Apparently after years development, splunk supports your first idea now:
host=SOMEENV* Type=Error NOT EventCode IN (1234, 2345, 3456, 4567, 5678, 6789, 7890)
should work at in 6.5.
Correction: it works from 6.6.
... View more
your final solution did work for me too. I can't explain it and to be honest I don't want to now. fyi, we are using splunk 6.5.2 on CentOS7.
... View more
I got exactly the same problem after upgrading from 2.4.0 to 3.0.0. I just can't get the task server running. I have changed the port, tried different jdk/jre, it doesn't work.
... View more