Don't know if this is the right location to ask this, but i do wonder .... I see that web_access.log is as described below: web_access.log =>> config location \Splunk\etc\system\default\web.conf # HTTP access log filename log.access_file = web_access.log # Maximum file size of the access log, in bytes log.access_maxsize = 25000000 # Maximum number of rotated log files to retain log.access_maxfiles = 5 But for the metrics.log, i only find this: [source::...\\var\\log\\splunk\\metrics.log(.\d+)?] sourcetype = splunkd [source::...\\token_input_metrics.log(.\d+)?] sourcetype = token_endpoint_metrics [source::...\\http_event_collector_metrics.log(.\d+)?] sourcetype = http_event_collector_metrics What and from where should i read more info? Thnx. ... View more

So i have this:     (index=* OR index=_*) (index="GA2014" EventCode=4625) | dedup RecordNumber | rename Account_Name AS EventObject.Account_Name EventCode AS EventObject.EventCode | stats dedup_splitvals=t count AS "Count of Event Object" by "EventObject.Account_Name" | sort limit=100000 "EventObject.Account_Name" | fields - _span | rename "EventObject.Account_Name" AS Account_Name | fillnull "Count of Event Object" | fields Account_Name, "Count of Event Object" | search NOT Account_Name="-"     Resulting into this:     +--------------+-----------------------+ | Account_Name | Count of Event Object | +--------------+-----------------------+ | SQLSERVICE | 1 | +--------------+-----------------------+ | STAFF | 1 | +--------------+-----------------------+ | STUDENT | 1 | +--------------+-----------------------+ | SUPORTE | 1 | +--------------+-----------------------+ | SUPPORT | 2 | +--------------+-----------------------+ | SYMANTEC | 1 | +--------------+-----------------------+     !!!!WITH!!!! These 3 over here:     +---------------+-----------------------+ | Account_Name | Count of Event Object | +---------------+-----------------------+ | АДМИН | 8 | +---------------+-----------------------+ | АДМИНИСТРАТОР | 8 | +---------------+-----------------------+ | ПОЛЬЗОВАТЕЛЬ | 8 | +---------------+-----------------------+     !!BUT!! When i do a search like this:     (index=* OR index=_*) (index="GA2014" EventCode=4625) | dedup RecordNumber | rename Account_Name AS EventObject.Account_Name EventCode AS EventObject.EventCode Workstation_Name AS EventObject.Workstation_Name | bucket _time span=1s | stats dedup_splitvals=t values("EventObject.EventCode") AS "Distinct Values of EventCode" by _time, "EventObject.Account_Name", "EventObject.Workstation_Name", "EventObject.EventCode" | sort limit=10000000 _time | rename "EventObject.Account_Name" AS Account_Name "EventObject.EventCode" AS EventCode "EventObject.Workstation_Name" AS Workstation_Name | fields _time, Account_Name, Workstation_Name, "Distinct Values of EventCode" | search NOT Account_Name="-"     I get this:     +---------------------+--------------+------------------+------------------------------+ | _time | Account_Name | Workstation_Name | Distinct Values of EventCode | +---------------------+--------------+------------------+------------------------------+ | 2020-02-21 01:03:48 | Demo | workstation | 4625 | +---------------------+--------------+------------------+------------------------------+ | 2020-02-21 01:05:57 | Reception | workstation | 4625 | +---------------------+--------------+------------------+------------------------------+ | 2020-02-21 01:09:06 | User11 | workstation | 4625 | +---------------------+--------------+------------------+------------------------------+ | 2020-02-21 01:10:34 | Ieuser | workstation | 4625 | +---------------------+--------------+------------------+------------------------------+     !!Without!!     АДМИН АДМИНИСТРАТОР ПОЛЬЗОВАТЕЛЬ     Nowhere to be seen in sight. Don't know right now if it applies only to these 3 or not, but i searched it with ctrl+f in browser and found nothing .... Honestly, i don't know what name to give to this thread/question. Maybe i can get some advice on this too, if i will be able to rename my thread/question .... P.S.: It's 2 in the mornin' over here, so if i have any typos, it must be the late hour ... ... View more

What i would like to do is to take this form from regedit, and splash it into Splunk. I have exported data from \WMI\Autologger level, put a sort of serial number at each "line" and tried to convert it into .csv When i Add Data and do a index once file, i get this My main request is to be able to do a table with all that information spreaded on multiple columns. Would help me alot. What can i do or moddify in my file so splunk could know what is what and what is going where. Should i leave it like this, or woud be better to be multiple info in the same "row"? Instead of this: I'm thinking more about at this example:  How can i tell Splunk to ket data like this?   Thanks for anyone who reads this time. ... View more

This is my current WMI setup:   [WMI:WinLogSysTst] disabled = 0 event_log_file = System index = winlogsystst interval = 5 server = localhost current_only = 0     How can i tell it to get older data than when i made the input. I get only recent data and not old one. Thnak you. ... View more

I have searched high and low for an answer here and on web, but seems that i can't find a suitable answer.   Did anyone got this error while tring to get data in?     Data could not be written: /nobody/search/inputs/WinEventLog://System/start_from: oldest     I played a bit with System log of windows and at first i used the "Local event log collection" but then changed my mind and changed it to "Remote event log collections". But yet again, first time, using "Local event log collection" i got older data too, second time using "Remote event log collections" i get only newer data. What can i do to reset it? In what file should i look? Thank you. ... View more