See the link below with similar requirement (except that this post is filtering based on EventCode) http://answers.splunk.com/answers/47168/windows-event-log-filter-attempt-failing Also, note the fact that this changes have to be done on Indexer as you're using Universal Forwarder. ... View more

Take a look at the recipe and server.conf template: https://github.com/rarsan/splunk_cookbook/blob/master/recipes/server.rb#L117 https://github.com/rarsan/splunk_cookbook/blob/master/templates/default/server/server.conf.erb#L12 ... View more

GOOD POINT! Each indexer should be getting 5GB/day which is then duplicated 2x to 10GB/day. DERP. I fixed the math. Thanks @martin_mueller! ... View more

Hi ajaysamantbms, the problem with this kind of question is always the same: if this will work in your setup with your data must be tested by yourself and therefore only you will be able to answer if this will work for you or not. the conf files look ok and the regex matches your XML data. So go ahead and test it 😉 cheers, MuS ... View more

| rex field=params ".((\w+:\"(?.)\"^.*" ... View more

Er, well, no. Your events will be broken where you've indicated, i.e. like this; Event 1: <transaction>ffffff</transaction> ABCD EFG Event 2: <access></access> WERT SDF Thus you should consider whether these are the types of event that you want. Btw, do they even contain timestamps? As for the second part of your setup, the nullQueueing will work, but maybe not as you've expected. The ordering of the transforms is correct - all events (the regex dot) get queue=nullQueue in the first transform, but since all events (at least according to your sample events) will also match on the second transform, they get the queue set back to indexQueue . In short, the order of the transforms matters since each event for your sourcetype will pass through all transforms - in order - before being processed further. If you want to filter out parts of an event, you should probably look at some other options, like SEDCMD. Perhaps this can be of use; http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Anonymizedatausingconfigurationfiles Hope this helps, K ... View more

It works the other ways, it's a pull from the deployment-client to the deployment-server. so make sure that the forwarders can access the deployment server on management port (default is 8089 tcp). ... View more

Well, your search isn't filtering out anything, so it will certainly have all the events from gatewaylogs1. I have updated the search. But not sure yet if it will work. ... View more

well, if you only have two servers, it does not really matter which way you slice it. Either you have 2 apps; app1: c:\test1\ + perfmon app2: c:\test2\ + perfmon + registry or you have 3 apps; app1: perfmon app2: c:\test1\ app3: c:\test2\ + registry deploy them accordingly with serverclasses. ... View more