I have installed my first Splunk Enterprise on a Linux server and installed forwarders on Windows workstations using the ports as instructed. The firewall is off and SELinux is off. The forwarders are calling in.
Now perhaps I am missing something, in that in Splunk I select Search and enter * (or index=anything; there is a long list), and the error is:
The transform ca_pam_login_auth_action_success is invalid. Its regex has no capturing groups, but its FORMAT has capturing group references.
I tried another search and saw another error: Error in "litsearch" command: Your Splunk license expired (the license is new) or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk/com/store or calling 866-GET-SPLUNK. The search job failed due to an error. You may be able to view the job in the job inspector.
All I want is to understand why FORMAT has capturing group references but the regex does not, and to turn my paperweight into a thriving reporting tool.
Can anyone help? Thank you!
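The first error describes a mismatch inside a transforms.conf stanza: FORMAT uses $1, $2, ... to refer to capturing groups of the stanza's REGEX, so a FORMAT that references $1 while the REGEX contains no parentheses (or fewer groups than the highest $N) is rejected. The following is an added example, not code from the post or from the CA PAM add-on; the stanza contents are constructed (they borrow the stanza name from the error message but do not reproduce the add-on's real REGEX or FORMAT). It parses a transforms.conf fragment and reports exactly this class of problem, so you can run it against the app's own transforms.conf to find the offending stanza before editing it.

```python
"""Check transforms.conf stanzas for FORMAT group references that the REGEX cannot satisfy.

Added example (not from the original post). Assumptions: transforms.conf is
INI-style with REGEX and FORMAT keys, FORMAT refers to capture groups as $1..$N,
and Splunk's PCRE named groups (?<name>...) are the main syntax difference
from Python's re module.
"""
import configparser
import re
from typing import Dict, List

# Constructed sample configuration. The first stanza reproduces the error in
# the post (FORMAT references groups, REGEX captures nothing); the second is
# the corrected form; the third references more groups than exist.
SAMPLE_TRANSFORMS_CONF = r"""
[ca_pam_login_auth_action_success]
REGEX = Authentication\s+succeeded\s+for\s+user
FORMAT = action::success user::$1 src::$2

[ca_pam_login_auth_action_success_fixed]
REGEX = Authentication\s+succeeded\s+for\s+user\s+(?<user>\S+)\s+from\s+(?<src>\S+)
FORMAT = action::success user::$1 src::$2

[too_many_refs]
REGEX = user=(\S+)
FORMAT = user::$1 host::$2

[literal_only_ok]
REGEX = Authentication\s+failed
FORMAT = action::failure
"""


def capturing_group_count(splunk_regex: str) -> int:
    """Number of capturing groups in a Splunk (PCRE) regex, via Python's re.

    PCRE named groups are (?<name>...); Python needs (?P<name>...). The
    negative lookahead keeps lookbehind assertions (?<= and (?<! untouched.
    """
    py_regex = re.sub(r"\(\?<(?![=!])", "(?P<", splunk_regex)
    return re.compile(py_regex).groups


def format_group_refs(fmt: str) -> List[int]:
    """Sorted, de-duplicated list of $N group references used in a FORMAT value."""
    return sorted({int(n) for n in re.findall(r"\$(\d+)", fmt)})


def check_transforms(conf_text: str) -> Dict[str, List[str]]:
    """Map each stanza that has both REGEX and FORMAT to a list of problems.

    An empty list means the stanza's FORMAT references are all satisfied.
    """
    # Only '=' as delimiter: FORMAT values contain '::', which would otherwise
    # be mistaken for a key/value separator. No interpolation, so '$1' is literal.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep REGEX / FORMAT in their original case
    parser.read_string(conf_text)

    problems: Dict[str, List[str]] = {}
    for stanza in parser.sections():
        regex = parser.get(stanza, "REGEX", fallback=None)
        fmt = parser.get(stanza, "FORMAT", fallback=None)
        if regex is None or fmt is None:
            continue  # not a REGEX/FORMAT transform (lookup, delimiter-based, ...)
        issues: List[str] = []
        ngroups = capturing_group_count(regex)
        refs = [n for n in format_group_refs(fmt) if n >= 1]
        if refs and ngroups == 0:
            issues.append(
                "regex has no capturing groups, but FORMAT has capturing group references"
            )
        else:
            for n in refs:
                if n > ngroups:
                    issues.append(
                        f"FORMAT references ${n} but regex has only {ngroups} capturing group(s)"
                    )
        problems[stanza] = issues
    return problems


if __name__ == "__main__":
    for name, issues in check_transforms(SAMPLE_TRANSFORMS_CONF).items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"[{name}] {status}")
```

To use it on a real installation, read the app's `default/transforms.conf` and any `local/transforms.conf` override with `check_transforms(open(path).read())`; the stanza named in the error is the one to fix, either by adding the capturing groups FORMAT expects to REGEX or by removing the $N references from FORMAT.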