I can double check and get back to you. Based on what you have mentioned, it looks like you are not getting any output in the AOB in Splunk Ver 9.0, correct? Also what version of AOB is it?  ... View more

That was the exact setting that I missed, after that rep_factor setting now I see all indexes. ... View more

Hi Splunkers, I have logs like <Header> <Product>Microsoft SQL Server Reporting Services Version 2011.0110.6615.02 ((SQL11_SP3_QFE-CU).180109-2116 )</Product> <Locale>English ()</Locale> <TimeZone>Central Daylight Time</TimeZone> <Path>D:\Program Files\Microsoft SQL Server\MSRS11.CTSSRS2012\Reporting Services\Logfiles\ReportServerService__11_05_2020_14_52_11.log</Path> <SystemName>Avotrix69901</SystemName> <OSName>Microsoft Windows NT 6.2.9200</OSName> <OSVersion>6.2.9200</OSVersion> <ProcessID>3296</ProcessID> <Virtualization>Hypervisor</Virtualization> </Header> <ProcessorArchitecture>AMD64</ProcessorArchitecture> <ApplicationArchitecture>AMD64</ApplicationArchitecture> processing!ReportServer_0-51!1ed8!11/05/2020-14:52:11:: v VERBOSE: Mapping data reader successfully initialized. library!ReportServer_0-51!2bc8!11/05/2020-14:52:11:: v VERBOSE: Transaction commit. processing!ReportServer_0-51!1ed8!11/05/2020-14:52:11:: e ERROR: Throwing Microsoft.ReportingServices.ReportProcessing.ReportProcessingException: , Microsoft.ReportingServices.ReportProcessing.ReportProcessingException: There is no data for the field at position 3.; runningjobs!ReportServer_0-51!2bc8!11/05/2020-14:52:11:: v VERBOSE: Thread pool settings: Available worker: 399, Max worker: 400, Available IO: 400, Max IO: 400 runningjobs!ReportServer_0-51!2bc8!11/05/2020-14:52:11:: v VERBOSE: Spawning new thread for a work item. runningjobs!ReportServer_0-51!2bc8!11/05/2020-14:52:11:: v VERBOSE: ThreadJobContext.EndCancelableState runningjobs!ReportServer_0-51!2bc8!11/05/2020-14:52:11:: v VERBOSE: ThreadJobContext.WaitForCancelException entered runningjobs!ReportServer_0-51!2bc8!11/05/2020-14:52:11:: v   And after indexing i am getting events like \x00c\x00h\x00u\x00n\x00k\x00s\x00!\x00R\x00e\x00p\x00o\x00r\x00t\x00S\x00e\x00r\x00v\x00e\x005\x001\x00!\x002\x001\x00d\x000\x00!\x001\x001\x00/\x000\x005\x00/\x002\x000\x002\x000\x00-\x001\x004\x00:\x005\x002\x00:\x001\x002\x00:\x00:\x00 \x00v\x00 \x00V\x00E\x00R\x00B\x00O\x00S\x00E\x00:\x00 \x00R\x00e\x00t\x00r\x00i\x00e\x00v\x00e\x00d\x00 \x00s\x00e\x00g\x00m\x00e\x00n\x00t\x00 \x004\x003\x00f\x00b\x000\x009\x009\x00d\x00-\x00c\x006\x006\x004\x00-\x00e\x00a\x001\x001\x00-\x008\x001\x002\x00d\x00-\x000\x000\x002\x001\x005\x00a\x009\x00b\x000\x008\x00a\x00c\x00 \x00f\x00o\x00r\x00 \x00c\x00h\x00u\x00n\x00k\x00 \x004\x002\x00f\x00b\x000\x009\x009\x00d\x00-\x00c\x006\x006\x004\x00-\x00e\x00a\x001\x001\x00-\x008\x001\x002\x00d\x00-\x000\x000\x002\x001\x005\x00a\x009\x00b\x000\x008\x00a\x00c\x00 \x00f\x00r\x00o\x00m\x00 \x00t\x00h\x00e\x00 \x00s\x00e\x00g\x00m\x00e\x00n\x00t\x00  I had solved this issue using the below settings in props.conf [MyOwnSourceType] CHARSET = UTF16-LE ... View more

I had a chance to speak to Mr. Vikram Kumar Yadav and he is a remarkable tutor.  Your continuous support, encouragement, and guidance as a Leader of "Splunk User Group Mumbai" have helped me reach many professional milestones. You are the mentor that every star-eyed new hire needs. My admiration and respect for you only grow each day for you. Your in-depth knowledge in Splunk is Stunning and it is evident from the Splunkbase app of yours. I admire and I am a fan of your great work in terms of the Splunk app, Blog posts,  Website, and many more.  Your website is evident that you always find out the best in anything that makes you unique. The miles you've crossed are too far, yet you have a long way to go. All the best. ... View more

Try This... | datamodel data_model_name root_object_name search | table _time, sourcetype, root_object_name.* Example: | datamodel Network_Traffic All_Traffic search| search All_Traffic.*="unknown" | dedup sourcetype | table _time, sourcetype, All_Traffic.* ... View more

At every execution you timerange is getting differed, so obviously if you stick to your earliest and latest of time, then your result will be constant. You can add the below in your query and see to yourself index=abc earliest=-2h@h latest=-1h@h | table _time, server, userdetails | timechart span=1h dc(userdetails) by server ... View more

Nothing is as fast as a simple query like tstats and for users who cannot go installing the third party apps can always use the below code for reference. Also this will help you to identify the retention period of indexes along with source, sourcetype, host, etc. | tstats earliest(time) as earliestTime latest(_time) as latestTime count as eventCount where index=* by source sourcetype host index splunk_server |eval" retention period days"=round((latestTime-earliestTime)/86400,2)|convert ctime(*Time) | dbinspect index=*  | stats count as bucket_count min(startEpoch) as earliest_event by index splunk_server  | eval earliest_event_human = strftime(earliest_event, "%c") Do also check out Avotrix app on splunkbase. ... View more

My problem was I had enabled SSL. ... View more