = search_id=\'(?[^\']*?)\' EXTRACT-apiStartTime = apiStartTime=\'(?[^\']*?)\' EXTRACT-apiEndTime = apiEndTime=\'(?[^\']*?)\' EXTRACT-search_string = search=\'(?.*?)\',\sautojoin LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group [http_event_collector_metrics] LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group [splunk_resource_usage] LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group EVAL-data.search_props.label = if(isnull('data.search_props.label') AND isnotnull('data.search_props.sid'), "N/A", 'data.search_props.label') EVAL-data.search_props.provenance = if(isnull('data.search_props.provenance') AND isnotnull('data.search_props.sid'), "unknown", 'data.search_props.provenance') [kvstore] LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group [wlm_monitor] LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group [splunk_disk_objects] LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group [splunkd] LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group # splunk is not able to auto extract field names with parenthesis, have to explicitly extract them here # note field name cannot be more than 32 characters EXTRACT-compute_search_quota_max_ms = Compute_Search_Quota_Max_Time\(ms\)=(?\d+(\.\d+)?) EXTRACT-compute_search_quota_mean_ms = Compute_Search_Quota_Mean_Time\(ms\)=(?\d+(\.\d+)?) EXTRACT-dispatch_dir_reaper_max_ms = Dispatch_Directory_Reaper_Max_Time\(ms\)=(?\d+(\.\d+)?) EXTRACT-dispatch_dir_reaper_mean_ms = Dispatch_Directory_Reaper_Mean_Time\(ms\)=(?\d+(\.\d+)?) EXTRACT-get_bundleList_max_ms = Get_BundleList_Max_Time\(ms\)=(?\d+(\.\d+)?) EXTRACT-get_bundleList_mean_ms = Get_BundleList_Mean_Time\(ms\)=(?\d+(\.\d+)?) EXTRACT-get_auth_max_ms = Get_Authentication_Max_Time\(ms\)=(?\d+(\.\d+)?) EXTRACT-get_auth_mean_ms = Get_Authentication_Mean_Time\(ms\)=(?\d+(\.\d+)?) EXTRACT-get_serverInfo_max_ms = Get_ServerInfo_Max_Time\(ms\)=(?\d+(\.\d+)?) EXTRACT-get_serverInfo_mean_ms = Get_ServerInfo_Mean_Time\(ms\)=(?\d+(\.\d+)?) EXTRACT-bundle_dir_reaper_max_ms = Bundle_Directory_Reaper_Max_Time\(ms\)=(?\d+(\.\d+)?) EXTRACT-bundle_dir_reaper_mean_ms = Bundle_Directory_Reaper_Mean_Time\(ms\)=(?\d+(\.\d+)?) # fix typo EXTRACT-enqueue_searches_count = enqueue_seaches_count=(?\d+) [splunkd_access] LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group [splunkd_remote_searches] LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group [scheduler] LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group EVAL-status = case(status=="success", "completed", status=="skipped", "skipped", status=="continued", "deferred") [mongod] LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group [splunkd_conf] LOOKUP-dmc_add_instance_info = dmc_assets host OUTPUTNEW machine search_group EVAL-object_type = mvindex('data.asset_uri{}', 2) EVAL-owner = mvindex('data.asset_uri{}', 0) EVAL-app = mvindex('data.asset_uri{}', 1) EVAL-object_name = mvindex('data.asset_uri{}', 3) EVAL-optype_desc = 'data.optype_desc' EVAL-from_repo = 'data.from_repo' EVAL-to_repo = 'data.to_repo' EVAL-status = 'data.status'