Also, be sure to put these configs in the props/transforms on the heavy forwarder and not the indexer. ... View more

I think you are close to what you want to but there is one (maybe more) error. One error was the spaces that you had in the regex, also specifying ".*^Type=Success Audit" in the regex is unnecessary. I also modified the sourcetype name in the props.conf stanza (are you actually collecting the logs via WMI?) Try this: props.conf changes [WinEventLog:Security] TRANSFORMS-set=setnull transforms.conf changes [setnull] REGEX=(?mi)^EventCode=(4674) DEST_KEY=queue FORMAT=nullQueue ... View more

A heavy forwarder can filter logs but what I think you want is to forward the logs, in their entirety, to the indexer, using a universal forwarder. The indexer component of Splunk then stores and indexes the logs so they can be parsed, searched, have alerts generated from, etc from the search head (note that the search head could be the same physical device as the indexer, in a small environment). Splunk provides awesome documentation that can get you started (I use it frequently myself 😉 😞 http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunkTutorial ... View more

You could utilize syslog if you do not want to install a forwarder on the linux/unix systems in question. Best practice would be to setup a host, running a syslog daemon, such as rsyslog or syslog-ng (a syslog aggregator). This host would also have a Splunk forwarder on it, to read and forward the logs collected from your "agentless" systems. ... View more

Take a look at this app, it should help in your quest: http://splunk-base.splunk.com/apps/64805/splunk-dashboard-examples ... View more

You can specify the sourcetype in a few places. On the forwarder, in inputs.conf: [monitor://path to log file] sourcetype=log4j OR On the indexer, in props.conf: [source::full path to log file] sourcetype=log4j ... View more

Your description is a bit confusing. You say that "the inputs on the index was set to log4j", do you mean that the inputs.conf file on the forwarder, within the stanza collecting this file, has a line that says "sourcetype=log4j"? ... View more

It's possible that there is another inputs.conf file that is overriding your inputs.conf file. Run the following command to check the active configuration: $SPLUNK_HOME/bin/splunk cmd btool inputs list --debug A further description of the tool is here: http://docs.splunk.com/Documentation/Splunk/5.0.2/Troubleshooting/Usebtooltotroubleshootconfigurations ... View more

Which browsers have you tried? ... View more

Be careful of changing the settings via the GUI if you are utilizing deployment server in your environment. ... View more

You can also get the most recent value of a particular field using the "first" function in stats: ... | stats first(X) ... View more

NetApp's Data OnTap OS uses a syslog.conf file to configure the syslog daemon. I think you can just use this syntax to forward to a different port on the remote server: *.* @remotehost:12345 ... View more

Although you have a field name of Counter32, are you also seeing field names with this format? "ifOutDiscards.2" ... View more

Yes, you are getting the default key/value pairs because of the '='. Try this regex in place of yours: IF-MIB::(.+)\s=\s\w+:\s(\d+)$ ... View more

I made a few assumptions about the props.conf. Just to be sure, is the props.conf on the indexer? Does the stanza for the checkpoint data have the correct name to match the sourcetype? Can you post the entire stanza for checkpoint? It's always best to be explicit. Maybe something like this: [checkpoint] TIME_PREFIX = ^(?:(?:[^\s]+)\s){5} TIME_FORMAT = %d%b%Y %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 25 LINE_BREAKER = ([\r\n]+) SHOULD_LINEMERGE = false ... View more

Try this as your time prefix: TIME_PREFIX = ^(?:(?:[^\s]+)\s){5} ... View more

FYI, you can either escape the slashes in your answer or highlight the "code" portion of your answer and click the "code sample" (1s and 0s) button on the formatting menu. ... View more

Hi there- I'm not sure what you've tried already but you have several options: You can utilize Splunk's lookup functionality by: a. write the data you want to save out to a csv file, using the outputlookup command, http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputlookup b. read the data back in from the file using the inputlookup command, http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputlookup Schedule the search that you've created, to extract your values, and choose to write them to a summary index. You can then search that summary index for the relevant values. Although option 2 is valid, it may be overkill, depending on how you want to manage your data. I would start out with the first option and see if that does what you need it to. ... View more

runDuration is what you want to get the full time that the search took. Toward the top of that report window (Execution costs), there is a further breakdown to see where time was spent during the search, which can help you to optimize your searches. There is of course additional information in the referenced search.log file, in case you need to refer to the raw data that the report is drawing from. ... View more