Splunk

commands

streamstats

used for calculating statistics and adding them as new fields in your search results, based on the order in which the events are encountered.

# current   - option means the current event's value isn't included when calculating ( f = false, t = true)
# window    - limits to just the next event

| streamstats current=f window=1 last(value) as last_value by cve

sourcetype

json

[json]
KV_MODE = json
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+){

“If you set KV_MODE = json, do not also set INDEXED_EXTRACTIONS = JSON for the same source type. If you do this, the json fields are extracted twice, once at index time and again at search time.”

splunk: Configure automatic key-value field extraction

Environment Variables

/opt/splunk/bin/splunk envvars

Split Data from one sourcetype into different indexes

create indexes
i would recommend to create a new app to gather all configfiles in one place
transforms.conf
- define the transformation
- Regex to find the data
- Format defines the Target Index
props.conf
- combines the sourcetype with the transformation
- Transforms- - defines the transformation that will be used on the data
  - key value can be any values you want, it doesn´t matter

# input
## inputs.conf
[monitor://path/to/data]
index = <index>
sourcetype = some_data_sourcetype

# transformation
## transforms.conf
[transformation_for_somedata]
REGEX = <matching_criteria>
DEST_KEY = _MetaData:Index
Format = <target-index>

# sourcetype
## props.conf
[some_data_sourcetype]
TRANSFORMS-index = transformation_for_somedata

Splunk

commands

streamstats

sourcetype

json

Environment Variables

Split Data from one sourcetype into different indexes

source

You may also enjoy

Mastering Field Extraction in Splunk: Quick Guide

Mastering the Tstats Command in Splunk

A Technical Guide to Splunk Data Models