I have not made any props.conf changes before, so looking for some help please / thanks. I am pulling tomcat logs and Splunk is splitting up XML into multiple files because of the embedded times stamps within the XML. Can you tell me the best way to stop this? Time stamps within the XML should be ignored. Specifically in the example - ignore timestamp after <ClientDt> and <ServerDt> Thanks for the help. --- example snip of log --- 2015-08-07 11:54:13 [DEBUG] (com.somedomain.pbj.impl.dao.CommonBaseDao.java:195) - Engine URL: http://someserver:8080/WebServiceEngine/services/WSEngine/invoke 2015-08-07 11:54:13 [DEBUG] (com.somesomain.pbj.impl.dao.CommonBaseDao.java:174) - #### Response Xml #### <?xml version="1.0" encoding="UTF-8"?><ACORD xmlns="http://www.some.org/standards/some/some/xml/somemore"> <SignonRs> <Status> <StatusCd>0</StatusCd> <StatusDesc>Annonymous public user accepted.</StatusDesc> </Status> <CustId> <SPName>PBL</SPName> <CustLoginId>PUBLIC</CustLoginId> </CustId> <ClientDt>2015-08-07T11:54:13</ClientDt> <CustLangPref>ENG</CustLangPref> <ClientApp> <Org>internet</Org> <Name>COMML</Name> <Version>1.6</Version> <Env>qua</Env> </ClientApp> <ServerDt>2015-08-07T11:54:13</ServerDt> <Language>ENG</Language> </SignonRs> <PageRs> <RqUID>4DF230E0-1945-60D8-B80F-AE1BA2576488</RqUID> <TransactionResponseDt>2015-08-07T11:54:13</TransactionResponseDt> <MsgStatus> <MsgStatusCd>Success</MsgStatusCd> </MsgStatus> <CommlLocationGetRs> <MsgStatus> <MsgStatusCd>Success</MsgStatusCd> </MsgStatus> <Location> <ItemIdInfo> <AgencyId>1</AgencyId> </ItemIdInfo> <SubLocation> <ItemIdInfo> <AgencyId>1</AgencyId> <UnitNumber>1</UnitNumber> </ItemIdInfo> <SubLocationName>some location</SubLocationName> <Addr> <Addr1>some address</Addr1> <City>some city</City> <StateProvCd>some state</StateProvCd> <PostalCode>some zip</PostalCode> </Addr> <com.somedomain>10252</com.somedomain> <com.somedomain>1</com.somedomain> </SubLocation> </Location> </CommlLocationGetRs> </PageRs> </some> ... View more

Installed the latest update for Splunk Add-on for Unix and Linix (5.1.2). After restarted I clicked on the app and it gave the following - "The "Splunk Add-on for *Nix" app has not been fully configured yet. This app has configuration properties that can be customized for this Splunk instance. Depending on the app, these properties may or may not be required." I clicked continue to add setup page - where there are the enable / disable options. I click save, and it just refreshed to the same page.... Cant get past this. Any idea's - if not Ill open a ticket with support. Thanks John ... View more

Had a server that rebooted this weekend and the Universal Forwarder Service did not start. I want to get alerts about this, so after some digging - it looks like deployment monitor can do this. I have set up a 15 min cron job to look for dm_missing_forwarders But now I am getting emails on a server that we shut down temporarily. Can anyone tell me - what the dm_missing_forwarders is looking for - it states "A missing forwarder has connected at some point in the past, but has not connected in the last 24 hours" Does "at some point" mean any time at all? How do we exclude servers from this list? If there are better suggestions on how to monitor services (within splunk) please let me know. I have some other monitoring tools, but don't want to load agents on my servers if I can use splunk. Basically all I want is... If a host has sent events in the last 24 hours, but you have nothing from it in the last hour, send an alert. If (event count from * host in timespan 24h > 0) and (event count from * host in timespan 1h <0) then send alert If my logic is correct, a search like this would be if the host has been active in the last 24 hours, but in the last hour you have received nothing - then send email. Thanks for your help ... View more