Hi, I can't get my mind around this issue which is as follows: We have a syslog-ng which dumps data from 100+ network devices to a log directory which then Splunk is set up to monitor and it works perfectly. The problem is that if i disable the data input in Splunk gui it seems to continue indexing for up to an hour after, but it only does so with a few devices, not all of them. Could this be that the data format on certain hosts are unknown for Splunk and that it seemingly continues to log, and that the time stamp is being applied at index time such that it seems like it is still indexing while in reality it just running through the queue of events from before i disable the data input? Kind regards, Eirik ... View more

Hi, I seem to have a hard time to figure out the following: I want to be able to monitor deletion of GPO's and which person who did this. For now i'm able to get the event id's ok (5141), the problem is i only get the DN of the policy. Is there a way for AD to show me display name of the policy instead of only the DN when deleting a GPO? Kind regards, Eirik ... View more