Hi there,

I'm a new member of splunkninja and a Splunk newbie. :-(

As you can see in the topic, I have a question about a Windows heavy forwarder.

I have installed a Windows forwarder to collect all WMI data from our Windows server. The indexer is a Linux (Ubuntu) server. The communication between the forwarder and indexer works fine.

Now I want to select on the forwarder only events with the severity of warning and error.

I configured the following props.conf and transform.conf, but I still get the whole events like "Audit success".

props.conf

[host::*]
TRANSFORMS-events=only_error_warning

transform.conf

[only_error_warning]
REGEX = (?mi)Type=Audit
DEST_KEY = queue
FORMAT = nullQueue

Is it possible to transform data on the forwarder?

Do I have any mistakes in the conf files?

It would be nice if somebody can tell me what's going wrong.

Thanks in advance.

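The routing question in the post above, as an added example that is not part of the original post and not Splunk code: a small Python model of queue-routing transforms, comparing the posted discard rule with a keep-only rule set. It assumes transforms in one TRANSFORMS- class run in the listed order and the last one whose regex matches sets the queue; the sample events, their field layout, and the names setnull and setparsing are constructed for illustration.

```python
import re

# Each transform is (REGEX, FORMAT) with DEST_KEY = queue implied.
# POSTED mirrors the [only_error_warning] stanza from the post.
POSTED = [(r"(?mi)Type=Audit", "nullQueue")]

# Hypothetical keep-only pair: drop everything, then route wanted events back.
KEEP_ONLY = [
    (r".", "nullQueue"),                            # hypothetical [setnull]
    (r"(?mi)^Type=(Error|Warning)", "indexQueue"),  # hypothetical [setparsing]
]

# Constructed sample events; the field layout is an assumption,
# not output captured from a real forwarder.
EVENTS = {
    "error": "LogName=System\nType=Error\nMessage=Disk controller reset",
    "warning": "LogName=System\nType=Warning\nMessage=Time sync drift",
    "info": "LogName=Application\nType=Information\nMessage=Service started",
    "audit_success": "LogName=Security\nType=Audit Success\nMessage=Logon",
    "success_audit": "LogName=Security\nType=Success Audit\nMessage=Logon",
}


def route(event, transforms, default="indexQueue"):
    """Apply transforms in order; the last matching regex decides the queue."""
    queue = default
    for pattern, dest in transforms:
        if re.search(pattern, event):
            queue = dest
    return queue


def indexed(transforms):
    """Names of the sample events that would still reach the index."""
    return sorted(
        name for name, event in EVENTS.items()
        if route(event, transforms) == "indexQueue"
    )


if __name__ == "__main__":
    print("posted rule keeps:   ", indexed(POSTED))
    print("keep-only rule keeps:", indexed(KEEP_ONLY))
```

In this model the discard rule lets through every event its regex does not match literally, including informational events and audit events whose Type value is worded differently, while the keep-only pair indexes just the Error and Warning events.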

© 2012   Created by Michael Wilde.
