Hi, i am monitoring IIS logs for my environment and i want to ignore the older log files.i just want the files for the last 3 days. here is my inputs.conf [monitor://C:\inetpub\logs\LogFiles\W3SVC2] disabled=false index=fam sourcetype=ms:iis:auto ignoreOlderThan=2d attached are the screenshot for the log file location and output for the list monitor Any help is appreciated Thanks ... View more

Hi i edited the inputs.cinfig file on my forwarder and once i restart splunk etc i see the data on search but it is not readeble. can anyone tell me what i am doing wrong? [default] host = xxxxxxx [monitor://C:\Windows\System32\winevt\Logs*] disabled = false index=xxxxxx followTail = 0 sourcetype = sync i have all the other data coming in fine. Thanks, ... View more

Hi, i am not able to receive any data from my forwarder. It stopped working yesterday.port 9997 is open.connection is established.i can telnet to my server(which is my laptop). here is the error from the splunkd from the forwarder 09-21-2017 15:20:51.293 -0400 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 82200 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. here is my input file from the forwarder server [default] host = HC1xxxxxxCV [monitor://C:\Program Files (x86)..........] disabled = false followTail = 0 sourcetype=Data Import ignoreOlderThan = 6d here is my outputs file from the forwarder [tcpout] defaultGroup = default-autolb-group [tcpout-server://rs1-sbaba-t440.xxxxxxxx:9997] [tcpout:default-autolb-group] disabled = false server = rs1-sbaba-t440.xxxxxxxxxxxxx:9997,rs1-sbaba-t440:9997 [tcpout-server://rs1-sbaba-t440:9997] i checked on my laptop the reeving is enabled this is my input file from the receiver [default] host = rs1-sbaba-t440 [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path] disabled = 0 i read something about internal que being blocked.and set the stopacceptafterqblock attribute on inputs file which i dont see in my receivers inputs file(under local folder)never change the conf files under default folder. i've been banging my head for hours and since i am stuck probably missing something very simple but can't find it.anyhelp is appreciated. this thing was working fine till yesterday and now all of a sudden i am not bale to get data thanks, ... View more

Hi, Here is my search query; index=* sourcetype="WMI:WinEventLog:Application" SourceName="Investran RS Word Processing Service" Message=* | table Message , SourceName _time |dedup _time |sort -_time and this brings up ; So what i am trying to do if possible is,calculate the average time between stop/start.and if that average is greater than lets say 10 mins only bring that results/messages Thanks, ... View more

Hi, i am new to the splunk and i do have a search which returns a service stopped from windows application event log.from the results i can see when the service does not start automatically(usually if there is a gap greater than 1-2 mins between start and stop).service stops and in less than 20 secs it starts back again. here is my search sourcetype="WMI:WinEventLog:Application" SourceName="Word Processing Service" Message="*" and here are the results; 9/7/17 11:08:15.000 AM 20170907110815.000000 Category=0 CategoryString=NULL EventCode=0 EventIdentifier=0 EventType=3 Logfile=Application RecordNumber=264012 SourceName=Word Processing Service TimeGenerated=20170907150815.000000-000 TimeWritten=20170907150815.000000-000 Type=Information User=NULL ComputerName=x wmi_type=WinEventLog:Application Message=Service stopped successfully. 9/7/17 11:08:20.000 AM 20170907110820.000000 Category=0 CategoryString=NULL EventCode=0 EventIdentifier=0 EventType=3 Logfile=Application RecordNumber=264016 SourceName=Word Processing Service TimeGenerated=20170907150820.000000-000 TimeWritten=20170907150820.000000-000 Type=Information User=NULL ComputerName=x wmi_type=WinEventLog:Application Message=Service started successfully. in reality i want to create an alert and when that gap happens and service does not start back in lets say, in 2 mins send an email out.i did find another post about this but not quite the same,or maybe it is the same but like i said i am new to this and was not able to apply it to my case.here is the link for that post https://answers.splunk.com/answers/524252/how-to-get-duration-between-a-start-and-stop-event.html Any help you can provide is greatly appreciated. Thanks ... View more