This is old article, but I still add one comment how I'm doing it if possible (little bit modified version from @gjanders ' own method). I have plain app from splunkbase without any inputs. Then separate apps like 0xy_<splunkbase_app> for all needed separate configurations and join these into serverclasses. r. Ismo ... View more

If you own the script, update the same to remove these unwanted lines from the output. If that's not possible, you can use event filtering method to drop those lines from indexing http://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/Routeandfilterdatad#Filter_and_route_event_data_to_target_groups https://answers.splunk.com/answers/37423/how-to-configure-a-forwarder-to-filter-and-send-the-specific-events-i-want.html ... View more

Does it have to be spath? If you're open to using xpath instead you could do something like this: | xpath outfield=MemberSid "//*[local-name()='Data' and namespace-uri()='http://schemas.microsoft.com/win/2004/08/events/event' and @Name='MemberSid']" It is indeed a bit more complex of a query, thanks to unprefixed XML namespaces, and the corresponding xpath behaviour as pointed out in this stack overflow answer, but you can get the value of any data element with a specific Name attribute this way. Dummy Test: | makeresults | eval _raw="<Event xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"> <EventData> <Data Name=\"MemberName\">member</Data> <Data Name=\"MemberSid\">ABC</Data> <Data Name=\"TargetDomainName\">domain</Data> <Data Name=\"MemberName2\">member</Data> </EventData> </Event>" | xpath outfield=MemberSid "//*[local-name()='Data' and namespace-uri()='http://schemas.microsoft.com/win/2004/08/events/event' and @Name='MemberSid']" ... View more

This is not possible but it is very easy to do a scripted input (or scripted lookup ) and call them from there completely bypassing DB Connect entirely. ... View more

Hi! We have written the procedure on oracle db named TEST1 its working fine while we run in on Oracle SQL developer. But when trying to run it on Splunk DB connect as EXEC TEST1; or EXEC TEST1 it gives below error. Invalid Query External search command 'dbxquery' returned error code 1. Script output = "RuntimeError: Failed to run query: "EXEC TEST1;", params: "None", caused by: Exception(' java.sql.SQLSyntaxErrorException: ORA-00900: invalid SQL statement\n.',). " Could you please help. ... View more

Hi i am facing the same issue . When i do telnet its showng the connection but not forwarding the data. Below is my error The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 6200 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. ... View more

This worked for me. Thanks for your help. ... View more

Greetings from the future ... Yes, you can specify a host name to be used in props.conf see the docs for more details https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#GLOBAL_SETTINGS cheers, MuS ... View more