This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 , 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13
You can override Splunk's default multiline event handling rules by editing properties set by source or sourcetype. Complete instructions can be found in the Admin Manual. You can see examples in the example files in $SPLUNK_HOME/splunk/etc/bundles/.
You can train Splunk to recognize timestamps better. Run $SPLUNK_HOME/bin/splunk train dates to teach Splunk the dates to extract from your datasources.
You can specify additional fields to be indexed or extracted at search time in properties configuration files. Instructions can be found in the Admin Manual. You can see examples in the example files in $SPLUNK_HOME/etc/bundles/props.conf.example and $SPLUNK_HOME/etc/bundles/transforms.conf.example.
Yes. There is an anonymizer you can use to maintain confidentiality. Please see the section of our Admin Manual on Anonymizing your Data Samples.
Yes. You will have to configure Splunk to recognize the common field and use the "transaction" search command to connect all events with that field in common. You can see examples in the Admin Manual.
Yes, introduced in Splunk 3.2, we now have support for parsing milliseconds as part of the indexed timestamp field