Hi all, is there a limitation in the combination of transforms on a source in props.conf? here is what i did and somehow I don't get any result. Whenever I delete the TRANSFORMS-reroute entry, data is received and hostnames are changed. Somehow I don't get the source with my regex rerouted to another index. props.conf:   [source::tcp:514] TRUNCATE = 64000 TRANSFORMS = newhost1 TRANSFORMS = newhost2 TRANSFORMS-reroute=set-index   transforms.conf   [newhost1] DEST_KEY = MetaData:Host REGEX = mymatchinghost1rex FORMAT = host::myhost1 [newhost2] DEST_KEY = MetaData:Host REGEX = mymatchinghost2rex FORMAT = host::myhost2 [set-index] DEST_KEY=_MetaData:Index REGEX= .+mymatchingrex.+ FORMAT=myindex WRITE_META=true     thanks for your help, kind regards, harald ... View more

Hello, Is there a way to count the series of consecutive identical events that are interrupted by another event? Something like that: data: seq#;Event 1;A 2;A 3;B 4;B 5;B 6;A 7;B 8;B 9;A 10;A 11;B the result should look like: consecutive Event | count A | 2 B | 3 A | 1 B | 2 A | 2 B | 1 thx ... View more

Hello, I'm using splunk universal forwarder version 6.1.2 on Windows Servers to index EventLogs. The Events are indexed (indexer version 6.1.2), however the message field contains following message: Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt. In the Event Viewer on the Windows Server the message field is displayed correctly. I couldn't identify a specific EventID nor Server version, it happens on win server 2003 and also 2008r2. However it seems to happen mostly in Security and Application Log. If found an article that describes the problem, however it addressed a bug in 4.3.x http://answers.splunk.com/answers/66436/splunk-could-not-get-the-description-for-this-event-4-3-2-universal-forwarder-server-2008-r2.html Any ideas or suggestions? Could it be the same bug? thanks! ... View more

Hi, is it possible to use satellite view in xml "map" element? thanks! ... View more

Hi, Is it possible that multiple indexers (same index) use the same shared NFS directory for colddb? For example: indexer1: indexes.conf [indexA] ... coldPath = /NFS/indexA/colddb ... indexer2: [indexA] ... coldPath = /NFS/indexA/colddb ... OR should it look like: indexer1: indexes.conf [indexA] ... coldPath = /NFS/indexer1/indexA/colddb ... indexer2: [indexA] ... coldPath = /NFS/indexer2/indexA/colddb ... thx ... View more

Hi, I got following behavior. An ldap user is member of two roles. (role A = ldap groupA & role B = ldap groupB) role A has properties set to srchIndexesAllowed = index1;index2;index3 role B has properties set to srchIndexesAllowed = index2;index4;index5 When searching for index=* the user only sees indexes from role A (index1;index2;index3). In Splunk manager the user has both roles assigned. What am I doing wrong? we are currently running on 4.3.3. thx, harry ... View more