I have a very peculiar situation where my UF is sending data only to Lab Indexers where as it not been forwarded to Prod Indexers. Here are the details: UF monitors a syslog file in the same linux box . Inputs.conf is part of an app in the etc/apps directory. In inputs TCP routing is configured to send it to both lab and prod indexer groups as below [monitor:///xxx/xxx/xxx/xxx/.../*.log] _TCP_ROUTING=lab-indexers,prod-indexers host_segment=5 sourcetype=syslog blacklist = .log.1 disabled = false index = X outputs in etc/local which is common for all apps as below [tcpout] forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_introspection|_internal|_telemetry) forwardedindex.filter.disable = false defaultGroup = lab-indexers, prod-indexers [tcpout:lab-indexers] server = xx.xxx.x.xxx:9997, xx.xxx.x.xxx:9997, xx.xxx.x.xxx:9997 [tcpout:prod-indexers] server = xx.xxx.x.xxx:9997, xx.xxx.x.xxx:9997, xx.xxx.x.xxx:9997 Note : there many other inputs app which is routing data to both lab and prod indexers. so there is no problem with network related issues. Index is also created in prod So help me with troubleshooting steps to narrow down this issue Thanks in advance ... View more

I'm trying to compare Field X from Index A with Field Y from Index B. Though the field names are different, they store the same value. IF value matches I need result from field Z from index B Below is my search: index = A |fields X |rename X as Y |join Y [|search index= B] |stats values(Z) by Y Above search doesn't work. Is it because of subsearch result limitation? Help with the correct search to achieve it. Thanks in advance. ... View more

Hi I need a help with a Splunk search to find the number of users having access for each indexes. Thanks ... View more

I have a table like below Test_ID Test_Name Status 123 Test1 Passed 123 Test2 Passed 123 Test3 Failed 123 Test4 Passed 345 Test1 Failed 345 Test2 Passed 567 Test1 Passed 567 Test2 Passed 567 . Test3 Passed So above table has for each Test ID , there are multiple test name and results for each test name. Now i need to get the unique count of Test_ID only if all the all the test_name in each id are passed. So ideally from above table i should get count as only 1 ....because only Test ID = 567 has passed in all test. ... View more

Hi , I have dns file where i need to filter the junk data before indexing and extract hostname and IP fields at index time. Filtering logic works well Regex works well. It is tested in splunk search. I get only 1 field extracted (IP alone) and HostName is not extracted. Below are my configurations.Please review and let me know if something missing Props.conf [dig] TRANSFORMS-drop = delLines TRANSFORMS-dnsExtract = hostExtraction TRANSFORMS-dnsExtract = IPExtraction Transforms.conf [delLines] REGEX = ^;.*$ DEST_KEY = queue FORMAT = nullQueue [hostExtraction] REGEX = ^(?P[^\t]+) FORMAT = HostName::"$1" WRITE_META = true [IPExtraction] REGEX = (?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}) FORMAT = IP::"$1" WRITE_META = true ... View more