cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
bailmon
Explorer
Member since: ‎04-21-2011
‎06-05-2020
Community Statistics
Posts 6
Solutions 0
Karma Given 6
Karma Received 6
Member Since ‎04-21-2011
Activity Feed

Re: Field extractions not creating fields at searc...

by in All Apps and Add-ons
‎03-20-2015 06:59 PM
5 Karma
‎03-20-2015 06:59 PM
5 Karma
Another possible solution (for someone else) is that the results selector right under the search (magnifying glass) is in 'Fast Mode'. This will turn off field discovery. If you want to get the most fields put it in 'Smart Mode' or 'Verbose Mode' ... View more

Re: License Violation Automated Alerts

by in Installation
‎02-18-2015 01:29 PM
1 Karma
‎02-18-2015 01:29 PM
1 Karma
Amen... Seconded ! ... View more

Re: Redirect to Null Queue is not working

by in Getting Data In
‎05-06-2013 05:11 PM
‎05-06-2013 05:11 PM
Hi Kristian, Sorry it took me so long to get back with you. 1.) I had to take in all of the information, and 2.) today was a crazy day. But Eureka... I think you've solved the problem. I did have it installed as a 'full install' on that server. I changed it to a 'light forwarder' and viola. The events have stopped coming. Also. The link you sent is like the Rosetta Stone for understanding the data life cycle. Thank You So much.. ... View more

Re: Redirect to Null Queue is not working

by in Getting Data In
‎05-04-2013 03:56 PM
‎05-04-2013 03:56 PM
Thank you Kristian, I'll read up on it. Just to clarify how the events are coming. I installed Splunk on the server that generates those events and set it to forward all of it's events to the collector (port 9997) ... View more

Re: Redirect to Null Queue is not working

by in Getting Data In
‎05-04-2013 12:17 PM
‎05-04-2013 12:17 PM
Hi Kristian, Thank you. It's well thought out, but unfortunately, the events are still coming in. I'm monitoring 30 seconds realtime and watching the 5145 events just pour in. I copied the [nulluser] and [nullseqid] directly into the transforms.conf and added the stanza in the props.conf. You are right about the 'LogName=Security' being redundant. Thanks for the information about the 'casesensitivematch' (I did not know that). I wish I understood the process (route these events take to get into Splunk) better. ... View more

Redirect to Null Queue is not working

by in Getting Data In
‎05-03-2013 11:35 PM
‎05-03-2013 11:35 PM
I'm trying to redirect all 5145 events (from WinEventLog:Security) and all Security events from 'SYSTEM' (or another account called digitalsender). I've tried several variations of the entries below, but nothing seems to work. Here is the relevant parts of my configs.. props.conf [source::WinEventLog:Security] TRANSFORMS-null = null_excluded_users, null_excluded_events transforms.conf [null_excluded_users] case_sensitive_match = false REGEX = (?m)LogName=Security[^$]+(Security ID:(.*)(AUTHORITY\\SYSTEM|digitalsender)|User=(SYSTEM|digitalsender)) DEST_KEY = queue FORMAT = nullQueue [null_excluded_events] case_sensitive_match = false REGEX = (?m)EventCode=(5145||) DEST_KEY = queue FORMAT = nullQueue ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma given to