Thank you Hamid.

I discussed similar stuff in below video kzbin.info/www/bejne/gKTLemmAiZtjiNU

Hi Hemnaath, Many thanks for your valuable feedback. The videos are properly sequenced in my splunk how to playlist. So please follow that. Regarding clustering I have a plan to cover splunk admin as well. I will definitely try to cover that. Have a nice day.

Splunk & Machine Learning hi Sidhartha, looking forward to your admin series

Hi Kartiga, I will be starting from next week 🙂. Already planned for it. Sid

Hi Rotimi, Yes I already created those stanzas in props.conf to save time on multiple Splunk restart. Sid

Per my understanding, correct me if I'm wrong. REPORT is like function, and you declare how the function works in transforms.conf. Then, in props.conf, you can always call to the function you defined in transforms.conf. So, write once, can be used in different stanza(s) in props.conf. Then, whenever you want to change, you just make changes once at transforms.conf that particular stanza. Instead of going through every EXTRACT functions to change in props.conf under every applicable stanza.

Hi Prammod, Yes it's in pipeline. I will be posting it soon. Sid

eval is the best way to achieve this. Otherwise you need to go for index time field extraction (INGEST EVAL config) but thats not recommended. Another way could be through data model. If you have datamodel setup for your app then in data model you can do eval so that whenever you query the datamodel the new field will be available.

@@splunk_ml Could you not do that using a calculated field? If A and B have been created using an EVAL or REPORT field extraction then calculated field should follow?

Yes even we can use calculated field here as well. Behind the scene they are eval like statement only so it will be calculated at the search time, so performance wise it will be similar I think.

Hi Yilun, I just tried...its working..are you uploading data3.txt for xmlExtraction (sourcetyrpe = demo)? Sid

@@splunk_ml Thank u for your reply! Yes data3.txt except that I changed all timestamps to 2019 ones so as to avoid _time parsing "out of ... range" error

@@splunk_ml and not only 'xmlExtraction', same error for parameterExtraction and activity_report also

Can you send me the updated file. I will take a look into that.

I am not working in Splunk ☺️

Thanks...Yes of course you can fork..It's open to public.

you will be creating seperate stanza for different sourcetypes in your props.conf. Please remeber you can also apply props settings for source or host level as well. So based on your situation you need to create corresponding stanzas.

string even

You can either keep it app level or system level, at run time splunk always combine app and system level configs to create the final version of the props and transforms.conf The practice I used to follow is when I am keeping those configs at app level I keep it in default, for system level I keep it in local.

Fields extractions are related to props.conf entries and field transforms related to transforms.conf.

@@splunk_ml thank you..we want to create fields fields extractions field transformation calculated fields in Dev environment same like prod.. We can copy props and transform conf from production? That should be good approach right instead of creating manually in dev environment

@@dhanabalanrangasamy9462 yes that should be enough.

Hi Sangeeth, Please find the links below kzbin.info/www/bejne/rGLLe6SAadmMic0 kzbin.info/www/bejne/gnW9YYOBiM6opdk kzbin.info/www/bejne/pqG2qaOwgJemoJo

Not sure why you complain on the presentation. You can clearly see the presenter did a lot of preparation with appropriate data, configuration and examples to be able to present a somewhat complex subject in a concise manner and following a clear logical path. Every piece of information builds nicely on previous so as long as you pay close attention everything makes sense. You can learn a lot in short time. You can clearly see everything that is being shown, and sound quality is good as well. According to your scale the presentation is if not 5, then certainly a very solid 4.