thanks , that worked for me ! ... View more

thank you , this query was very helpful. ... View more

i had similar errors . i was able to resolve it by changing the replication port number. the issue was that , i had replication port and the receiving port as the same ( 9997) . after i dedicated port 9887 for replication under server.conf ( [replication_port://9887]) and restarted indexers and cluster master , the issue was resolved . ... View more

for a wide variety of logs please check out this site https://ossec-docs.readthedocs.io/en/latest/log_samples . you can then use eventgen app in splunk to generate runtime logs based off these samples. ... View more

you can point universal forwarder (ay host is UF1) to deployment server ( say host is DS1) in couple of ways . option 1) using the command splunk set deploy-poll on UF1 example : ./splunk set deploy-poll DS1:8089 this will create a deploymentclient.conf under etc/system/local. within this file you can set the paramters that you mentioned earlier ( phoneHomeIntervalInSecs) option 2) you can create an app ( or push it from the deployment server) and place it under UF1 . deploymentclient.conf should be part of your app , example : /etc/apps//local/deploymentclient.conf on a UF1 you can check to see which deployment server your UF is pointing to by running the below command. ./splunk show deploy-poll ... View more

in your inputs.conf add the stanza as shown below : [WinEventLog://Application] disabled = 0 ... View more

Thanks i was able to break the lines with LINE_BREAKER =()\<plane\> . Agreed my title was misleading. what i was trying to convey is that my data does not have any return character at the end of each line. By using the line_breaker , i was able to break up the rather long line of data into individual events. ... View more