Thank you Steve. This helped greatly. ... View more

could you please share your WMI query with us? ... View more

try the inline regex, mysearch | rex field=hop "Error=(?<Error>([^=]*)$)" | table Error then once confirmed working, you can define an automatic field extraction see http://docs.splunk.com/Documentation/Splunk/4.2.5/Knowledge/Managesearch-timefieldextractions ... View more

Maybe you should have written a more detailed initial question 🙂 If you are talking WCF (of which I am no expert) then the retry queues are sub-queues which are just partitions of "real" queues. So you cannot, AFAIK, monitor the retry queues themselves, only the queue they are partitions of. ... View more

This one's pretty much the scripted input you might have written yourself, but with easier config. ... View more

But check for the running jobs, We used this module & could see no data in the dashboards bec of too many jobs running. I am not sure this is bec of the refresh module, but once I clear the jobs I could see the data. So we deleted refresh module, & now it is working very fine. ... View more

host is one of the very few fields assigned at index time, so it works a little differently than most field extractions. The link you already found is the right starting point, but maybe this will help clarify. transforms.conf: [override-hostname] DEST_KEY = MetaData:Host REGEX = ^(\S+) FORMAT = host::$1 props.conf: [ErrorMissingObject] TRANSFORMS-host = override-hostname In transforms.conf, we're telling it to match as many non-space characters as possible at the beginning of a line. Then, assign it to the hosts value. In props.conf, note that you need to use TRANSFORMS-xxx instead of REPORT-xxx , since this is happening at index time. Props.conf is what tells Splunk to actually apply the transform we defined to your data. I'm assuming from your current props.conf that ErrorMissingObject is the sourcetype for these entries. You can just add the TRANSFORMS-host line to what's already there. ... View more

I built an SQL query to load up all recently added cases from your CRM system, to be able to plot case activity in Splunk. I can tell you that it feels very very hard to get linebreaking to work properly for batched data output by custom scripts for some reason. 3 hours of trying, using all the tricks in the book, to no avail. I even went as far as to have my sqlcmd operation output newline separated items, but still proper linebreaking seem to refuse to occur (eventhough that is supposedly the default linebreaker). Ended up rewriting my SQL queries to output only one row per execution and thereafter tell Splunk to invoke the script once a second instead of the originally intended once a minute.... May work for some people. ... View more