I setup splunk heavy forwarder and splunk indexer. I want to filter some event before indexed on splunk indexer. *** Example log, i want to filter 2011-02-05 00:02:00,018 INFO [Cron_SendFaxNTF] - <BEGIN Send Notification Fax...> 2011-02-05 00:02:00,034 INFO [Cron_SendFaxNTF] - <BEGIN Send Notifications...> I try to config both indexer and forwarder but not work!!! *** props.conf [iCIS_log] TRANSFORMS-icisLog = icisLog-null *** transforms.conf [icisLog-null] REGEX = ^\d+-\d+-\d+\s\d+:\d+:\d+,\d+\sINFO.* DEST_KEY = queue FORMAT = nullQueue Help me please !!!! ... View more

Refer splunk version 4.x not support window 2000. So, i installed splunk version 4.1.5 on window xp and config wmi remote monitoring to window 2000 server. I use local user to run splunk then it display error message after wmi query host. Then i use admin domain account to run splunk then i can wmi query host. But i can't found available classes of properties to choose from. after add wmi data input on splunk web. Is there any way to add wmi remote host on window 2000 ? ... View more