These sort of messages generally points to bad install of forwarder. such that Splunk is installed/owned by Root, but running account is different. Therefore, you internally get these sort of messages as access denied,or can't rename etc. ... View more

If you are new to Splunk software and don't know how searches, reports, and dashboards work, your best first step is to go through the Search Tutorial. It walks you through the entire workflow with sample data. ... View more

MuS, you are amazing. 🙂 ... View more

Do click "Accept" on the answer that you judge is the best. ... View more

see the section Create advanced filters with 'whitelist' and 'blacklist' in http://docs.splunk.com/Documentation/Splunk/6.2.6/Data/MonitorWindowsdata for details ... View more

Here is an example of filtering out events that include the string 'Teardown' 12:26:35.000 PM 2015-08-10T12:26:35-04:00 host-706-zz-ASA5520-A : %ASA-6-305012: Teardown dynamic UDP translation from inside:10.1.1.1/51971 to outside:x.x.x.x/51971 duration 0:00:31 on your heavy forwarder: $SPLUNK_HOME/etc/system/local props.conf [host::xyz] TRANSFORMS-null = nullteardowns transforms.conf [nullteardowns] REGEX = Teardown DEST_KEY = queue FORMAT = nullQueue restart heavy forwarder after the change. Note: if this is syslog data , and you are filtering on host , use the host name of the syslog server itself as this will be processed before the actual host name of the sending device is assigned. ... View more