Thanks. 2.0.6 Chris ... View more

Yep, I removed the extra stuff and just have: [*] Keep getting 11/16/2015 10:12:39 [WARNING] [health.py] The user [foobar] is not allowed to use health logger. My healthlog.conf in the default directory looks like this: [default] ## PY - any python function health logger ## DB - dbx2 python proxy health logger ## JP - java dbx2 proxy health logger # do not leave spaces within items loggers = PY,DB,JP hiddens = SESSION_KEY,QUERY [admin] hiddens = SESSION_KEY [nobody] Any other ideas? Tx Chris ... View more

HI, do you mind sharing your exact syntax? i added: [*] hiddens=SESSION_KEY to: Splunk\etc\apps\splunk_app_db_connect\local\healthlog.conf and I still have the same issue. Thanks. Chris ... View more

Hmm, that did work for me. In testing I have the following field in EPOCH, that I know is "2015-09-15T13:56:00" CreatedDate:1442339760000 Doing the following search: basesearch |eval mytime=strftime(CreatedDate,"%c") "mytime" came back as "Fri Dec 31 23:59:59 9999" Thanks Chris ... View more

Thanks. I'm not sure this solves my issues. Anyway, I did find a work around by doing calculated fields that override the same field name that used to display EPOCH time. Like below is a MS SQL Datetime stamp field: strftime(TransactionInterval/1000,"%Y-%m-%dT%H:%M:%S.%3N") Unfortunately, I have to do this for every date or time field and remove microseconds or something else if its a different type of MS SQL date format. Seems like there could be a config that says display EPOCH or human readable. Tx Chris ... View more

Hmm, I tried this and its not working. Something wrong with my syntax? I did have to put in a second "search" after the "[" for the subquery to get past a splunk error thown ("Unknown Search Command index"). index=myindex source=mysource Description=mydescription | eval eid=_cd | search [ search index=myindex source=mysource Description=mydescription | streamstats count by _raw | search count>1 | eval eid=_cd | fields eid] Thank you! Chris ... View more

I'm baffled. Seems like it could be related to any file directly on the indexer. So now I'll just focus on splunk.log Running the tail process I see: file position 12955579 file size 12955579 parent $SPLUNK_HOME\var\log\splunk\rpc.log* percent 100.00 type open file Seems like it always stays open with subsequent calls to the tail process several minutes later and the file position does not change. When I search the indexer (index=_internal source=D:\srvapps\splunk\var\log\splunk\splunkd.log) the last event in the indexer was 40 minutes old, but when I look directly at the file on the server, I clearly see events as recent as a few minutes ago. When I restart Splunkd, evertything works fine for an hour or so, then stops again. Any events from the forwarder, DBX or monitored UNC path files are indexed in a timely manner. Any where else I should look? Thanks Chris ... View more

Thank you for your reply. This made me dig more and I noticed that some directory's were being archived. Then with more reading I saw recurse = [true|false] * If true, recurse directories within the directory specified in [fschange]. * Defaults to true. Hence, changing recurse=false, really reduced the i/o read time. Thanks! Chris ... View more

Thanks. db_connect_admin is part of the admin role. The user is me, "admin". Admin role shows the below. Imported capabilities db_connect_create_connection db_connect_create_dblookup db_connect_create_identity db_connect_create_resource_pool db_connect_delete_connection db_connect_delete_dblookup db_connect_delete_identity db_connect_delete_resource_pool db_connect_execute_query db_connect_read_app_conf db_connect_read_connection db_connect_read_dblookup db_connect_read_identity db_connect_read_resource_pool db_connect_read_rpcserver db_connect_request_metadata db_connect_request_status db_connect_update_connection db_connect_update_dblookup db_connect_update_identity db_connect_update_resource_pool db_connect_update_rpcserver db_connect_use_custom_action db_connect_write_app_conf Does not make sense.... Chris ... View more

Ah , that was it, I needed "chart", not "stats" Thank you! Chris ... View more

This didn't work. it made it close, but did not group the Place. For the same place, it duplicated a row for each SubTotal. This is what I'm looking for on one row: Place, SubTotal1, SubTotal2, SubTotal3, Grand Total. Thanks for your help. Chris ... View more

Hmm, but I can't figure out how to do that in a search query. For example, considering I have 3 sales types for each Place named, subTotal1, SubTotal2 and SubTotal3, executing this query will return mysearch | lookup salesID_lookup SalesID as SalesID OUTPUT Place, SalesType | stats sum(SalesRevenue) as SalesTypeTotal by SalesType SubTotal1 1000 SubTotal2 1200 SubTotal2 1100 What I want is: Place, SubTotal1, SubTotal2, SubTotal3, Grand Total. Where Grand Total is the total of all the SubTotals for each Place. Hope I'm explaining it correctly. Thank you Chris ... View more

Driving me batty, With the source name of : \server001\folder$\MyLogService150515-03.log I did: [source::\\server001\folder$\MyLogService*.log] Still no go. grrr. Chris ... View more

Thanks, I tried that and its still not working. This was a typo with me masking the real text. I validate my regex here: https://regex101.com/#python to make sure my entire source is captured. Baffled.... Chris ... View more

I also changed the source to a full regex. Tested the regex is working correctly. Still not applying the Transforms. I can only get the Transforms to work by using the the sourcetype, baffled with source is not working. In Props: [source::.server\d+.folder\$.MyLogService\d+-\d+\.log] TRANSFORMS-grtrash = setnull , setparsing, badError, badError2 The source: \server001\folder$\MyLogService150515-03.log Thanks Chris ... View more

Thank you very much for the response. I'm going to dig into both suggestions! Chris ... View more