I have the following custom log file
2016-07-15_05:58:57.5857-est label="adbcf" lastmodifiedtime="2016-07-15_05:58:57.5857-est" filename="13948.xml" directory="d:\temp" operation="deleted" size_in_bytes=434493
2016-07-15_17:57:18.5718-est monitor_label="abcd" lastmodifiedtime="2016-07-15_17:57:18.5718-est" filename="late123" directory="d:\temp" operation="created" size_in_bytes=673639
I am able to ingest into Splunk, however when i search for operation="deleted" i did not get the result.
when i search with "deleted" i am able to get the result. operation="created" returns results.
In the interesting field it only shows "created" value for operation even though both created and deleted are present in the results.
Is there anything that could be done in the custom log differently to make Splunk include the "deleted"
| timechart span=1h count by operation gives only created and ignores deleted.
Thanks in advance.
↧