I already know to use whitelist and blacklist, the problem is that those files are touched by different users and they don't use a standard way to name them. The only thing that I am sure is that they reserved this formal format: WEXXXXXXXX.log for official use. Thanks anyway for your response. ... View more

This search provided all the right data. If I look in Statistics I have a table with one row: _raw search NOT () ... View more

It is very interesting your idea, but it didn't work and I am not sure why. The right side search provides all the good data, so basically the Boolean operator NOT should eliminate the good data from the total data leaving only the bad data. ... View more

I don't see how this solve my problem. Could you elaborate or explain more your solution? now()= is the time when the search started oldest = is 1 day before the search request started Basically I need a solution that provides the same results than woodcock's solution but without using eventstat. ... View more

I got the same error. My roles are can_delete, user, power. ... View more

Your command is perfect for selecting the events, but I encountered the following error when added the delete command. Error in 'delete' command: This command cannot be invoked after the non-streaming command 'eventstats'. The search job has failed due to an error. You may be able view the job in the Job Inspector. I am going to retry to run the command, but for some reason it takes so much time to run. ... View more

I have permission to use the delete command, the problem is that I don't know how to select the appropriate data for deleting. ... View more

The only way I have found is deleting file at a time which is very inefficient. ... View more

Ok. That's too bad. But how to make Splunk delete events that has a new version of them? I know about the delete command, but I haven't been successful to select the appropriate data. With the below command I've been able to see the indextime and which files have more than two files for the same source. ... | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | stats count by source| where count>1 ... View more

Hi Is there is a way to include a message at the bottom of each page in SPLUNK web? Just below: About Support File a Bug Documentation Privacy Policy © 2005-2015 Splunk Inc. All rights reserved. ... View more

HI Sorry for taking so much time to respond. At least for second example which is a configuration file the data is being reindexed but I ended up having two files with the same name and same directory. This is not what I want. This is just a configuration file, not a log file, so if this file is modified Splunk should reindexed and replace it for the old one. ...| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")| stats count by source, indextime This command showed that the file is simply reindexed and I ended with two files. I still need to check if this behavior is the same for the first example which is a log file. ... View more

I thought that raby1996 only needed to know how to run two searches at the same time. Please excuse me if anyway I caused any confusion. I see that your answer used also the Boolean operator OR, but your answer is very complete definitely. ... View more

index=blabla | my_search_request OR [index=blabla2 | my_search_request_2] ... View more

Hi I included crcSalt because all the files are very similar and if Splunk thinks they are the same they will not be indexed in Splunk. crcSalt makes sure that all files with different source(location) are indexed into Splunk. Also if I disable crcSalt then new files that are added to the directory will not be indexed. ... | your command output: source: indextime count <directory>/filename1 2015-10-14 14:48:14 1 <directory>/filename1 2015-10-16 10:27:25 1 <directory>/filename2 2015-10-14 14:48:14 1 <directory>/filename2 2015-10-16 10:27:25 1 The output showed that those files were re-indexed the next day causing the problem. I remembered that day I added the crcSalt configuration because I wasn't able to index all the files because of their similarity. Once I added the configuration all files were indexed. Looks like Splunk re-indexed all files even though there were files already indexed with the same SOURCE value. This means that Splunk will ignored whatever is already indexed if the inputs.conf file is changed. Thanks for your help. Now, how could I solve this issue? ... View more

I have only four files of outputs.conf: find ./ -name "outputs.conf" /etc/modules/distributedDeployment/classes/deployable/outputs.conf /etc/system/default/outputs.conf /etc/apps/SplunkLightForwarder/default/outputs.conf /etc/apps/SplunkForwarder/default/outputs.conf file at .../classes/deployable: [tcpout] disabled=false # Replace 'YourDeploymentServerHostname' with the ip-address where your deployment server is running. [tcpout:RouteMetricsToDeploymentServer] disabled=false server=YourDeploymentServerHostname:9997 File at /SplunkForwarder/default: [tcpout] maxQueueSize = 500kb forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_introspection) forwardedindex.filter.disable = false File at /SplunkLightForwarder/default: [tcpout] forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_introspection) forwardedindex.filter.disable = false File at .../system/default. [tcpout] maxQueueSize = auto forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_internal|_introspection) forwardedindex.filter.disable = false indexAndForward = false autoLBFrequency = 30 blockOnCloning = true compressed = false disabled = false dropClonedEventsOnQueueFull = 5 dropEventsOnQueueFull = -1 heartbeatFrequency = 30 maxFailuresPerInterval = 2 secsInFailureInterval = 1 maxConnectionsPerIndexer = 2 forceTimebasedAutoLb = false sendCookedData = true connectionTimeout = 20 readTimeout = 300 writeTimeout = 300 tcpSendBufSz = 0 ackTimeoutOnShutdown = 30 useACK = false blockWarnThreshold = 100 sslQuietShutdown = false [syslog] type = udp priority = <13> dropEventsOnQueueFull = -1 maxEventSize = 1024 ... | stats dc(splunk_server) count by source output: source: dc(splunk_server) count <directory>/filename1 1 2 <directory>/filename2 1 2 <directory>/filename3 1 2 <directory>/filename4 1 2 All dc(splunk_server) values are 1 and I haven't made any change in any of those outputs.conf files. ... View more

There is only one event per file. I'm not using forwarders ( I'm just monitoring a directory in the server) I don't know what indexing acknowledgement is, but I'm not forwarding anything. ... View more

Well it is possible. The command is showing events with the same source(location). The results of the output: source: count <directory>/filename1 2 <directory>/filename2 2 <directory>/filename3 2 <directory>/filename4 2 ... View more

Yes, but I was talking about the invalid field names which are "1000" and "1100" in my example. ... View more

The event cannot be divided because there are relevant information at the beginning of the event related to all the steps. If I divided the steps of the event, then the information in this step would not have any reference of what's about and they would be useless. ... View more

I tried the regex and it doesn't extract anything. Also I read that the name of the group must start with an alpha value. I tried the following first regex inline and it worked. I tried the second one and Splunk displayed an error related with the alpha value issue. ... | rex "STEP:\s+\d+\n(?<myvalue>[\w\W\n]+?)\nSTEP" ... | rex "STEP:\s+\d+\n(?<1myvalue>[\w\W\n]+?)\nSTEP" ... View more