We have the same problem on our WS 2003R2 boxes. Are you running the same OS? ... View more

We connected Splunk to the virtual instance, this way it queries the active node. ... View more

TIME_PREFIX = \;[\r\n]+ ... View more

Anytime! Glad I could help. ... View more

Actually, there is an answer similar to this and there is a way to refresh an individual panel http://answers.splunk.com/answers/4263/can-you-refresh-a-single-modulechart-without-refreshing-the-whole-dashboard ... View more

Have you setup a deployment client on another box, your desktop will work. Just set the forwarders to phone home to your desktop/laptop for configs. If that doesn't work, I would say there is more than likely a problem with the forwarders. If it does work, then you will want to run splunk diag on the deployment server and both forwarders and submit a ticket to splunk explaining this. A deployment server should be able to handle about 2500 clients, depending on the amount of CPU's and RAM you have. ... View more

You can use xmllv xmlkv link If that doesn't work for you, | rex field=_raw "Amount\=(?<amount>\d+)\.Discount\=(?<discount>\d+)\.Pay\=(?<pay>\d+)" ... View more

I do not think it is possible to refresh an individual panel inside a view, you can set the entire page to refresh at set intervals though. ... View more

I have never moved the spool to a new location, not to say it is not possible. As far as deleting the events, just shut down splunk, then delete the files from the directory. Make sure you disable the input from dbx that is filling up your drive before restarting splunk. ... View more

send me an email, you can get my contact info by clicking on my username. ... View more

Do you have time for a quick webex? ... View more

Just to clarify, SPLUNK402 is your indexer, correct? ... View more

This means that the index has been disabled. When you go through the Manager console and select indexes, does it say the index is disabled? If so, enable it. ... View more

That "user role" will override your admin role. ... View more

If you are monitoring that exact path twice, one entry will be ignored. You will have to bring them both in with a single monitor stanza, then use props.conf and transforms.conf to distinguish sourcetypes at index time. props.conf [iis_log] NO_BINARY_CHECK = 1 #TRANSFORMS-0_define_sourcetype = iis_sourcetype_transform transforms.conf [iis_sourcetype_transform] SOURCE_KEY = MetaData:Source REGEX = iis_D(d+)-(d+).log DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::adviis Does that help? ... View more

You should be getting a GUID in IIS as well for the session. Use that to create a transaction. That will allow you to see each users entire session, then you can capture the pervious 4 pages viewed from there. ... View more

If you are trying to map roles via AD, which is what I see, you will need to create a new OU that contains all Splunk users not in the other 2 OU's. Splunk is not very great at AD... ... View more

Raw format : DateTime Description Event Type Source Count Desired format : DateTime Source Type Event Description Count | table DateTime Source Type Event Description Count Replace the default value if any value is missing. |fillnull value=your_value field=your_field Also is there any way to store the received data into exernal storage system (db or hadoop).Instead store into Splunk database. Yes, you can install the DBX app and do SQL inserts. The method for doing this, without indexing, is tricky. You essentially use Splunk as an ETL tool. Also is there any way to avoid the indexing on received data? Yes, if you just want to "not index" certain data, and don't need to move it somewhere... you can send it to the nullqueue via the props.conf file. ... View more

Instead of using timechart, try just chart dc(Username) by _time ... View more

Settings>Access Controls>Roles>Admin>Indexes Searched by Default - Add "All non-internal indexes Does that help? ... View more

Why are you calling the saved search twice in the same module set? You should only need to call it once, above the ViewstateAdapter module. ... View more