I am trying to alter how much data I am getting from my universal forwarder. The configuration I have is UF -> HF -> Indexer -> SH . I am getting a lot of data sent from the UF to the HF, and want to restrict what the HF sends to the indexer. Therefore, I am trying to create a filter using the props.conf and transforms.conf on the HF. So far, I have received some suggestions from the community, but I am still having troubles. I want only messages that contain 'warning' to be sent from the HF to the Indexer (for this certain sourcetype, that is). The sourcetype is 'marimba'. I will show you what I currently have in my configuration files. inputs.conf [monitor://C:\Windows\.marimba\MarimbaEndpointTuner\history-y*.log] disabled=0 sourcetype = marimba props.conf [marimba] TRANSFORMS-mfilter=filter-marimba,remove-marimba transforms.conf [filter-marimba] SOURCE_KEY=_raw REGEX=\]\s-\swarning DEST_KEY=_MetaData:Index FORMAT=main [remove-marimba] SOURCE_KEY=_raw REGEX= . DEST_KEY=queue FORMAT=nullQueue However, I am still not getting anything on my search head. I have confirmed that if I take away the stanzas from props.conf and transforms.conf, I receive the data, with the index 'marimba' and sourcetype 'marimba'. Any ideas? ... View more

I was just poking around to find out why my data had this strange sourcetype history-y2016-m06-d-10 , and when I went to C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local , I found a props.conf and sourcetypes.conf. It's like it has been recording what I have it reading from inputs.conf? What are these files generated for? ... View more

I am trying to sort through certain event logs, and I am noticing that some I am searching for aren't under either System, Security, or Application. Instead, they reside under the Microsoft-specific event folders, such as Microsoft-Windows-ApplicationExperience/Program-Inventory . Is there an easy way to access these? I am already getting the Security, System, and Application ones through inputs.conf. Thanks. ... View more

I am currently trying to use my Marimba data gathered from the Endpoint tuner in Splunk. On my Universal Forwarder, I am placing a monitor on the log file I wish to monitor, and it is being sent correctly to the Indexer. I wish to filter these events on my Heavy Forwarder so that not all of them are sent, since there are certain ones I wish to ignore. Where do I start to do this? I believe it involves props.conf and transforms.conf, but I have had little interaction with both of them. Thanks for any help. Edit Here is an example from the Search Head. This is what is currently being received. [16/Jun/2015:08:54:41 -0500] - warning nce054 50012 Common Reboot Service is disabled. host = C235189 index = main source = C:\Windows\.marimba\MarimbaEndpointTuner\history-y2015-m06-d16.log sourcetype = history-y2015-m06-d-4 I was hoping to maybe only receive alerts with the first word being 'warning', like it is for this one. EDIT I have placed this in my props.conf on my Heavy Forwarder to see if it would label the data with a sourcetype. [source::C:\\Windows\.marimba\MarimbaEndpointTuner\history...] sourcetype = marimba SHOULD_LINEMERGE = true This didn't seem to have an effect. I'm wondering if I did the source incorrectly? AKA it's not finding anything that matches [source::C:\\Windows\.marimba\MarimbaEndpointTuner\history...] ... View more

I have a deployment server that is pushing apps to multiple universal forwarders without issues. Every time that I add an app, however, I have to physically log into the machine that the deployment server resides on, and drag the app from "apps" to "deployment-apps" for it to show up on the "Forwarder Management" tab on Splunk Web. Is there an easier way to do this? I want users to be able to add their own apps to the deployment server without having to log into the actual machine and move files. ... View more

I am getting to the point where I have quite a few Universal Forwarders in my Splunk infrastructure. I was wondering if there was a more simple way of installing/configuring the Universal Forwarders, specifically in inputs.conf. Every change I want to make I have to go through each machines' inputs.conf to alter it. As an infomercial might say, "There's got to be a better way!" Any help appreciated. ... View more

I am trying to get my PowerShell script to be invoked by inputs.conf. My PowerShell script, ScriptTest.ps1, looks like this (borrowed) Get-Process | Where-Object {$_.ws -gt 0MB} | ForEach-Object -Begin { $Owner = Get-WmiObject -Class Win32_Process } -Process { $ID = $_.Id New-Object -TypeName 'PSCustomObject' -Property @{ 'UserName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().User 'DomainName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().Domain 'ProcessName' = $_.ProcessName 'MemoryUsed' = "{0:N2} MB" -f ($_.WS / 1MB) } | Select-Object -Property UserName,DomainName,ProcessName,MemoryUsed } | out-file output.txt My .cmd file is Status.cmd, and looks like @powershell -File H:\MyScripts\ScriptTest.ps1 My inputs.conf looks like [script://$SPLUNK_HOME\etc\apps\SA-ModularInput-PowerShell\Status.cmd] interval = 0 sourcetype = winperf index = main So essentially, I was expecting that when I restarted the service, the output.txt file would be generated. I know the script and command file work because I have ran the command file and the output.txt file was generated. Does anyone know what I am doing incorrectly? Thanks for any help. ... View more