Hello, any news from anyone about this subject? Your Microsoft ticket maybe, snrlopez? ... View more

Oh, it works! If I get it right: this is permitting to change ALL services into their uppercase writing, and so resolving my problems, and you're just having "count(service)" as "count" so you don't have to rewrite "count(service)" in the sort...? Thanks a lot for your help!! (one "L" only to my nickname - no offense, I say it to absolutely everybody 😛 ) ... View more

Centos 5.5 GNU/Linux 64bits (a virtual machine), using splunk 5.0.2 ... On a side note, I've installed a local pdf printer so I can print webpages into PDF documents, and it won't print the timecharts at all. If your solution can work, I'll look into it starting today. (I was sick the days before, sorry) ... View more

Well, if you're talking about this one : http://splunk-base.splunk.com/apps/22348/pdf-report-server-install-on-linux-only then I've been told yesterday by splunkers on the IRC channel that this app' was a nightmare to debug, and was often having glitches, so, "a last resort solution", they said. Anyway, I already have it installed for months, and it's not permitting anything... If not talking about this one, then I'm very eager to hear your solution. This would simply permit me to use advanced XML, so... would be excellent! ... View more

So both answers to my 2 first questions are "no" ? And there is NO way to print PDF from Advanced XML? ... View more

Thank you for your answer, jonuwz. I've tried to apply what you linked me. But when I change the < dashboard> to a < form>, I can't print a PDF anymore. And of course it seems I can't put a < form> into a < dashboard>, nor keep it a < dashboard> with this < input> in it. If anyone knows what I could do to solve that... I don't know why, but when I tried to show you the problem of displaying the 31 days at once, it didn't happen... Considering it solved until it happens again, then I'll compare (again) the XML. ... View more

Thank you for your answer, jonuwz. I've tried to apply what you linked me. But when I change the < dashboard> to a < form>, I can't print a PDF anymore. And of course it seems I can't put a < form> into a < dashboard>, nor keep it a < dashboard> with this < input> in it. If anyone knows what I could do to solve that... I don't know why, but when I tried to show you the problem of displaying the 31 days at once, it didn't happen... Considering it solved until it happens again, then I'll compare (again) the XML. ... View more

Just to get it very clearly; does it mean that processing 501M in a day is exactly the same to license violation than processing 50G ? So, it means that lancealotx in his case, and me in mine, should start processing all the data at midnight of a day and hope it processes it fast enough to eat all the 36G (in his case) in the same day, so that only 1 license violation occurs? If that's not how it works, please explain, I will then need help on this. Thanks for any answer! ... View more

Well, I've commented using "#" ; ILOVEPANDA point convinced me. I tested with other sources; no data duplication today... And, more importantly, I've let the previously duplicated data come in again : it's not duplicated anymore now. I'm starting to think this was an attack on our customer... But if anyone has any idea of what ELSE it could be, maybe any error from my configuration of splunk, just tell me, please! ... View more

Dave > I had the impression that yes, it's sending from the start again, but from what I see, it's just duplicating the events happening at the very moment they appear... Yes, it's UDP sent on port 10000, for the example I've tried and shut off as soon as I discovered I was at 89% of the licence usage. The events received by splunk are syslogs. kristian > well, sorry to ask, but: why? It seems ";" is working; any side effect I wouldn't have noticed? edit : yes, sadly, this is the exact SAME event the 335 times. I'm trying with other sources now, to see if it's gonna happen again... ... View more

Let me sum up a second; I thank dmaislin_splunk for his answers, now I know "where Splunk for Fortigate gets his data". My problem now is that I don't know how to both get my data in the index I want AND force their type to fortigate (with those conditions: all my sources come from the same host, on the same port, I separate them with the device_id). My configuration of transforms.conf seems bad, and I can't get it right, even after tons of tests. I need something that would be like [force_fortigate_sourcetype] DEST_KEY = MetaData:Sourcetype, _MetaData:Index REGEX = [device_ID]|[TheOtherDevice_ID] FORMAT = Sourcetype::fortigate, Index::index3 ... View more

Hello, I'm on the sleeping IRC channel. All my sources are coming from the same host, I cannot index them using host; so I'm using device_id. I'm testing tons of transforms.conf configurations to set the sourcetype to fortigate AND the index to index3. I've not found how to do it yet - and I now perfectly know this splunk documentation page: http://docs.splunk.com/Documentation/Splunk/5.0.1/Admin/Transformsconf I'd need something like [force_fortigate_sourcetype] DEST_KEY = MetaData:Sourcetype, _MetaData:Index REGEX = [deviceID]|[OtherDeviceID] FORMAT = Sourcetype::fortigate, Index::index3 ... View more

Okay, now I got a little result; I removed "index3" from the list under stanza [fortigate] in props.conf, now I receive data from source3 in index "main", which actually sounds logical as in transforms.conf there is nothing in stanza [force_fortigate_sourcetype] to precise where to put the data. How would I put it again in index3? I don't get much how those "DEST_KEY" and "FORMAT" work (yes, AFTER reading documentation), as they can define sourcetype or index... I guess not both..?.. ... View more

So, here is what I changed; removed the 2 stanza [index3] in transforms.conf, put the stanza [force_fortigate_sourcetype] with what you said, but REGEX = [aDevice_ID]|[anotherDevice_ID] . Added in props.conf : [syslog] TRANSFORMS-force_sourcetype_for_fortigate = force_fortigate_sourcetype By the way, another thing: the source1 and source2 are fine with Splunk for Fortigate dashboards, but of type fortigate_traffic too (just like source3) in my Search examples. ... View more

I'm sorry to use "answer question" as a way to post, but this wouldn't fit in a "comment". So, here I am; I did the change in transforms.conf, I receive the logs in the right index, then, It's not found by Splunk for Fortigate, for example in Traffic dashboard. Let's say this : I got 3 types of fortigate data coming into port 514. Source 1, source 2, source 3; they are separated into index1, index2, index3. Index1 and index2 are perfectly working, and Splunk for Fortigate shows their results in its dashboards. Data of index3 should be shown as well, and it isn't. When I go in "full report" in Splunk for Fortigate, then change the search into "index=index3", it finds the data, which has the type "fortigate_traffic" by the way. When I do sourcetype="fortigate_traffic" , it shows only data from index1 and index2. If i do sourcetype="fortigate_traffic" AND index="index3", it shows the same result than index="index3". Here is how my files look. The setnull is used because there are 2 other sources I'd like not to index, otherwise the 500 Mb/day would be blown up. The first [index3] you see is the one I just added according to the documentation I read that you headed me to. props.conf : [fortigate] TRANSFORMS-fw_index = index1, index2, index3 TRANSFORMS-null = setnull transforms.conf : [setnull] REGEX = [hereisaDevice_ID]|[hereisanotherDevice_ID] DEST_KEY = queue FORMAT = nullQueue [index3] FORMAT = sourcetype::fortigate DEST_KEY = MetaData:Sourcetype [index1] DEST_KEY = _MetaData:Index REGEX = [hereisanotherDevice_ID] FORMAT = index1 [index2] DEST_KEY = _MetaData:Index REGEX = [yetanotherDevice_ID] FORMAT = index2 [index3] DEST_KEY = _MetaData:Index REGEX = [hereisagainaDevice_ID]|[anotherDevice_IDagain] FORMAT = index3 (There are even more things I could explain that are related to this, but it would be seriously even longer and more complicated, and I think the problem I showed here is "enough" already.) So, what am I doing wrong? I seriously don't get it. edit : oh. Time for me to post, you posted already. Reading and trying what you said. Thanks! ... View more

Maybe I expressed myself in a wrong way, so, 1. I cannot and must not change the port for any data incoming on splunk, 2. This sounds like a solution, I'm going to try to apply this right now. Thanks a lot for your help! ... View more

Thank you for your answer. But with such a configuration, isn't ALL the data coming to the set port going to be recognized as sourtype=fortigate? If yes, it will be a problem, because one of the obligations I got is: all data is received on port 514, and some of the data isn't only of fortigate type. So far, I used props.conf and transforms.conf to index my data using the device_id of each firewall, successfully. ... View more

Well my enterprise cannot and doesn't want to access to the clients' servers, in (very) short. This might change in the future though, so, I'll use this "question" again here if needed. Thanks for the information, you've been much help! ... View more

And with such configuration, I would be able to use some parts of the menus and such with graphical statistics and reports? Very little question, by the way : would the PDF reports have any chance to work? (I know the little trick with XML file and autoRun="true" to put in) Thank you a lot, I will post again here in next days if needed. ... View more

Oh my, it works. Wonderful job, Kristian. Thanks so much! ... View more