Yes, Shift-F5 also fixed it for me. But importantly, deleting the IE cache using the Internet Options dialog box did not. ... View more

I cleared my browser cache and this did not fix it. But somewhere in that thread someone made the comment of holding the control key while refreshing the page in Chrome. I tried holding the shift key in IE, and that seems to have resolved it. ... View more

I tried clearing my browser cache in IE and this did not fix it. But then I tried refreshing the page while holding the shift key, and that seemed to fix it for me. ... View more

Another user confirming the issue remains in IE on Win7 after clearing browser cache. Chrome seems to be fine. ... View more

Bingo, thanks for this response. ... View more

Resizing the timeline did not fix for me, but disabling Accelerated 2D canvas did. So this is a known issue in versions prior to 6.4? Is it published anywhere? ... View more

Thanks for the reply. As I mentioned, the message I noted above is only part of a much larger message. The beginning of the message has a timestamp, which Splunk seems to be identifying correctly. But I have BREAK_ONLY_BEFORE_DATE = true, so I don't understand why Splunk would also break at these #012 characters. Clearly the part of the message before those characters is not a timestamp. I am pretty green, so I opened a support case asking for some assistance and education, but support has been very unhelpful. What makes this so complex to me is that these messages are also processed by the Cisco ISE TA. My input applies a sourcetype=syslog, but when I view the messages, they have a sourcetype=cisco:ise:syslog. Being inexperienced, I am not quite clear on how this transition happens. But I can tell you that both my syslog sourcetype and cisco:ise:syslog sourcetypes both have BREAK_ONLY_BEFORE_DATE = true. ... View more

Solid answer. Worked for 6.3.3. Thanks! ... View more

I got this error starting Splunk: Undocumented key used in transforms.conf; stanza='x_bluecoat_proxy_primary_address' setting='SOURCE_KEY' key='x_bluecoat_proxy_primary_address' ... View more

Thank you for your response. I really don't understand Splunk well enough to create fields, and am having a very difficult time understanding these config files. All the fields I see were created by the BlueCoat TA that I have installed. The field that has value I want use for Host is named x_bluecoat_proxy_primary_address. But I'm not sure how to describe to you how it is created - I wish I could. ... View more

Thanks for your response. Here is a raw event: 2016-07-07 19:39:53 31 172.20.176.110 200 TCP_NC_MISS 202 3848 GET http sync.tidaltv.com 80 /genericusersync.ashx ?dpid=1205/ user521 - - sync.tidaltv.com - "Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0" - OBSERVED "Web Ads/Analytics" - 192.168.15.21 SG-HTTP-Service The BlueCoat TA is extracting 192.168.15.21 into a field named x_bluecoat_proxy_primary_address. This is the value I would like to use for Host. And when I read the doc for transforms, I saw this about SOURCE_KEY: If starts with "field:" or "fields:" the meaning is changed. Instead of looking up a KEY, it instead looks up an already indexed field. For example, if a CSV field name "price" was indexed then "SOURCE_KEY = field:price" causes the REGEX to match against the contents of that field. It's also possible to list multiple fields here with That's why I tried what I did. But I am really, really confused and frustrated by these config files, so I really have no idea if what I want to do is even possible. ... View more

That wasn't what you posted initially, which is why I asked the follow up. But I understand your revised regex, and you're right, that's a good idea. Thanks for bringing it up for consideration. ... View more

This seems odd to me because maciep's answer was right, not mine. ... View more

The first character in the line I want to ignore is a #, so that regex would not match. ... View more

Again, great reference - thank you. You were right, I had the stanzas in the wrong place. I don't see a way to convert your comment to an answer, so I wasn't sure what to do. If you know how, and care about the credit, let me know and I'll be happy to do it. Thanks again for a really helpful answer. ... View more

maciep was right - I had the correct stanzas, but in the wrong place. Here is the corrected versions. Thank you very much!!! Universal Forwarder: props.conf [source::/logs/proxy/SG_proxyna_SIEM__1920629171951.log.gz.processed] NO_BINARY_CHECK = true invalid_cause = archive unarchive_cmd = gunzip -c -f -S .processed Indexer: props.conf [source::/logs/proxy/SG_proxyna_SIEM__1920629171951.log.gz.processed] TRANSFORMS-comments = setNull TRUNCATE = 20000 TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 19 Indexer: transforms.conf [setNull] REGEX = ^# DEST_KEY = queue FORMAT = nullQueue ... View more

Actually I am a new Splunk admin and I struggle quite a bit understanding which parameters go where. I found that comment to really helpful - thanks. I'm working on the config files now... ... View more

I should have mentioned this in my original post - I have the props and transforms on a universal forwarder. I will try moving the conf files to the indexer and post the results. ... View more

Yep, that's the answer, thank you very much. This shows me how much I have to learn - that query is more complex than I expected it to be. Thanks again! ... View more