Thanks a lot for your help.. I will do that. Regards, Abilan ... View more

Hi , I have installed lookup editor app and created a sheet with only 4 hosts. Now I am getting the host which are having Total =0. But however If I check for >0 then am getting all of my hosts not only the ones which are only in input lookup file. csv file has 2 below columns. am keeping the Total column blank and host column contains host names. host Total Thanks a lot for your help! ... View more

Hi , I understand that but when we search for forwarder logs to fetch the host list but in this case the host which is down already won't be in the host list. Please correct me If I am wrong. Thanks for your help! ... View more

Hi , Column names are looking good. If I search with Total >0 then I can see all the hosts but not that one forwarder which is down. Just ran only initial part of the query. Even in this am not having that host in this list. | metasearch index=_internal | eval host=upper(host) | stats count by host I think we cannot achieve the requirement using this lookup or else I have to put the lookup for every host. Regards, Abilan ... View more

Hi, I didn't change anything on the lookup which you have given. I am just simply using that. Still one of forwarder is down, I am not getting that host name in result. If I remove where Total=0 from search, I can see all other hosts but not the one which is down. Thanks again! ... View more

Hi . To test this scenario, I have just brought down one of the forwarder. I didn't see that forwarder in my search result. do you want me to add the hostnames anywhere? Thanks for your help! Regards, Abilan ... View more

Thank You! one final question if I use Total = 0 then it's not working as expected. Because if there is no event for any forwarder it is not showing it's name in the output. Can you help me here? ... View more

Hi , This query is working fine, but I would like monitor only for 20 hosts out of 30. Is there anyway I can do that. Also if you just give me some idea about the lookup that will be helpful for me. Thanks for your help. ... View more

Hi , Thanks for your response. We are in Splunk 6.2, I don't see any alert in DMC by default to monitor the forwarders. I will try the other solution and get back to you. ... View more

Hi , correct name is sched. Just for example I have given it as test. ... View more

Hi , Thanks again for your help. I have executed the query on my forwarder. Please find the output below. sourcetype is empty here. /u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf [scheduler] /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf ANNOTATE_PUNCT = True /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf AUTO_KV_JSON = true /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE = /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf BREAK_ONLY_BEFORE_DATE = True /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf CHARSET = UTF-8 /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf DATETIME_CONFIG = /etc/datetime.xml /u01/SplunkCloud/splunkforwarder/etc/apps/search/default/props.conf EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+-]\d+ )?(?P[^ ]*)\s+(?P[^ ]+) - (?P.+) /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf HEADER_MODE = /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_MODEL = true /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LEARN_SOURCETYPE = true /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf LINE_BREAKER_LOOKBEHIND = 100 /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_AGO = 2000 /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DAYS_HENCE = 2 /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_AGO = 3600 /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_DIFF_SECS_HENCE = 604800 /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_EVENTS = 256 /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128 /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_BREAK_AFTER = /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_AFTER = /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf MUST_NOT_BREAK_BEFORE = /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION = indexing /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-all = full /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-inner = inner /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-outer = outer /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-raw = none /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SEGMENTATION-standard = standard /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf SHOULD_LINEMERGE = True /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRANSFORMS = /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf TRUNCATE = 10000 /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf detect_trailing_nulls = false /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf maxDist = 100 /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf priority = /u01/SplunkCloud/splunkforwarder/etc/system/local/props.conf sourcetype = ... View more

Hi , Yes, I have tried with Brazil Time zone still it is not working! ... View more

Hi , I have updated this for UTC in my props.conf on forwarder machine. [sched] SHOULD_LINEMERGE=false TIME_FORMAT=%Y-%m-%d %H:%M:%S,%f TIME_PREFIX=^ TZ=Africa/Abidjan MAX_TIMESTAMP_LOOKAHEAD=25 Still it is not working as expected. Logs are still coming in Brazil Time Zone. Regards, Abilan ... View more

Hi , I have updated the below in my props.conf on forwarder machine. [ sched ] SHOULD_LINEMERGE=false TIME_FORMAT=%Y-%m-%d %H:%M:%S,%f TIME_PREFIX=^ TZ=UTC-3 MAX_TIMESTAMP_LOOKAHEAD=25 And restarted the splunk forwarder service, but still I don't see any change in time from Splunk web. Regards, Abilan ... View more

Hi , My Indexer is in GMT. but all my forwarders are in Brazil time zone. I didn't change anything in props.conf file after installation. Also please let me know which timezone I need to add and any standard format for the same? Thanks for your help! Regards, Abilan ... View more

Hi, Hi, Yes I see that logs are indexing, but If I want to search for current log then I have to search for last 4 hours. I mean indexing time stamp is 4 hour behind. If I search for last 4 hours in the search, I can see the latest logs there. We have the same forwarder on linux machines and that is giving proper time stamps. This is happening on windows server's universal forwarder. All our universal forwarder machines are in same time zone but not indexer. Thanks , Abilan ... View more

Hi , Permission looks good, that is not the issue. ... View more

Hi , Thanks for your reply, I have verified the permission it looks fine. Also If I create any other test file in that folder that is getting indexed properly. so it doesn't seem to be a permission issue. Checked the tail-processor's status, it says finished reading. No errors related to CRC. Regards, Abilan ... View more