Thanks this is what i came up with pivoting off the uberagent DM |tstats dc(host) AS "Distinct Count of host" from datamodel=uberAgent.Application_ApplicationUsage where (nodename = Application_ApplicationUsage) groupby Application_ApplicationUsage.AppName prestats=true | addinfo type=count label=prereport_events | fields keepcolorder=t "Application_ApplicationUsage.AppName" "host" "prestats_reserved_" "psrsvd_" | prestats dedup_splitvals=t distinct_count(host) by "Application_ApplicationUsage.AppName" Thanks all ... View more

Thanks all that makes sense now and I do see this in uberagent docs; Source type: uberAgent:Application:ApplicationUsage Field list: AppName, UserName, AppVersion, RemotingClientName Any tips on the query to run tstats against the DM? Thanks! ... View more

Using latest version I'm still having issues. Only seeing occasional logging to the correctly configured index on restarting the service. The interval is being ignored here. Looking at internal logs: Index=_internal source="C:\Program Files\Splunk\var\log\splunk\file_meta_data_modular_input.log" Seeing events like: INFO Completed retrieval of file data.... WARNING Unable to get the ACL data, reason=(5, 'GetFileSecurity', 'Access is denied.')... INFO Time is later than filter, st_mtime=1322859631.165719, must_be_later_than=None, path='... INFO Time is later than filter, st_ctime=1330974351.030764, must_be_later_than=None, path=... ... View more

https://answers.splunk.com/answers/492137/after-installing-the-filedirectory-information-inp-2.html This is still a problem, can you take a look please? ... View more

Is this resolved? Seeing similar behavior of false alerts in 6.4.5 ... View more

Looks good thanks! However Im seeing timestamps issue where in the events the leading zeros are trimmed off of the UTC_TIME field, so that midnight is represented as a single 0, 12:15 is represented as the 2 digit 15, etc ... View more

Is there any way to have this data straightened out with a props/transform search time or index time extraction? ... View more

NTP is working. ... View more

This is the app: https://splunkbase.splunk.com/app/2776/ This is the configured input: [file_meta_data://ACETestFolder] file_hash_limit = 500MB file_path = \\acetest include_file_hash = 0 interval = 15m only_if_changed = 1 recurse = 1 There is an initial pull of events seen in the main index, some 3k events similar to this: time="Tue Jan 24 16:37:39 2017" is_directory=1 file_count=0 directory_count=16 path=\\acetest atime="Thu Dec 22 12:52:26 2016" atime_epoch=1482429146.82 ctime="Thu Oct 15 16:15:49 2015" ctime_epoch=1444940149.33 dev=0 gid=0 ino=0 mode=16895 mtime="Thu Dec 22 12:52:26 2016" mtime_epoch=1482429146.82 nlink=0 size=4096 uid=0 owner=Administrators\BUILTIN owner...(lots more fields) All events have same timestamp time="Tue Jan 24 16:37:39 2017" which is correctly indexed in main. In the index= _internal source="C:\Program Files\Splunk\var\log\splunk\file_meta_data_modular_input.log" Events like: 2017-01-24 16:37:34,867 INFO Time is later than filter, st_mtime=1482429146.8163483, must_be_later_than=0, path='\\\acetest' Have second input: [file_meta_data://fileTest] file_hash_limit = 500MB file_path = \\someshare_archive06$ include_file_hash = 0 interval = 15m only_if_changed = 1 recurse = 1 disabled = 0 No events in main. index=_internal source="C:\Program Files\Splunk\var\log\splunk\file_meta_data_modular_input.log" 2017-01-24 17:35:24,240 INFO Time is later than filter, st_mtime=1333460403.592, must_be_later_than=0, path="\\\someshare_archive06$\~filedetails.xlsm3.xlsm" Also lost of these: 2017-01-24 17:29:38,009 ERROR Error when processing path="blah", reason="(1332, 'LookupAccountSid', 'No mapping between account names and security IDs was done.')" Traceback (most recent call last): File "C:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_meta_data.py", line 381, in get_file_data windows_acl_info = cls.get_windows_acl_data(file_path, logger) File "C:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_meta_data.py", line 254, in get_windows_acl_data sid_resolved = win32security.LookupAccountSid(None, sid) error: (1332, 'LookupAccountSid', 'No mapping between account names and security IDs was done.') ... View more

Different message. I will open another. INFO Time is later than filter, st_mtime=1459251861.8578942, must_be_later_than=None ... View more

im getting this message INFO Time is later than filter, st_mtime=1384897295.045503, must_be_later_than=None, path=' With latest version. No other errors seen. Seems to scan the path once but then does not continue on schedule. ... View more

Im also seeing the same message in _internal and no events in the latest version: INFO Time is later than filter, st_mtime=1384897295.045503, must_be_later_than=None, path=' ... View more

Not sure why i cant add to thread but this works.. This is not working. I have tried adding as a flat file and changing sourcetype to _json but still the events dont break as they do in data preview. ... View more

I tried adding as a flat file and still not breaking as it looks in previewer? ... View more

Tried changing to monitoring a flat file and still no change. ... View more

Thanks this is working well. ... View more

ah the page does not like the wild cards. common is the ny between the wildcards * ny * RAAG14*NY1234 RABHAG94NY1256 RACAG84NY1277 RADAGSS4NY1244 RAEAG14NY*9888 page keeps cutting my post, but i hope it makes sense.. ... View more

Thanks, looking promising. seems to struggle with hosts matching names in the middle so like ny ... View more