in the future, if an answer solves your problem, please accept it by checking the checkbox (i did it this time :)) ... View more

I have found the following errors in the splunkd log: 07-27-2011 13:44:36.939 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-regmon.exe" --driver-path "C:\Program Files\Splunk\bin"" splunk-regmon - GetDriverHandle: Unable to install driver. 07-27-2011 13:44:36.939 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-regmon.exe" --driver-path "C:\Program Files\Splunk\bin"" splunk-regmon - run_regmon: Failed to initialize Registry Monitor 07-27-2011 13:44:36.939 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-regmon.exe" --driver-path "C:\Program Files\Splunk\bin"" Using logging configuration at C:\Program Files\Splunk\etc\log-cmdline.cfg. 07-27-2011 13:44:36.939 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-regmon.exe" --driver-path "C:\Program Files\Splunk\bin"" Open SC Manager failed! Error = 5 07-27-2011 13:44:36.939 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-regmon.exe" --driver-path "C:\Program Files\Splunk\bin"" Open SC Manager failed! Error = 5 After restarting the service I still got these errors, and yet the CPU has not spiked yet. In my experience the CPU can take up a few hours before it spikes suddenly. Can someone explain what these errors are and if they are possibly causing my problem? ... View more

I would actually recommend making these routing decisions on the indexer w/ the configs specified above, especially if you are not using deployment server. ... View more

Thanks, that's got me working again. It's unfortunate that there's no backward compatibility because I had been planning to roll this out across my network when the splunk forwarders I was installing stopped doing anything after I began to reference teh new version. This has taken me a week to figure out so I appreciate your help. For anyone else installing splunkforwarders via Msiexec they may want to note the syntax change: msiexec.exe /i \dc1.butcher.localSplunkdsplunk-4.2.1-98164-x86-release.msi SPLUNK_APP="SplunkLightForwarder" FORWARD_SERVER="splunk.domain.local:9997" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="Domainsplunk-svc" IS_NET_API_LOGON_PASSWORD="Password1" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 /quiet Since I'm already rolling out with this method I'm very curious to know why you don't recommend rolling out this way? ... View more

Thanks for the reply. I'll take a look at deployment services. I guess my real question is, since Splunk just monitors certain log files for changes and then forwards the changes to a central store (that's my understanding) is it even possible to modify the forwarder so that it only forwards errors? ... View more