Today I have change configuration of forwarder and restarted it, after restart it is forwarding previous events as well which forwarder has already forwarder. How I can make sure that after restart, forwarder will only send latest data not previous one. ... View more

I am setting up heavy forwarder on multiple machine, out of that one of them have below requirement, 1) Heavy forwarder should forward sub-set of events which match with given pattern and not all the events. I search over web, I found couple of Q&A regarding the same but it’s seem not working for me. First solutions I tried: http://answers.splunk.com/answers/9076/how-to-configure-a-forwarder-to-filter-and-send-only-the-events-i-want On the above solution, I can see in forwarder log, it’s continuously saying could not connect with 0.0.0.0:0 and connection failing but nothing is getting forwarded at Indexer side. Second solution: I tried with forwarding everything into NullQueue and forward only event which match with REGX by setting up two stanza into transforms.conf. Seems that above solution also does not work for me. Pattern which I want to match is following, oauth.googleusercontent.com, ssl.gstatic.com, fb.com, twitter.com Heavy forwarder should only send events to indexer if events matched with any of the above patterns. Please let me know, if you have any question regarding the same. I have already spend one full day in exploring above but could not find solution. Sorry to raise this question in that manner but i feel very sad after investigating over a day and could not find solution, Below are the configuration i am suing at my heavy forwarder side. props.conf [host:: ] TRANSFORMS-set =setnull, allowtheseevents transform.conf [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [allowtheseevents] REGEX = (?m)ssl.gstatic.com FORMAT = splunkindexer_9997 inputs.conf [monitor:///usr/local/logfilename.log] index = main sourcetype = filtersplunkproxy blacklist = .gz output.conf [tcpout] defaultGroup = splunkindexer_9997 [tcpout:splunkindexer_9997] server = :9997 [tcpout-server:// :9997] Please correct me if I am doing something wrong here. ... View more

All, I want to monitor Apache log and file name is appended with date, so it's dynamic file. eg, Log directory: /var/apache/logs/ File name is, apache_log.2014.02.20 apache_log.2014.02.19 apache_log.2014.02.18 apache_log.2014.02.17.gz apache_log.2014.02.16.gz Running log is coming into apache_log.2014.02.20 and I also want to ignore all the files with *.gz name, since old files are getting archived and present into same directory (/var/apache/logs/). Please some one can give details about stanza of input.conf and other details if required. ... View more

Hi Guys, I set-up Heavy forwarder at Machine-1 and wants to send data on Machine-2, since network in involve in between so i want to minimize the network traffic to prevent certain type of events and send the imp event immediately but less imp event per day or per hours. Many Places i read that using universal forwarder we cann't do filter as well as interval setting, that's why i moved to Heavy forwarder, I can able to filter out events in heavy forwarders but unable to set periodicity. It would be great help if some one can tell me stanza for setting interval of polling, lets say, I want to monitor, "testlog" all time and "testlog1" after every 30 mins and "testlog2" after every 1 hours. Right now my inputs.conf is below, [monitor:///usr/local/preview/splunk/testlog/*] index = main sourcetype = testlog [splunktcp://9997] connection_host = ip _TCP_ROUTING = splunkindexer_9997 ... View more

Hi, I have events which logging user agents information, USR_AGNT="Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36" In the above log events, we have browser information as well as OS information, How i can transform it while indexing into two different key such OS_INFO (operating system related information) and BRW_INFO (Browser related information) under USR_AGNT. ... View more

Hi Guys, My log message looks like below, Time message 10:00 AM “log message 1” 10:10 AM “log message 2” 10:20 AM “log message 2” 10:41 AM “log message 3” 10:45 AM “log message 4” 11:20 AM “log message 5” 11:21 AM “log message 6” 11:22 AM “log message 7” 11:25 AM “log message 8” 11:45 AM “log message 9” 11:55 AM “ ….” 12:28 PM “…..” I want above message to be grouped into 4 groups and print following, Start_time 10:00 AM count 5 Start_time 11:20 AM count 6 Start_time 12:28 PM count 1 We are splitting message based on the any two consecutive record having time difference of more than 30 min. Here, 10:45 AM and 11:20 AM is having 35 min, so breaking it and again we found at 11:55 AM, since difference between 11:55 AM and 12:28 PM is 33 Min. ... View more