Hi everybody! I currently monitor IIS web server logs from two different locations. the locations are D:\IISLOGS and E:\IISLOGS. I defined these two paths because some of my servers put the logs into D drive and the others put the logs into E drive. So I've faced errors in my splunk internal logs. The error is: WARN FilesystemChangeWatcher [3444 MainTailingThread] - error getting attributes of path "E:\IISLogs": The device is not ready.   I've created the following stanzas in my tranforms.conf and props.conf to set them to go to the null queue but it didn't work.   props.conf [source::C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\splunkd.log] TRANSFORMS-null= setnull   transforms.conf [setnull] REGEX = (.+error.+path.+[DE].+IISLogs.+) DEST_KEY = queue FORMAT = nullQueue   In my opinion, I made a mistake in my REGEX but I can't figure it out. Any suggestion would be appreciated ... View more

Hi everyone I have a lookupfile that contains a name and an ID   Brokers.csv Name ID Broker1 101 Broker2 102 Broker3 103 Broker4 201 Broker5 202 Broker6 203   I run this search query on my data.   index=SQL | fields BrokerID host | convert timeformat="%Y-%m-%d" ctime(_time) AS date | stats values(BrokerID) by date   and this is my results date BrokerID 2020-12-27 101   102 2020-12-27 201   202   203 2020-12-28 101 2020-12-29 101   102   103 2020-12-29 201   202   203   So What query I should run to get following result? 2020-12-27 Broker3 2020-12-28 Broker2   Broker3   Broker4   Broker5   Broker6   Thanks in advance. ... View more

  Hello everyone I want to add a constant prefix to all my indexes and then forward them this is my props.conf   props.conf [default] TRANSFORMS-index = rename-index     and here is my transforms.conf   transforms.conf [rename-index] SOURCE_KEY = _MetaData:Index REGEX = . FORMAT = foo-$1 DEST_KEY = _MetaData:Index     Actually, splunk rename all my indexes to foo-$1 while I want to rename my index to, for example, foo-eventlog, foo-iislog, and so on.   any help would be appreciated Thanks in advance ... View more

Hi everyone I do a search in Splunk and this is the results Name Price Date apple 23568 9/18/2020 apple 23346 9/18/2020 apple 22697 9/18/2020 apple 20 9/18/2020 apple 22674 9/19/2020 apple 25987 9/19/2020 apple 26796 9/19/2020 apple 25341 9/19/2020   I have a lookuptable file named apple.csv which is comprised of these contents. Name Date Max_Price Min_Price apple 9/18/2020 24250 22120 apple 9/19/2020 26920 24250   So I want to add the Max_Price and Min_Price to the main search something like this Name Price Date Max_Price Min_Price apple 23568 9/18/2020 24250 22120 apple 23346 9/18/2020 24250 22120 apple 22697 9/18/2020 24250 22120 apple 20 9/18/2020 24250 22120 apple 22674 9/19/2020 26920 24250 apple 25987 9/19/2020 26920 24250 apple 26796 9/19/2020 26920 24250 apple 25341 9/19/2020 26920 24250   and then I can determine the wrong result. I mean the following result is not acceptable to me and they're may be wrong or something else. apple 20 9/18/2020 apple 22674 9/19/2020   Thanks in advance ... View more