[blacklist:<path>] * Protects files on the file system from being indexed or previewed. * The input treats a file as denied if the file starts with any of the defined deny list <paths>. * Adding a file to the deny list with the specified path occurs even if a monitor stanza defines an allow list that matches the file path. * The preview endpoint returns an error when asked to preview an excluded file. * The oneshot endpoint and command also returns an error. * When a denied file is monitored, using monitor:// or batch://, the 'filestatus' endpoint shows an error. * For fschange with the 'sendFullEvent' option enabled, contents of denied files are not indexed. It is explicitly described. The only thing which is not there is if/that it supports wildcard/regex. ... View more

@livehybrid Boom!  Learn something new every day. ... View more

The allowedDomainList setting can be in any alert_actions.conf file on your search head(s).  Precedence rules apply, however.  See https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Wheretofindtheconfigurationfiles ... View more

As @bowesmana exemplifies, putting your complete set of values in a lookup is one way to count "missing" values.  Another way to is to put them in an multivalued field and use this field for counting.  Here is an example   index=idx1 host=host1 OR host=host2 source=*filename*.txt field1!=20250106 (field2="20005") OR (field2="20006") OR (field2="20007") OR (field2="666") | eval field2prime = mvappend("20005", "20006", "20007", "666") | mvexpand field2prime | eval field2match = if(field2 == field2prime, 1, 0) | stats sum(field2match) as count by field2prime | rename field2prime as field2   Here is an emulation you can play with and compare with real data:   | makeresults count=16 | streamstats count as _count | eval field2 = round(_count / 😎 % 3 + 20005 ``` the above emulates index=idx1 host=host1 OR host=host2 source=*filename*.txt field1!=20250106 (field2="20005") OR (field2="20006") OR (field2="20007") OR (field2="666") ```   Mock data looks like this: fiel2 20005 20005 20005 20006 20006 20006 20006 20006 20006 20006 20006 20007 20007 20007 20007 20007 If you count this against field2 directly, you get field2 count 20005 3 20006 8 20007 5 Using the above search, the result is field2 count 20005 3 20006 8 20007 5 666 0 ... View more

I know this is ancient, but I had the same issue with blank results because of this: https://community.splunk.com/t5/Splunk-Search/What-would-intermittently-cause-less-events-to-return-the-raw/m-p/490525 ... View more

1. This is a quite old thread. You'd be better off by starting a new one (possibly putting link to this one for reference). 2. Generally speaking, as a good practice:  - don't mix management with package manager with manually dropping in files. It can end badly. - If you have a package for your system it's often (although not always; there are sometimes very badly built packages) a better solution I'm not sure about Splunk but depending on how/where you installed your software before, the RPM might not fit exactly that layout. So while you can try to install RPM package over a tarball-based /opt/splunk, I think I'd try to go for backup/remove/install/restore. Oh, and don't try to mess with your production server without testing it in dev environment. ... View more

Things don't happen by themselves usually. You must have sone something as root so that resulting files ended up being owned by root. ... View more