Is the host name in the log directory or part of the file name? If so, here is the doco how to do that: http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/setadefaulthostforaninput Scroll down to "dynamic" to see how to dynamically set the host name dynamically based upon file or directory name. ... View more

Have you tried Report Acceleration? This feature will cache results in HDFS and run a cron job on the back end to update the data. ... View more

Shot in the dark here, but if you are trying to send data to a forwarder from more than 1 host, you can chain forwarders together, which allows you to send data from more than 1 forwarder to another, then send data to an indexer. Having said that, be careful: what you build you must also maintain. Simplicity rules! Here is a link that discusses this: http://answers.splunk.com/answers/129546/chaining-universal-forwarder.html ... View more

from the search, what happens when you run: sourcetype=pan_wildfire_report OR sourcetype=pan_traffic ? ... View more

@seanbrhn3: this sounds like a SharePoint thing. There are some security concerns with IFRAME so some CMS tighten the embedding rules on this. here is a link I found that may help. Please let us know if this works or not. It will not be the last time someone such as yourself runs into this issue: http://lennytech.wordpress.com/2012/10/18/html-field-security-and-usage-of-iframes-in-sharepoint-2013-preview/ ... View more

Here is the updated syntax and related doco link: /splunk search "index=_* audit" -output 'csv' > /var/share/splunk_output/20140724-audit.csv doco link: http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/CLIsearchsyntax ... View more

glad i could help a fellow splunk user! ... View more

Please keep us updated. ... View more

No, forwarders do not lock files. Please see this Answers: http://answers.splunk.com/answers/31301/does-forwarders-put-a-lock-on-a-log-file-while-forwarding Curious: does you script try to put a lock on a file? if the file is open by Splunk, it may be the reason your script is failing. Is this a bash, perl, or python script? ... View more

I have run into this a few times where someone was needing to load an EVT file into Splunk just as you described. The problem is that EVT files are binary. You will need to write some code to convert that file to text (or CSV). If these for one-off situations, such as doing forensics, here is a link I found to some code that will do the conversion; probably not what you were wanting to hear, but maybe others will in the community will have another solution. Here is the link to the code, written in C#: http://www.codeproject.com/Articles/15288/Parsing-event-log-evt-file. You may even try this utility: http://technet.microsoft.com/en-us/scriptcenter/dd919274 Hope this helps. Happy Splunking! --Barak ... View more

Could you please post your login code and maybe someone in the community can test it on their cloud? ... View more

Are you using Django bindings? ... View more

You can try: sourcetype=iis errors | stats count by host | sort -count ... View more