You need to put dollar signs $ around the variable/field you're inserting into the ldap filter. For example, if eventtype=msad-user-logons is returning a field called "user" in the resultset, I could then use an ldapfilter that looks like this: | ldapfilter domain=mydomain search="(objectClass=$user$)" attrs="displayName" ... View more

Do you get any results when you run this search? eventtype=msad-admin-audit NOT src_nt_domain="NT AUTHORITY"| This is the search that populates the Acount Domain and Administrator drop down menus. The EventType msad-admin-audit relies on data from the following nested eventtypes. If you're not getting data back from these searches, then there is a problem with your data ingestion. eventtype=msad-group-changes eventtype=msad-nt5-group-changes sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (EventCode=631 OR EventCode=634 OR EventCode=635 OR EventCode=638 OR EventCode=639 OR EventCode=641 OR EventCode=648 OR EventCode=649 OR EventCode=652 OR EventCode=653 OR EventCode=654 OR EventCode=657 OR EventCode=658 OR EventCode=659 OR EventCode=662 OR EventCode=663 OR EventCode=664 OR EventCode=667 OR EventCode=668) eventtype=msad-nt6-group-changes sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764) eventtype=msad-groupmembership-changes eventtype=msad-nt5-groupmembership-changes sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (EventCode=632 OR EventCode=633 OR EventCode=636 OR EventCode=637 OR EventCode=650 OR EventCode=651 OR EventCode=655 OR EventCode=656 OR EventCode=660 OR EventCode=661 OR EventCode=665 OR EventCode=666) eventtype=msad-nt6-groupmembership-changes sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4746 OR EventCode=4747 OR EventCode=4751 OR EventCode=4752 OR EventCode=4756 OR EventCode=4757 OR EventCode=4761 OR EventCode=4762) eventtype=msad-computer-changes eventtype=msad-nt5-computer-changes sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (EventCode=645 OR EventCode=646 OR EventCode=647) eventtype=msad-nt6-computer-changes sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (EventCode=4741 OR EventCode=4742 OR EventCode=4743) eventtype=msad-user-changes eventtype=msad-nt5-user-changes sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (EventCode=624 OR EventCode=625 OR EventCode=626 OR EventCode=628 OR EventCode=629 OR EventCode=630 OR EventCode=642 OR EventCode=671 OR EventCode=685 OR EventCode=807) user!="*$" eventtype=msad-nt6-user-changes sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (EventCode=4720 OR EventCode=4722 OR EventCode=4724 OR EventCode=4725 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4912) user!="*$" eventtype=msad-account-lockout eventtype=msad-nt5-account-lockout sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=644 eventtype=msad-nt6-account-lockout sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=4740 eventtype=msad-account-unlock) eventtype=msad-nt5-account-unlock sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=671 eventtype=msad-nt6-account-unlock sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=4767 ... View more

A single deployment server running on our reference hardware can handle 10,000+ clients. It all comes down to the size of the bundles being distributed and how quickly you'd like to distribute the configurations. We have a formula to help you figure out how long it will take a single deployment server to distribute configurations to all of your clients: http://docs.splunk.com/Documentation/Splunk/6.3.1511/Updating/Calculatedeploymentserverperformance Yes, if you reduce the phone home interval for deployment clients, that would lower the load on the deployment server and allow you to support more clients. However, it also increases the distribution time for configurations. ... View more

What does your server.conf file look like on the Cluster Master, Indexers (search peers), and search head look like? http://docs.splunk.com/Documentation/Splunk/6.3.1511/Indexer/Enableclustersindetail ... View more

There is nothing stopping you from using Index Clustering and just setting the SF:1 and RF:1. You'll get all of the advantages configuration management across your indexers AND all of your buckets will be ready for clustering should you decide to turn it on someday. With regard to other configurations, you can use something like rsync to synchronize $splunk_home/etc/users and $splunk_home/etc/apps that aren't synchronized by the cluster master. For your forwarders, if you're not using Deployment server, you'll need to use some other kind of configuration management tool like SCCM, Chef, or Puppet. ... View more

This will do what you're looking for: blacklist1 = EventCode="4688" Message="(A new process has been created)(?s).*(splunk-.+mon\.exe)" ... View more

Also, the values above for blacklist1 and blacklist2 should match ... View more

See my comments below under Lisa's answer. I made a mistake above and we actually need to work with a specific set of Keys here, not just the raw event. ... View more

Lisa is totally right, I had forgotten that there are specific keys that we extract for filtering Windows events at the forwarder level. We've got to create RegEx filters for each of those keys. This should work: blacklist1 = EventCode="4688" Message="New Process Name:\s+.*(splunk-winprintmon\.exe)" With this blacklist1 rule, we've got two keys, EventCode and Message. Each of those keys have a RegEx value that is bounded by comma delimiters as required in the spec. I don't believe that matching for the Message key is anchored, however, if it is, we'll probably need to do something like this to match all of the message text prior to "New Process Name": blacklist1 = EventCode="4688" Message="(?s).*New Process Name:\s+.*(splunk-winprintmon\.exe)" However, I'd try the initial RegEx first. Big thanks to Lisa for pointing out that we've got to work with Keys and not just the raw data! ... View more

Yes, you're right. Somehow the formatting got messed up. The line should look like the one you've posted. blacklist3 = (?msi)EventCode=(4688).^.*New Process Name:\s+.(splunk-winprintmon.exe) ... View more

Ok, that looks good...except that I doubt the RegEx in blacklist1 and blacklist2 will match anything ... View more

baf879, as a few people have mentioned, you can also use nullQueue routing on the indexer...however, what you're attempting to accomplish is entirely possible via the method you're using. We just need to fix the RegEx matching for it to work. Let's keep the filtering as close to the data as possible...out on the Universal Forwarder. ... View more

Try this: blacklist3=(?msi)EventCode=(4688).*^.*New Process Name:\s+.*(splunk-winprintmon\.exe).* The carat (^) you were using between (?msi) and EventCode is causing a matching problem. EventCode does not appear at the beginning of your event, its the 5th line. Also, make sure your blacklists are sequential. For example, you should go: blacklist1 blacklist2 blacklist3 not blacklist1 blacklist3 blacklist4 ... View more

The problem you're going to run into is that the App for Windows Infrastructure won't be able to do any LDAP lookups on your data. So dashboards that show you a user's details like Display Name, Phone Number, Location, etc... instead of just a username won't work. ... View more

Where are you writing the JVM logs to on the host? What's the full path? You can use host_regex or host_segment to extract the JVM "hostname" out of the log file path. Splunk would then replace the built-in host field with that value. http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/Inputsconf ... View more

Thats great to hear. As renjith.nair mentioned below, this will only stop new data from coming in. If you want to delete the old data, you can run a search to pull back the old data and then add | delete to the end of the search. A couple of things to note about the delete command, by default you won't have the capability to run the command, you'll need to add this to your role under settings>access controls The delete command also doesn't actually delete the data on disk, it just marks it as deleted so Splunk won't include the data in your results. It won't actually get delete until the underlying bucket rolls off. http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Delete ... View more

You'd need to use the ldapfilter command to pull back the user's Display Name from Active Directory. http://docs.splunk.com/Documentation/SA-LdapSearch/2.1.2/User/Theldapfiltercommand Assuming you're using the msad-failed-user-logons eventtype, you search would look something like this: eventtype=msad-failed-user-logons |ldapfilter domain=$dest_nt_domain$ search="(objectClass=$src_user$)" attrs="displayName" ... View more

From the command prompt, type "set", you should see the environmental variable listed. If you don't see it, follow these instructions to create one: https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sysdm_advancd_environmnt_addchange_variable.mspx?mfr=true ... View more

Ok, you'll need to create a Windows environmental variable for $SPLUNK_HOME. Please set the SPLUNK_HOME variable to C:\Program Files\Splunk ... View more

How are you defining the order of your rows? By time? From your example, it looks like you want to see the earliest col2 value of each col1 series. To get that, you'd do something like this: index="myIndex" sourcetype="myData" | stats earliest(col2) as col2 by col1 If you want to see the last col2 value for each col1 series, you'd do something like this: index="myIndex" sourcetype="myData" | stats latest(col2) as col2 by col1 ... View more

The order of precedence when processing stanzas in props.conf is: source host sourcetype As noted here: http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Propsconf **[<spec>] stanza precedence:** For settings that are specified in multiple categories of matching [<spec>] stanzas, [host::<host>] settings override [<sourcetype>] settings. Additionally, [source::<source>] settings override both [host::<host>] and [<sourcetype>] settings. Consider the following example: The Universal Forwarder is installed on my_server01 and reading opt/myapp/system.log (source) and tagging it with a sourcetype of system_traffic. We have 3 different props.conf files across 3 apps in our $splunk_home/etc/apps folder $splunk_home/etc/apps/my_app1/default/props.conf: [system_traffic] TZ=UTC $splunk_home/etc/apps/my_app2/default/props.conf: [source::opt/myapp/system.log] TZ=America/Los_Angeles $splunk_home/etc/apps/my_app3/default/props.conf: [host::my_server01] TZ=America/New_York Our resulting TZ for opt/myapp/system.log on my_server01 would be: TZ=America/Los_Angeles because the source stanza overrides both the host and the sourcetype stanzas. ... View more