Can I use the same HEC token on all HF's which are behind a VIP and set up clients to send data to VIP ip? The purpose is to keep HF's conf the same and share the load. Is it a good idea? ... View more

I have this inputs.conf [ServerLogs] SHOULD_LINEMERGE = true TRUNCATE = 0 BREAK_ONLY_BEFORE = ^\d{6}\s+\d{2}\:\d{2}\:\d{2}\:\d{3}\s+ TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT =%m%d%y %H:%M:%S:%3N BREAK_ONLY_BEFORE_DATE = true and piece of my log looks like: <imagePath>C:\Fiserv\TCAP\bin\..\data\images\20160714222778400413_20160714141254232.img</imagePath> </imageObject> <itemUserFields /> <cpcsData /> 071216 09:36:03:364 4524/6.4.2.10/2 INFO CCaptureApiServerApp::InitInstance(): before requestProcessor.DoModal() Second piece of log was recognized correctly with property time format. however for the first piece, the line was also broken before, and a time was recognized from "20160714141254232", which I am confused that that's not the time format I defined. Anyone can shed some light here? ... View more

I have a situation to index batch output into Splunk. The output looks like: /data/20160711/file.log <---a /data/20160712/file.log <---b /data/20160713/file.log <---c Every day, the batch job copies the file.log into this subfolder under /data. But file.log is not rotated by date, but by size, which means if not rotated, file.log a,b,c could have duplicate data. Tight now I have a forwarder monitoring everything under /data, but it caused quite some duplication. What's the best way to just index the data for the day from each file? ... View more

In one set of our Splunkforwarders, we keep getting the following error msg: FilesystemChangeWatcher - error getting attributes of path "C:\pagefile.sys": The process cannot access the file because it is being used by another process. It only happens to this set of servers and every one of them. What could be the possible reason for it? thanks. ... View more