# props.conf

#
# TrackMe audit events
#

[trackme:audit]
KV_MODE = json
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TZ = UTC

#
# TrackMe flipping state events
#

[trackme:flip]
KV_MODE = json
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TZ = UTC

# anomaly_reason is a JSON list, the following forces the usage of anomaly_reason{} from the auto extracted JSON, and hide the original field
FIELDALIAS-anomaly_reason = anomaly_reason{} ASNEW anomaly_reason
EVAL-anomaly_reason{} = null

#
# TrackMe SLA breaches notifications events
#

[trackme:sla_breaches]
KV_MODE = json
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TZ = UTC

# anomaly_reason is a JSON list, the following forces the usage of anomaly_reason{} from the auto extracted JSON, and hide the original field
FIELDALIAS-anomaly_reason = anomaly_reason{} ASNEW anomaly_reason
EVAL-anomaly_reason{} = null

#
# TrackMe score events
#

[trackme:score]
KV_MODE = json
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TZ = UTC

#
# trackMe notable events
#

[trackme:notable]
KV_MODE=json
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"_time\":\s
TIME_FORMAT=%s.%f
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE=0
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TZ = UTC

# transforms applies at the sourcetype level for Notables
TRANSFORMS-trackme_indexed_fields = trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object, trackme_indexed_json_monitored_state

# anomaly_reason is a JSON list, the following forces the usage of anomaly_reason{} from the auto extracted JSON, and hide the original field
FIELDALIAS-anomaly_reason = anomaly_reason{} ASNEW anomaly_reason
EVAL-anomaly_reason{} = null

#
# trackMe Smart Status
#

# Events are ingested via the SDK method, _time should be now when the method is called

[trackme:smart_status]
KV_MODE = json
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
DATETIME_CONFIG = CURRENT
TRUNCATE=0
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TZ = UTC

TRANSFORMS-trackme_indexed_fields = trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object

#
# TrackMe health events
#

[trackme:health]
KV_MODE = json
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
DATETIME_CONFIG = CURRENT
TRUNCATE=0
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TZ = UTC

TRANSFORMS-trackme_indexed_fields = trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object

#
# TrackMe notification events
#

[trackme:handler]
KV_MODE = json
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
DATETIME_CONFIG = CURRENT
TRUNCATE=0
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TZ = UTC

TRANSFORMS-trackme_indexed_fields = trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object

#
# TrackMe stateful alert events
#

[trackme:stateful_alerts]
KV_MODE = json
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
DATETIME_CONFIG = CURRENT
TRUNCATE=0
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TZ = UTC

TRANSFORMS-trackme_indexed_fields = trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object

#
# TrackMe Workload version Metadata
#

[trackme:wlk:version_id]
KV_MODE = json
TRANSFORMS-trackme_indexed_fields = trackme_indexed_tenant_id, trackme_indexed_object_category, trackme_indexed_object
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)
TZ = UTC

#
# TrackMe fields quality
#

[trackme:fields_quality]
KV_MODE=json
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":
TIME_FORMAT=%s.%f
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE=0
# TZ: this is not UTC in this case and is meant to be ingested through the collect command

#
# alert actions
#

# Issue#851: modular alerts actions logs should not set UTC timezone

[source::...trackme_smart_status_modalert.log*]
sourcetype = modular_alerts:trackme_smart_status
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s

[source::...trackme_auto_ack_modalert.log*]
sourcetype = modular_alerts:trackme_auto_ack
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s

[source::...trackme_free_style_rest_call_modalert.log*]
sourcetype = modular_alerts:trackme_free_style_rest_call
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s

[source::...trackme_notable_modalert.log*]
sourcetype = modular_alerts:trackme_notable
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s

[source::...trackme_stateful_alert_modalert.log*]
sourcetype = modular_alerts:trackme_stateful_alert
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s

#
# TrackMe REST API
#

[source::...trackme_rest_api_*.log*]
sourcetype = trackme:rest_api
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s

#
# TrackMe handler events
#

[source::...trackme_handler_events.log*]
KV_MODE = none
# this is required for the INGEST_EVAL, however we only keep the final final fields from the INGEST_EVALS
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":\s\"
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
MAX_TIMESTAMP_LOOKAHEAD=30
TZ = UTC

TRANSFORMS-eventslog = trackme_events_ingest_evals, trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object, trackme_indexed_json_monitored_state

#
# TrackMe events
#

[source::...trackme_state_events.log*]
KV_MODE = none
# this is required for the INGEST_EVAL, however we only keep the final final fields from the INGEST_EVALS
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":\s\"
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
MAX_TIMESTAMP_LOOKAHEAD=30
TZ = UTC

TRANSFORMS-eventslog = trackme_events_ingest_evals, trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object, trackme_indexed_json_monitored_state

#
# TrackMe audit events (new format introduced in 2.1.2, index time parsing happens here and is then redirected to trackme:audit)
#

[source::...trackme_audit_events.log*]
KV_MODE = none
# this is required for the INGEST_EVAL, however we only keep the final final fields from the INGEST_EVALS
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":\s
TIME_FORMAT=%s.%6N
TRUNCATE=0
MAX_TIMESTAMP_LOOKAHEAD=30
TZ = UTC

TRANSFORMS-auditlog = trackme_audit_events_ingest_evals


# this applies at the overriden props level
[trackme:state]
KV_MODE = json
EVAL-tenant_id = mvdedup(tenant_id)
EVAL-object = mvindex(mvdedup(object), 0)
EVAL-object_category = mvdedup(object_category)

# anomaly_reason is a JSON list, the following forces the usage of anomaly_reason{} from the auto extracted JSON, and hide the original field
FIELDALIAS-anomaly_reason = anomaly_reason{} ASNEW anomaly_reason
EVAL-anomaly_reason{} = null

#
# TrackMe Workload versioning
#

[source::...trackme_wlk_version.log*]
KV_MODE = none
# this is required for the INGEST_EVAL, however we only keep the final final fields from the INGEST_EVALS
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":\s\"
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
MAX_TIMESTAMP_LOOKAHEAD=30
TZ = UTC

TRANSFORMS-eventslog = trackme_events_ingest_evals, trackme_indexed_json_tenant_id, trackme_indexed_json_object_category, trackme_indexed_json_object

#
# Required for the Workload
#

[source::...resource_usage.log*]
FIELDALIAS-app = data.search_props.app ASNEW app

[source::splunk-svc-consumer]
FIELDALIAS-app = search_app ASNEW app

[source::splunk-svc-search-attribution]
FIELDALIAS-app = search_app ASNEW app

#
# Events to metrics
#

# scoring metrics
[source::...trackme_scoring_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# this is required for the INGEST_EVAL, however we only keep the final final fields from the INGEST_EVALS
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":\s
TIME_FORMAT=%s.%6N
TRUNCATE=0
MAX_TIMESTAMP_LOOKAHEAD=30
TZ = UTC

METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_scoring_metrics_extract_schema
TRANSFORMS-metricslog = trackme_scoring_metrics_index_redirect,trackme_scoring_metrics_field_extraction,trackme_scoring_metrics_field_extraction_json,trackme_scoring_metrics_metric_name

# sla state metrics
[source::...trackme_sla_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# this is required for the INGEST_EVAL, however we only keep the final final fields from the INGEST_EVALS
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":\s
TIME_FORMAT=%s.%6N
TRUNCATE=0
MAX_TIMESTAMP_LOOKAHEAD=30
TZ = UTC

METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_sla_metrics_extract_schema
TRANSFORMS-metricslog = trackme_sla_metrics_index_redirect,trackme_sla_metrics_field_extraction,trackme_sla_metrics_field_extraction_json,trackme_sla_metrics_metric_name

# components register metrics
[source::...trackme_components_register_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# this is required for the INGEST_EVAL, however we only keep the final final fields from the INGEST_EVALS
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":\s
TIME_FORMAT=%s.%6N
TRUNCATE=0
MAX_TIMESTAMP_LOOKAHEAD=30
TZ = UTC

METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_components_register_metrics_extract_schema
TRANSFORMS-metricslog = trackme_components_register_metrics_index_redirect,trackme_components_register_metrics_field_extraction,trackme_components_register_metrics_field_extraction_json,trackme_components_register_metrics_metric_name

# splk-dsm state metrics
[source::...trackme_splk_dsm_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# this is required for the INGEST_EVAL, however we only keep the final final fields from the INGEST_EVALS
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":\s
TIME_FORMAT=%s.%6N
TRUNCATE=0
MAX_TIMESTAMP_LOOKAHEAD=30
TZ = UTC

METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_splk_dsm_metrics_extract_schema
TRANSFORMS-metricslog = trackme_splk_dsm_metrics_index_redirect,trackme_splk_dsm_metrics_field_extraction,trackme_splk_dsm_metrics_field_extraction_json,trackme_splk_dsm_metrics_metric_name

# splk-dhm state metrics
[source::...trackme_splk_dhm_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# this is required for the INGEST_EVAL, however we only keep the final final fields from the INGEST_EVALS
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":\s
TIME_FORMAT=%s.%6N
TRUNCATE=0
MAX_TIMESTAMP_LOOKAHEAD=30
TZ = UTC

METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_splk_dhm_metrics_extract_schema
TRANSFORMS-metricslog = trackme_splk_dhm_metrics_index_redirect,trackme_splk_dhm_metrics_field_extraction,trackme_splk_dhm_metrics_field_extraction_json,trackme_splk_dhm_metrics_metric_name

# splk-mhm state metrics
[source::...trackme_splk_mhm_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# this is required for the INGEST_EVAL, however we only keep the final final fields from the INGEST_EVALS
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":\s
TIME_FORMAT=%s.%6N
TRUNCATE=0
MAX_TIMESTAMP_LOOKAHEAD=30
TZ = UTC

METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_splk_mhm_metrics_extract_schema
TRANSFORMS-metricslog = trackme_splk_mhm_metrics_index_redirect,trackme_splk_mhm_metrics_field_extraction,trackme_splk_mhm_metrics_field_extraction_json,trackme_splk_mhm_metrics_metric_name

# splk-flx metrics
[source::...trackme_flx_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# this is required for the INGEST_EVAL, however we only keep the final final fields from the INGEST_EVALS
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":\s
TIME_FORMAT=%s.%6N
TRUNCATE=0
MAX_TIMESTAMP_LOOKAHEAD=30
TZ = UTC

METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_flx_metrics_extract_schema
TRANSFORMS-metricslog = trackme_flx_metrics_index_redirect,trackme_flx_metrics_field_extraction,trackme_flx_metrics_field_extraction_json,trackme_flx_metrics_metric_name

# splk-fqm metrics
[source::...trackme_fqm_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# this is required for the INGEST_EVAL, however we only keep the final final fields from the INGEST_EVALS
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":\s
TIME_FORMAT=%s.%6N
TRUNCATE=0
MAX_TIMESTAMP_LOOKAHEAD=30
TZ = UTC

METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_fqm_metrics_extract_schema
TRANSFORMS-metricslog = trackme_fqm_metrics_index_redirect,trackme_fqm_metrics_field_extraction,trackme_fqm_metrics_field_extraction_json,trackme_fqm_metrics_metric_name

# splk-wlk metrics
[source::...trackme_wlk_metrics.log*]
sourcetype = metrics_log
KV_MODE = none
# this is required for the INGEST_EVAL, however we only keep the final final fields from the INGEST_EVALS
INDEXED_EXTRACTIONS = JSON
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\{
CHARSET=UTF-8
TIME_PREFIX=\"time\":\s
TIME_FORMAT=%s.%6N
TRUNCATE=0
MAX_TIMESTAMP_LOOKAHEAD=30
TZ = UTC

METRIC-SCHEMA-TRANSFORMS = metric-schema:trackme_wlk_metrics_extract_schema
TRANSFORMS-metricslog = trackme_wlk_metrics_index_redirect,trackme_wlk_metrics_field_extraction,trackme_wlk_metrics_field_extraction_json,trackme_wlk_metrics_metric_name

#
# TrackMe custom commands
#

# per command definition

[source::...trackme_splunkremotesearch.log*]
sourcetype = trackme:custom_commands:splunkremotesearch
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme.log*]
sourcetype = trackme:custom_commands:trackme
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_get_conf.log*]
sourcetype = trackme:custom_commands:trackmegetconf
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmepurgeaudit.log*]
sourcetype = trackme:custom_commands:trackmepurgeaudit
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_tracker_executor.log*]
sourcetype = trackme:custom_commands:trackmetrackerexecutor
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_cimtracker_executor.log*]
sourcetype = trackme:custom_commands:trackmecimtrackerexecutor
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_sampling_executor.log*]
sourcetype = trackme:custom_commands:trackmesamplingexecutor
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_elastic_sources_shared_executor.log*]
sourcetype = trackme:custom_commands:trackmeelasticexecutor
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_merge_splk_dhm.log*]
sourcetype = trackme:custom_commands:trackmemergesplkdhm
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_extract_splk_dhm.log*]
sourcetype = trackme:custom_commands:trackmeextractsplkdhm
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_extract_splk_cim.log*]
sourcetype = trackme:custom_commands:trackmeextractsplkcim
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_get_flipping.log*]
sourcetype = trackme:custom_commands:trackmesplkgetflipping
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_ack_tracker.log*]
sourcetype = trackme:custom_commands:trackmeacktracker
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_gen_notable.log*]
sourcetype = trackme:custom_commands:trackmegennotable
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_collect.log*]
sourcetype = trackme:custom_commands:trackmecollect
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_collect_health.log*]
sourcetype = trackme:custom_commands:trackmecollecthealth
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_load_tenants_summary.log*]
sourcetype = trackme:custom_commands:trackmetenantstatus
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_load_tenants.log*]
sourcetype = trackme:custom_commands:trackmeload
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_merge_splk_mhm.log*]
sourcetype = trackme:custom_commands:trackmemergesplkmhm
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_extract_splk_mhm.log*]
sourcetype = trackme:custom_commands:trackmeextractsplkmhm
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_expand_splk_mhm.log*]
sourcetype = trackme:custom_commands:trackmeexpandsplkmhm
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_outliers_set_rules.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierssetrules
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_outliers_cim_set_rules.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierscimsetrules
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_outliers_get_rules.log*]
sourcetype = trackme:custom_commands:trackmesplkoutliersgetrules
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_outliers_cim_get_rules.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierscimgetrules
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_outliers_get_data.log*]
sourcetype = trackme:custom_commands:trackmesplkoutliersgetdata
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_outliers_train.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierstrain
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_outliers_cim_train.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierscimtrain
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_outliers_render.log*]
sourcetype = trackme:custom_commands:trackmesplkoutliersrender
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_outliers_cim_render.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierscimrender
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_outliers_train_helper.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierstrainhelper
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_outliers_tracker_helper.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierstrackerhelper
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_outliers_cim_tracker_helper.log*]
sourcetype = trackme:custom_commands:trackmesplkoutlierscimtrackerhelper
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_tracker_health.log*]
sourcetype = trackme:custom_commands:trackmetrackerhealth
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_flx_parse.log*]
sourcetype = trackme:custom_commands:trackmesplkflxparse
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_flx_converging.log*]
sourcetype = trackme:custom_commands:trackmesplkflxconverging
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_wlk_parse.log*]
sourcetype = trackme:custom_commands:trackmesplkwlkparse
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_opsstatus_expand.log*]
sourcetype = trackme:custom_commands:trackmeopsstatusexpand
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_stsummary_splk_dhm.log*]
sourcetype = trackme:custom_commands:trackmestsummarysplkdhm
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_persistentfields.log*]
sourcetype = trackme:custom_commands:trackmepersistentfields
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_delayed_feeds_inspector.log*]
sourcetype = trackme:custom_commands:trackmesplkfeedsdelayed
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splkwlk_getreportsdef_gen.log*]
sourcetype = trackme:custom_commands:trackmesplkwlkgetreportsdefgen
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splkwlk_getreportsdef_stream.log*]
sourcetype = trackme:custom_commands:trackmesplkwlkgetreportsdefstream
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splkwlk_getreportowner_stream.log*]
sourcetype = trackme:custom_commands:trackmesplkwlkgetreportowner
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_genjson_metrics.log*]
sourcetype = trackme:custom_commands:trackmegenjsonmetrics
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splkwlk_inactive_inspector.log*]
sourcetype = trackme:custom_commands:trackmesplkwlkinactiveinspector
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_extract_json_metrics.log*]
sourcetype = trackme:custom_commands:trackmeextractjsonmetrics
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmereplicator.log*]
sourcetype = trackme:custom_commands:trackmereplicator
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_replica_executor.log*]
sourcetype = trackme:custom_commands:trackmereplicaexecutor
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmeautogroup.log*]
sourcetype = trackme:custom_commands:trackmeautogroup
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_pretty_json.log*]
sourcetype = trackme:custom_commands:trackmeprettyjson
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_yield_json.log*]
sourcetype = trackme:custom_commands:trackmeyieldjson
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_oneshot_executor.log*]
sourcetype = trackme:custom_commands:trackmeoneshotexecutor
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_flx_get_usecases.log*]
sourcetype = trackme:custom_commands:trackmesplkflxgetuc
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splkflx_inactive_inspector.log*]
sourcetype = trackme:custom_commands:trackmesplkflxinactiveinspector
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_soar.log*]
sourcetype = trackme:custom_commands:trackmesplksoar
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_soar_trackmesplksoarlookup*]
sourcetype = trackme:custom_commands:trackmesplksoarlookup
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_cmdb.log*]
sourcetype = trackme:custom_commands:trackmesplkcmdb
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_stateful.log*]
sourcetype = trackme:custom_commands:trackmestateful
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmesplkoutliersexpand.log*]
sourcetype = trackme:custom_commands:trackmesplkoutliersexpand
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmesplkflxexpandextra.log*]
sourcetype = trackme:custom_commands:trackmesplkflxexpandextra
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_setcurrent_dcounthost_stream.log*]
sourcetype = trackme:custom_commands:trackmesplksetcurrentdcounthost
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_adaptive_delay.log*]
sourcetype = trackme:custom_commands:trackmesplkadaptivedelay
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id, trackme_indexed_kv_object
TZ = UTC

[source::...trackme_return_maintenance_kdb.log*]
sourcetype = trackme:custom_commands:trackmereturnmaintenancedb
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_decision_maker.log*]
sourcetype = trackme:custom_commands:trackmedecisionmaker
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmesplktags.log*]
sourcetype = trackme:custom_commands:trackmesplktags
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmesplkpriority.log*]
sourcetype = trackme:custom_commands:trackmesplkpriority
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmesplkslaclass.log*]
sourcetype = trackme:custom_commands:trackmesplkslaclass
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_general_health_manager.log*]
sourcetype = trackme:custom_commands:trackmegeneralhealthmanager
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_get_collection.log*]
sourcetype = trackme:custom_commands:trackmegetcoll
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_testperf_get_collection.log*]
sourcetype = trackme:custom_commands:trackmetestperfgetcoll
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_get_logicalgroups.log*]
sourcetype = trackme:custom_commands:trackmegetlogicalgroups
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmehashobject.log*]
sourcetype = trackme:custom_commands:trackmehashobject
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_get_kos.log*]
sourcetype = trackme:custom_commands:trackmegetkos
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_check_backups.log*]
sourcetype = trackme:custom_commands:trackmecheckbackups
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_feeds_delayed_inspector.log*]
sourcetype = trackme:custom_commands:trackmesplkfeedsdelayedinspector
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmetestremoteaccounts.log*]
sourcetype = trackme:custom_commands:trackmetestremoteaccounts
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=0
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmefieldsquality.log*]
sourcetype = trackme:custom_commands:trackmefieldsquality
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmefieldsqualityextract.log*]
sourcetype = trackme:custom_commands:trackmefieldsqualityextract
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmefieldsqualitygensummary.log*]
sourcetype = trackme:custom_commands:trackmefieldsqualitygensummary
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmefieldsqualitygendict.log*]
sourcetype = trackme:custom_commands:trackmefieldsqualitygendict
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmepushdatasource.log*]
sourcetype = trackme:custom_commands:trackmepushdatasource
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmeexpandtokens.log*]
sourcetype = trackme:custom_commands:trackmeexpandtokens
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_splk_fqm_parse.log*]
sourcetype = trackme:custom_commands:trackmesplkfqmparse
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

[source::...trackme_trackmeyamlpath.log*]
sourcetype = trackme:custom_commands:trackmeyamlpath
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
CHARSET=UTF-8
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
EXTRACT-log_level = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d*\s(?<log_level>\w*)\s
TRANSFORMS-trackme_indexed_fields = trackme_indexed_kv_tenant_id
TZ = UTC

# search_telemetry
# Splunk generates date time parsing erros with the search telemetry due to a timestamp missing in the second json payload of a same json generated
# This seems to be a Splunk core issue with telemetry and the root cause was not idenfitied
# however, this can be workaround with a source based stanza forcing the a date time config

[source::.../var/run/splunk/search_telemetry/...trackme...telemetry.json]
TRUNCATE = 99999
DATETIME_CONFIG = CURRENT