Hello Splunkers! I am having difficulties with my nullQueue configuration when trying to exclude rows with JS, CSS, and images. Trying the regex in the Splunk search works fine, but the events are still indexed by Splunk. My setup is a single Splunk instance and the conf files are in /etc/system/local. Inputs.conf [monitor://C:\Users\admin\Desktop\test.log] disabled = false host = bla sourcetype = Transform_Test TRANSFORMS-null= setnull Transforms.conf [setnull] REGEX = (?m)^.*(gif|css|js|jpg|png|ico)\s.*$ DEST_KEY = queue FORMAT = nullQueue What to exclude: 192.168.1.3 - - [09/Sep/2015:09:35:46 +0200] "GET /work/js/abc.js HTTP/1.1" 200 41162 392 192.168.1.3 - - [09/Sep/2015:09:35:46 +0200] "GET /work/images/test.gif HTTP/1.0" 200 135 20 What to include: 192.168.1.3 - - [09/Sep/2015:09:35:44 +0200] "POST /bla/abc.jsp?target=layout!ba!searchForm&eventName=Search HTTP/1.1" 200 184359 1832621 When changing the regex to \[sshd\] and make an event [sshd] in the logfile, the event isn't excluded as well. So it doesn't look like an problem with the regex. Does someone have any idea? ... View more

Hello Splunkers, We have a problem with our Splunk installation. Its a simple platform, Splunk 6.2 on one computer running Ubuntu Linux. The problem we are experiencing is that its not possible to read out license usage report. Daily usage and percentage is working correctly. Even if we show the license report the today tab is working, but when we switch to the Previous 30 days tab its not generating anything. I've looked up the _internal index, but it's empty. Also I tried the following steps: Installed new version of Splunk and copied etc settings needed to run with the same settings as before We have the Splunk database on a different location, after new installation switched to the new location the indexes started with an underscore were disabled, so we enabled them again After that we cleaned the _internal and _audit database from the CLI But still there is no data in all the indexes starting with an underscore. Does anyone have a clue? ... View more

Hello Splunky's, I'am working on a project and want to correlate a couple of id's on different logs and got the time it has taken from earlest event to latest event. This is the input: SMTP 2013-12-04 09:00:00 Verwerking SMTP id=1203 2013-12-04 09:00:20 Verwerking SMTP id=1205 2013-12-04 09:00:21 Verwerking SMTP id=1503 CORE 2013-12-04 09:00:01 Verwerking CORE IN=1203, OUT=adf 2013-12-04 09:00:21 Verwerking SMTP IN=1205, OUT=sda 2013-12-04 09:00:25 Verwerking SMTP IN=1503, OUT=yuis POP3 2013-12-04 10:00:50 Verwerking POP3 id=adf 2013-12-04 09:00:26 Verwerking POP3 id=sda This is the search query I fire at this moment. host=SMTP1 OR host=CORE1 | eval sameID=coalesce(SMTPID,IN) | stats latest(_time) as lt earliest(_time) as et by sameID | eval durationIN = lt - et | appendcols [SEARCH host=CORE1 OR host=POP3 | eval sameOUT=coalesce(pop3ID,OUT) | stats latest(_time) as lt2 earliest(_time) as et2 by sameOUT | eval durationOUT = lt2 - et2] | eval durationTotal=durationOUT+durationIN | table durationTotal durationIN sameID durationOUT sameOUT Problem with this is that when POP3 hasn't a id witch CORE does have there's a 0 reported witch actualy should not show 0 but NULL. In one short centence: I want to have the avarage lead time from the first step to the latest. Other problem is that it does not give one number, I want to have an average number for al the steps. Who can help me with this problem? ... View more