Highstakes72

On the license piece, you can get a 10GB/day license if you sign up as a Splunk developer, which would be legitimate in this case. You have to renew the license every 6 months. On the SPL content side, that is easy enough to get help.

Yeah, completely agree the default log structure is garbage. I am thinking of making a python "connector" that will take the initial datetime stamp and then create new composite timestamps using the "seconds" integer field. Then push that into Splunk in a serialized fashion. My group is based out of Tyson's Corner, VA but I am remote in north Texas as I cover some sites across the southwest.

Well, PM me. I can set you up with all you want to know. Prior to joining Splunk I ran a ~6TB/day platform for a fortune 50 company. -Robbie

Gollum, I work for Splunk and I am also a car guy. I use MS3 on my 1972 Turbo 4.8 Nova. Can you share your present work on this topic?