Hello Experts, I am facing difficulty at index time fields extraction. My sample log file format: Time stamp: Fri Mar 18 00:00:49 2022 File: File_name_1 Renamed to: Rename_1 Time stamp: Fri Mar 18 00:00:50 2022 File: File_name_1 Renamed to: Rename_1 Time stamp: Fri Mar 18 00:00:51 2022 File: File_name_1 Renamed to: Rename_1 Time stamp: Fri Mar 18 00:00:52 2022 File: File_name_1 Renamed to: Rename_1 Time stamp: Fri Mar 18 00:00:53 2022 File: File_name_1 Renamed to: Rename_1   props.conf [ demo ] CHARSET=AUTO LINE_BREAKER=([\r\n]+) MAX_TIMESTAMP_LOOKAHEAD=24 NO_BINARY_CHECK=true SHOULD_LINEMERGE=true TIME_FORMAT=%a %b %d %H:%M:%S %Y TIME_PREFIX=^Time stamp:\s+ TRANSFORMS-extractfield=extract_demo_field TRUNCATE=100000 transforms.conf [extract_demo_field] REGEX =^Time stamp:\s*(?<timeStamp>.*)$\s*^File:\s*(?<file>.*)$\s*^Renamed to:\s+(?<renameFile>.*)$ FORMAT = time_stamp::$1 file::$2 renamed_to::$3 WRITE_META = true   ... View more

Hi Experts, I am getting error during I tried to create new ms-sql connection on my Splunk server (i.e Amazon Linux 2). Connection Type: MS-SQL Server Using MS Generic Driver With Windows Authentication JDBC URL : jdbc:sqlserver://xx.xx.xxx.xx:1433;databaseName=master;selectMethod=cursor;integratedSecurity=true ERROR : This driver is not configured for integrated authentication. ClientConnectionId:d3c9028f-187a-492f-89da-68dfceadceb1 Java version on my splunk server : java version "1.8.0_201" Splunk DB Connect version: DBX:3.1.4 Splunk Server OS: Amazon Linux 2 AMI The driver present in my machine are:   ... View more

Hi Experts,   Please suggest where I can downloaded Splunk Universal forwarder for Window server 2008 (Window version 6.0 Build 6003 Service pack 2).   In https://www.splunk.com/en_us/download/universal-forwarder.html the oldest version is Windows 8.1, and 10 Windows Server 2008 R2, 2012, 2012 R2, and 2016   Thanks in advance.  ... View more

Hi Experts, I am new in SNMP / snmp_ta app. I am facing difficulty to convert MIB to python module. build-pysnmp-mib: command not found libsmi2pysnmp: command not found  My OS details: NAME="Amazon Linux AMI" VERSION="2018.03" ID="amzn" ID_LIKE="rhel fedora" VERSION_ID="2018.03" PRETTY_NAME="Amazon Linux AMI 2018.03" ANSI_COLOR="0;33" CPE_NAME="cpe:/o:amazon:linux:2018.03:ga" HOME_URL="http://aws.amazon.com/amazon-linux-ami/" and  in my system I have pysnmp.__version__ 4.4.12   ... View more

Hi Experts, My splunk indexer server are running out if memory, its main reason are  /opt/splunk/var/run/searchpeers /opt/splunk/var/lib/splunk/_introspection /opt/splunk/var/lib/splunk/_internaldb /opt/splunk/var/lib/splunk/kvstore  Indexer _introspection, _internaldb,  kvstore have default setting, its data are not move in cold and frozen bucket. Please suggest what can I do to create space at my server ?     ... View more

Hi experts, I try to restart our splunk server, but its not start. Earlier I try to start from UI, but it not start. I also try to reboot if using CLI, but dont see any thing on console I am using Splunk 7.2 in AWS EC2 instance (Amazon 1) , I am using splunk on that environment from last one year. $SPLUNK_HOME/bin/splunk -version $SPLUNK_HOME/bin/splunk -version Splunk 7.2.6 (build c0bf0f679ce9) uname -a Linux abcdXyz 4.14.123-86.109.amzn1.x86_64 #1 SMP Mon Jun 10 19:44:53 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux strace /opt/splunk/bin/splunk start execve("/opt/splunk/bin/splunk", ["/opt/splunk/bin/splunk", "start"], [/ 50 vars /]) = -1 ENOEXEC (Exec format error) write(2, "strace: exec: Exec format error\n", 32strace: exec: Exec format error ) = 32 exit_group(1) = ? +++ exited with 1 +++ ... View more

Hi Experts, I try to ingest data from a mount point, in that path all files are log rotate and moved to .gz format on daily basis. But my splunk ingest only that file that already converted into .gz file. So before 24 hours I don't find latest logs. Please suggest how i get latest logs in the Splunk. Sample conf files are : inputs.conf : [monitor:///data/production/logs/JobBatch/documents] disabled = false index = logs_jobbatch sourcetype = JobBatch whitelist = (zipDocument_[\d]+.log.gz|zipDocument_[\d]+.log) props.conf : [JobBatch] DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = false category = Custom disabled = false pulldown_type = true BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s{1}\d{2}:\d{2}:\d{2}.\d{3}\s{1} HEADER_FIELD_LINE_NUMBER = 9 TRUNCATE = 750000 MAX_EVENTS = 1000 BREAK_ONLY_BEFORE_DATE = SHOULD_LINEMERGE = false ... View more

Hi Experts, Please suggest how to join two Splunk index output. I have two indexes in first index i want to fetch only that data that occurred in holiday list occurrence-date field index=monitor index=holiday_list earliest=0 latest=now| dedup OCCURRENCEDATE| table OCCURRENCEDATE ... View more

Hi Experts, Please suggest how to connect splunk_app_db_connect (i.e present in a Splunk-HF) with db instances of Oracle-11g and Oracle-12c both. Its working fine with 12-c instances but show error while connect 11-g instances. Error: java.sql.SQLException: ORA-00604: error occurred at recursive SQL level 1 ORA-01882: timezone region not found ... View more

Hi Experts I am getting below error : java.sql.SQLException: ORA-00604: error occurred at recursive SQL level 1 ORA-01882: timezone region not found Its working fine for oracle 12c servers but show below error while execute on 11g servers. ... View more

Hi Experts, I try to automate db_inputs.conf files entries. For this I try to copy DB_inputs.conf file of one env to another env and update its two fields of each stanza (input). That two fields are: connection = NewConnection host = new:host:IP But the new db_inputs.conf are not visible from Splunk UI. Please suggest what I need to correct ? Do I need to make any entry also in /metadata/ local.meta ? ... View more

Hi Experts, In my NFS server, Splunk UF is installed. That NFS server is basically a log storage server, log rotation daemon also running on that server that convert file to gzip file after 24 hours, in same location. NFS server is a single server, and it have really big amount of data. But some time my UF don't forward some files data from NFS server to my Indexers server. Many files remain missing in my Splunk indexers. Following parameters are same for many of the sourcetype in props.conf ( Yes, many events are really big) TRUNCATE = 20000 MAX_EVENTS = 512 BREAK_ONLY_BEFORE = < [Set] > Please suggest how I improve my UF performance. ... View more

Hi Experts, In my tabular dashboard i want to redirect into another URL in row click. index = generic| table resource , owner, results_link , date, timeHMS I want to redirect my page that come in results_link, and I result_link field not visible in table dashboard. for this i try: <dashboard> <label>xyz</label> <row> <panel> <table> <search> <query>index = generic| table resource , owner, results_link , date, timeHMS</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">50</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <fields>["resource" , "owner", "date", "timeHMS"]</fields> <drilldown> <link>$click.value2|n$</link> </drilldown> </table> </panel> </row> </dashboard> ... View more

Hi Experts, I want to store alert search result and the following token in Lookup file app = $app$ description = $description$ name = $name$ owner = $owner$ results_link = $results_link$ search = $search$ trigger_date = $trigger_date$ trigger_timeHMS = $trigger_timeHMS$ trigger_time = $trigger_time$ severity= $alert.severity$ ... View more

Hi Experts, How to make any Splunk app visible to only for certain group? For example Splunk DB connect app visible only for DBA or monitoring openshift visible only for devops ... View more

Why I am getting invalid Stanza error in SplunkEnterpriseSecuritySuite, its *.conf.spec file is present in README sub-folder ? I downloaded this app from splunkbase. Checking conf files for problems... Invalid key in stanza [app_imports_update://update_es] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 8: app_regex (value: (appsbrowser)|(phantom)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)). Invalid key in stanza [app_imports_update://update_es] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 9: app_exclude_regex (value: sideview_utils). Invalid key in stanza [app_imports_update://update_es] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 10: app_include_list (value: Splunk_DA-ESS_PCICompliance,DA-ESS-ContentUpdate). Invalid key in stanza [app_imports_update://update_es] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 11: apps_to_update (value: (SA-.*)|(Splunk_SA_.*)). Invalid key in stanza [app_imports_update://update_es_da] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 22: app_regex (value: (appsbrowser)|(phantom)|(search)|(SA-.*)|(Splunk_SA_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)|(SplunkEnterpriseSecuritySuite)). Invalid key in stanza [app_imports_update://update_es_da] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 23: app_exclude_regex (value: sideview_utils). Invalid key in stanza [app_imports_update://update_es_da] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 24: app_include_list (value: Splunk_DA-ESS_PCICompliance,DA-ESS-ContentUpdate). Invalid key in stanza [app_imports_update://update_es_da] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 25: apps_to_update (value: (DA-ESS-.*)|(Splunk_DA-ESS_.*)). Invalid key in stanza [app_imports_update://update_es_main] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 34: app_regex (value: (appsbrowser)|(phantom)|(splunk_instrumentation)|(search)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)). Invalid key in stanza [app_imports_update://update_es_main] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 35: app_exclude_regex (value: sideview_utils). Invalid key in stanza [app_imports_update://update_es_main] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 36: app_include_list (value: Splunk_DA-ESS_PCICompliance,DA-ESS-ContentUpdate). Invalid key in stanza [app_imports_update://update_es_main] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 37: apps_to_update (value: SplunkEnterpriseSecuritySuite). Invalid key in stanza [dm_accel_settings://Application_State] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 61: acceleration (value: false). Invalid key in stanza [dm_accel_settings://Authentication] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 65: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Certificates] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 69: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Change] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 73: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Change_Analysis] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 77: acceleration (value: false). Invalid key in stanza [dm_accel_settings://Domain_Analysis] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 81: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Email] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 85: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Endpoint] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 89: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Incident_Management] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 93: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Intrusion_Detection] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 97: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Malware] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 101: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Network_Resolution] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 105: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Network_Sessions] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 109: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Network_Traffic] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 113: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Performance] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 117: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Risk] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 121: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Splunk_Audit] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 125: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Ticket_Management] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 129: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Updates] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 133: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Vulnerabilities] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 137: acceleration (value: true). Invalid key in stanza [dm_accel_settings://Web] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 141: acceleration (value: true). Invalid key in stanza [configuration_check://confcheck_app_exports] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 147: default_severity (value: INFO). Invalid key in stanza [configuration_check://confcheck_app_exports] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 148: required_ui_severity (value: WARN). Invalid key in stanza [configuration_check://confcheck_app_exports] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 149: suppress (value: ). Invalid key in stanza [configuration_check://confcheck_app_exports] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 150: debug (value: False). Invalid key in stanza [configuration_check://confcheck_es_deprecate_apps] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 154: default_severity (value: INFO). Invalid key in stanza [configuration_check://confcheck_es_deprecate_apps] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 155: required_ui_severity (value: WARN). Invalid key in stanza [configuration_check://confcheck_es_deprecate_apps] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 156: suppress (value: ). Invalid key in stanza [configuration_check://confcheck_es_deprecate_apps] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 157: debug (value: False). Invalid key in stanza [configuration_check://confcheck_es_identity_correlation] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 161: default_severity (value: INFO). Invalid key in stanza [configuration_check://confcheck_es_identity_correlation] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 162: required_ui_severity (value: WARN). Invalid key in stanza [configuration_check://confcheck_es_identity_correlation] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 163: suppress (value: ). Invalid key in stanza [configuration_check://confcheck_es_identity_correlation] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 164: debug (value: False). Invalid key in stanza [configuration_check://confcheck_es_correlationmigration] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 168: default_severity (value: INFO). Invalid key in stanza [configuration_check://confcheck_es_correlationmigration] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 169: required_ui_severity (value: WARN). Invalid key in stanza [configuration_check://confcheck_es_correlationmigration] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 170: suppress (value: ). Invalid key in stanza [configuration_check://confcheck_es_correlationmigration] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 171: debug (value: False). Invalid key in stanza [configuration_check://confcheck_es_migrate_investigations] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 175: default_severity (value: INFO). Invalid key in stanza [configuration_check://confcheck_es_migrate_investigations] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 176: required_ui_severity (value: WARN). Invalid key in stanza [configuration_check://confcheck_es_migrate_investigations] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 177: suppress (value: ). Invalid key in stanza [configuration_check://confcheck_es_migrate_investigations] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 178: debug (value: False). Invalid key in stanza [configuration_check://confcheck_es_migrate_reviewstatus_transitions] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 182: default_severity (value: INFO). Invalid key in stanza [configuration_check://confcheck_es_migrate_reviewstatus_transitions] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 183: required_ui_severity (value: WARN). Invalid key in stanza [configuration_check://confcheck_es_migrate_reviewstatus_transitions] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 184: suppress (value: ). Invalid key in stanza [configuration_check://confcheck_es_migrate_reviewstatus_transitions] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 185: debug (value: False). Invalid key in stanza [configuration_check://confcheck_es_sync_investigation_xrefs] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 189: default_severity (value: INFO). Invalid key in stanza [configuration_check://confcheck_es_sync_investigation_xrefs] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 190: required_ui_severity (value: WARN). Invalid key in stanza [configuration_check://confcheck_es_sync_investigation_xrefs] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 191: suppress (value: ). Invalid key in stanza [configuration_check://confcheck_es_sync_investigation_xrefs] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 192: debug (value: False). Invalid key in stanza [configuration_check://confcheck_es_app_version] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 196: default_severity (value: INFO). Invalid key in stanza [configuration_check://confcheck_es_app_version] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 197: required_ui_severity (value: WARN). Invalid key in stanza [configuration_check://confcheck_es_app_version] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 198: suppress (value: (Splunk_TA_|TA-)). Invalid key in stanza [configuration_check://confcheck_es_app_version] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 199: debug (value: False). Invalid key in stanza [configuration_check://confcheck_es_conf_cleanup] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 203: default_severity (value: INFO). Invalid key in stanza [configuration_check://confcheck_es_conf_cleanup] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 204: required_ui_severity (value: WARN). Invalid key in stanza [configuration_check://confcheck_es_conf_cleanup] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 205: suppress (value: ). Invalid key in stanza [configuration_check://confcheck_es_conf_cleanup] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 206: debug (value: False). Invalid key in stanza [configuration_check://confcheck_es_event_seq_running_templates] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 210: default_severity (value: INFO). Invalid key in stanza [configuration_check://confcheck_es_event_seq_running_templates] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 211: required_ui_severity (value: WARN). Invalid key in stanza [configuration_check://confcheck_es_event_seq_running_templates] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 212: suppress (value: ). Invalid key in stanza [configuration_check://confcheck_es_event_seq_running_templates] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 213: debug (value: False). Invalid key in stanza [add_to_investigation] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/workflow_actions.conf, line 12: link.ir_override (value: #add_to_investigation). Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug' Bad regex value: '(?<queries_in_queue>[\.\d]+) queries \in queue', of param: props.conf / [mysql:errorLog:mysqld_safe] / EXTRACT-queries_in_queue; why: unrecognized character follows \ One or more regexes in your configuration are not valid. For details, please see btool.log or directly above. Done Checking default conf files for edits... Validating installed files against hashes from '/opt/splunk/splunk-8.0.1-6db836e2fb9e-linux-2.6-x86_64-manifest' All installed files intact. Done All preliminary checks passed. ... View more