I have 3 servers which process web service calls and are being indexed by Splunk. I specified their index in the inputs.conf on the forwarder as index=uvtrans and their sourcetype is ATG_Message_Log .. So now I see in Splunk 2 different sources coming in named WinEventLog.Application and WinEventLog.System which are in index=main which means their index was not specified on the forwarder so it defaults there. I'm looking in Splunk_Home/etc/system/local/inputs.conf on all 3 boxes and I do not see anywhere where WinEventLog is located. I've looked through all the conf files and cannot find it. Does Splunk index EVERYTHING on that server regardless if it's been specified in my conf files? How can I exclude the WinEventLog sources from being indexed by Splunk? ... View more

I have a forwarder on 3 different servers which grabs all the data coming from those servers. There is 1 specific sourcetype and source both called 'WinEventLog:Application' which we do not want indexed. Where in the forwarder do I exclude this source/sourcetype from being indexed? ... View more

I have search inside a dashboard which shows a table of IP Address | JSession Count | Browser | Web Request .. I have well over a million rows within my table and I included a search box which the user will search for an IP and it will return the other data I listed above from the table. Now I need to accelerate this process so the historical data is cached and can be loaded up quickly. I tried turning my search into a report and accelerating it but got the " Your report doesn't qualify for acceleration" message.. I removed the timerange picker and tried again and got the same message. The only thing I can think of is, that it's due to not having a transform command, but I am confused as I have a STATS command in my search. If all else fails can I accelerate the data model? Here's my search index=access OR index=main | transaction RTG_JSession | search RTG_IPmain=* | table RTG_IPmain RTG_WebRequest RTG_Browser | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain | sort -count | rename RTG_IPmain AS "IP Address" | rename count AS "JSession Count" | rename "values(RTG_Browser)" AS "Browser" | rename "values(RTG_WebRequest)" AS "Web Request" ... View more

I currently have a dashboard which shows the IP Address | Web Request | Browser | JSession Count I want to create a search box where the user can enter the IP Address into and Splunk will filter the results in the table based on that IP Address and show the Web Request | Browser | JSession Count So far I currently have 3 panels at the top of my dashboard, one is a drop down for the time frame, the next one is a submit button, then a text box where the user can enter the IP Address. I have a text box, but when I hit the submit button, nothing happens. I suspect that it's not tied to the query properly so it doesn't know what to search. Can anyone help me fix this so I'm able to filter through the table displayed? Here's my xml that I have so far <form> <label>Click Fraud</label> <fieldset autoRun="true" submitButton="true"> <input type="time" searchWhenChanged="true"> <default> <earliestTime>-15m</earliestTime> <latestTime>now</latestTime> <search> <query>index=access OR index=main | transaction RTG_JSession | table RTG_IPmain RTG_WebRequest RTG_Browser | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain | sort -count | rename RTG_IPmain AS "IP Address" | rename count AS "JSession Count" | rename "values(RTG_Browser)" AS "Browser" | rename "values(RTG_WebRequest)" AS "Web Request"</query> <earliest></earliest> <latest></latest> </search> </default> </input> </fieldset> <row> <panel> <table> <search> <query>index=access OR index=main | transaction RTG_JSession | table RTG_IPmain RTG_WebRequest RTG_Browser | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain | sort -count | rename RTG_IPmain AS "IP Address" | rename count AS "JSession Count" | rename "values(RTG_Browser)" AS "Browser" | rename "values(RTG_WebRequest)" AS "Web Request"</query> <earliest>-15m</earliest> <latest>now</latest> </search> <option name="wrap">true</option> <option name="rowNumbers">true</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="count">10</option> </table> </panel> </row> </form> ... View more

I have a table with 3 fields (IP Address, Web Request, and Browser used).. How can I add a column to that table to count the frequency of IP addresses? I suspect that I have to change my search around because the IP Addresses are listed multiple times, so I think I have to make them list one time then add a column to count the occurrences. So can someone help me add a column to count the number of times the IP is clicked Here's my search index=access OR index=main | transaction RTG_JSession | table RTG_IPmain dc(RTG_IPmain) RTG_WebRequest RTG_Browser | where isnotnull(RTG_IPmain) ... View more