Below is teh query I am using to alert me of excessive hourly usage by a host. Is there a way to modify the first portion of the query "index=_internal source=*license_usage.log" to ignore a specific index? index=_internal source=*license_usage.log | eval lastReceived = _time | rename s as source st as mysourcetype h as host b as bytes o as originator | eval my_splunk_server = splunk_server | fields lastReceived source mysourcetype host bytes pool originator my_splunk_server | stats sum(bytes) as bytes max(lastReceived) as lastReceived by host | eval mbytes=((bytes/1024)/1024) | fields host mbytes lastReceived | stats max(lastReceived) as lastReceived sum(mbytes) as mbytes by host | stats max(lastReceived) as lastReceived first(mbytes) as MBytes by host | search MBytes > 25| sort by MBytes Desc I have tried: (index=_internal source=*license_usage.log) NOT index=other (index=_internal NOT index=other) source=*license_usage.log (index=* NOT index=other) source=*license_usage.log (index=* source=*license_usage.log) NOT index=other All of the above modifications have failed. None of them give any results. I am currently assuming this is because the index=_internal statement is covering all indexes and I am unable to create exceptions for that statement. Can anyone speak to this? thoughts? comments? questions? concerns? Any ideas are greatly appreciated. thanks! ... View more

Synopsis I need to monitor all DHCP and DNS logs on a server. In the DHCP directory I want to view both DhcpSrvLog-DAY.log and DhcpV6SrvLog-DAY.log files as they rotate weekly. In the DNS directory I am fine with reading all the files because it will show me debugging information as well as DDNS entries for each zone. What I've done I have created The below entries in the inputs.conf file on the server with the splunk universal forwarder. [default] host = DaHost [script://$SPLUNK_HOME\bin\scripts\splunk-admon.path] disabled = 0 [monitor://C:\Windows\System32\dhcp] disabled = 0 followTail = 0 index = dhcp sourcetype = ms_dhcpd _whitelist = Dhcp*.log crcSalt = <SOURCE> [monitor://C:\Windows\System32\dns] disabled = 0 followTail = 0 index = win_dns sourcetype = win_dns _whitelist = *dns* crcSalt = <SOURCE> What worked Currently the forwarder is reading my dns logs and the default assigned logs (configured during installation of the forwarder). What is broken There are no DHCP logs currently coming in. This was not always the case. This configuration file worked up until thursday of last week. guesses I am guessing that the regex line is not working for the DHCP files but i am not sure what to change to make it more accurate. Example file names Below are the contents of the directories i am reading in the custom monitor. C:\Windows\System32\dhcp>dir /B backup dhcp.mdb dhcp.pat DhcpSrvLog-Fri.log DhcpSrvLog-Mon.log DhcpSrvLog-Sat.log DhcpSrvLog-Sun.log DhcpSrvLog-Thu.log DhcpSrvLog-Tue.log DhcpSrvLog-Wed.log DhcpV6SrvLog-Fri.log DhcpV6SrvLog-Mon.log DhcpV6SrvLog-Sat.log DhcpV6SrvLog-Sun.log DhcpV6SrvLog-Thu.log DhcpV6SrvLog-Tue.log DhcpV6SrvLog-Wed.log j50.chk j50.log j5003B61.log j5003B62.log j50res00001.jrs j50res00002.jrs j50tmp.log tmp.edb C:\Windows\System32\dns>dir /B backup cache.dns dns.txt perf.qalab.local.dns qalab.local.dns samples sustain.local.dns ... View more