Hi danielbb, Sadly there is no single show them all command in Splunk but have a look at this answer https://answers.splunk.com/answers/293407/how-do-i-show-the-running-configuration-on-my-forw.html#answer-293409 it will show an example to list all Splunk .conf files. With the output you can compare it server by server. Hope this helps ... cheers, MuS ... View more

Hi ricotries, What is the class in that entry? Can it be anything I want, should it tie to what the transform will do or does it have to be related to the stanzas I'll be calling? The class entry needs to be a uniq value that can be set to anything you want, there is no relation to the actual transforms.conf stanza you call. Usually I do something like this : [source::<source>] TRANSFORMS-001-ThisIsMyStanzaName = ThisIsMyStanzaName But it can also be something like this: [source::<source>] TRANSFORMS-PleaseCallThisStanzaInTransforms = ThisIsMyStanzaName Hope this makes sense and helps ... cheers, MuS ... View more

Hi untieshoe, give this regex a try: TIME_PREFIX = LAST_VM_SCANNED_DATE=" Also check on one of the indexer of your config gets applied with this command: splunk btool props list --debug Hope this helps ... cheers, MuS ... View more

Hi 373782073, Give this a try: | makeresults | eval example="abc-servicen.City-backup-1986-01-08-16:00:43-level1.tar" | rex field=example "(?<bkp_filename>[a-zA-Z-\.]+)-(?<bkp_file_date>\d{4}-\d{2}-\d{2})" Hope this helps ... cheers, MuS ... View more

Hi pavanae, If I understand it correctly then you don't match on the macro command `macroNameHere` but just on the string of the name like: | eval macro_match= case(searchmatch("macro_1"),"macro_1", searchmatch("macro_2"),"macro_2", true(), "None") If you intend to call and run a macro this way, I don't think that is possible out of the box ... but might be wrong on that for the latest version of Splunk ¯\_(ツ)_/¯ Hope this helps ... cheers, MuS ... View more

Hi pacifikn, Please run this command instead: /opt/splunk/bin/splunk reload deploy-server It will ask you for a Splunk username that needs the admin role assigned and the password of this user. Hope this helps ... cheers, MuS ... View more

Hi grantlindley, the easiest option would be to modify server.conf on that server and restart Splunk. See the docs for details https://docs.splunk.com/Documentation/Splunk/latest/admin/serverconf#License_manager_settings_for_configuring_the_license_pool.28s.29 or use the CLI command splunk edit licenser-localslave -master_uri https://YourLicenseMaster:8089 see the docs https://docs.splunk.com/Documentation/Splunk/latest/Admin/CLIadmincommands#Commands.2C_objects.2C_and_examples for details Hope this helps ... cheers, MuS ... View more

Hi jordanking1992, I posted that in the slack channel #splunky2k channel: index=* TERM(19) | regex _raw="[\\\/\|-](19)" | rex "(?<myField>[^\s]+19)" | search myField!="*2019*" | stats count by index sourcetype It later got this little enhancement: index=* TERM(19) | eval sample=substr(_raw,0,128), search="index=".index." sourcetype=".sourcetype." TERM(19)" | regex sample="(((?:^|\D)\d{1,2}[-\/]\d{1,2}[-\/]19[^\d])|((?:^|\D)19[-\/]\d{1,2}[-\/]\d{1,2}[^\d])|((?:^|\D)\d{1,2}\s[-\/]\s\d{1,2}\s[-\/]\s19[^\d])|((?:^|\D)19\s[-\/]\s\d{1,2}\s[-\/]\s\d{1,2}[^\d])|((?:^|\D)([a-zA-Z]{3}[- \/]+\d{1,2}[- \/]+19[^:\d]))|((?:^|\D)19[- \/][a-zA-Z]{3}[- \/]\d{1,2}[^:\d])|((?:^|\D)\d{1,2}[- \/]+[a-zA-Z]{3}[- \/]+19[^:\d]))" | stats count last(sample) as sample by search Please be aware that this is a very hungry, resource intensive search! Hope this helps ... cheers, MuS UPDATE modifications to the regex and the substr() uses the first 128 characters of the event. ... View more