I see from the latest release notes that the recommended sourcetype is ms:iis:auto and the others have been deprecated, presumably to go away at some future point. What I don't see is the reasoning behind this, in view of the known disadvantages of indexed inputs on the forwarder: --no further parsing possible --greatly increases storage requirements --others of lesser importance e.g. less flexible if the log is reconfigured Does anyone know of compelling reasons why this has been done? Personally I will always use search-time field extraction unless there is a really good reason not to. It seems to be a wrong turn, unless I've missed something. Charles ... View more

I am wondering why the search-time configurations for this app have been deprecated. You can't do additional parsing steps if needed once you use INDEXED_EXTRACTIONS, and also you will consume a lot of extra storage for many fields that simply do not need to be indexed. I would have thought that search-time extraction would be preferable. At the very least it should continue to be available, depending on the use case. Can anyone explain the reasoning behind this decision? ... View more

Good morning, I am having consistent trouble with UI in the editor in both firefox and chrome in that I cannot get the Dynamic Element selector to do anything. It displays the available options but I cannot select any of them. When I click on one, e.g. Background, nothing happens and it still says Select. Has anyone seen the before and have a workaround, or know what's causing it and how to fix it? Thank you, Charles ... View more

Just curious to find out if anyone has ever integrated Splunk Cluster with ITSI. Seems to me that SC certainly qualifies as a service with many dependencies, quite a few of which are not covered by the monitoring console. While comprehensive, it doesn't include many things which SC just assumes are working correctly, primary among these the networks on which everything relies. For instance, if you have flapping port on switch or a configuration problem with a switch or router, this could potentially cause many interesting issues with SC about which MC would have no clue. Anyone ever made any moves along these lines? Charles ... View more

Good morning, I am currently instructing the Cluster Admin course, and a student has asked a question which to my great surprise doesn't seem to covered anywhere. They have an indexer cluster and SHC on a single site, and they want to shut down everything for a planned power outage in their data centre.   What is the correct sequence and commands for doing this? My own guesses are: Shut down everything that is sending data to splunk first. Place the index cluster in maintenance mode Shut down the deployment server if in use. Shutdown the SHC deployer (splunk stop) Shut down the SHC members (splunk stop?) Shut down the indexer members (? not sure which variant of the commands to use here) Shut down the cluster master last. Restart is the reverse order. Correct or not? Thank you, Charles ... View more