I believe you need to use the and filtercomp "&". Still learning myself, but might try: search=(&(CN=Patch*)&(OU=Wintel)) ... View more

Running 6.2 added the SEDCMD-shortern4624 = SEDCMD-shortern4624... to the /opt/splunk/etc/system/local/props.conf and it worked. Upgraded to 6.4 and it stopped working. In our case it was saving 4 GB/day. ... View more

I down voted this post because this deletes the event. What is needed is the ability to not index the comment. The comment on this event is not needed and just wastes the daily license. ... View more

Thanks for the reply and I will open a new question. ... View more

I keep seeing this or similar issues but have yet to find an answer. I have 2 ASAs forwarding their logs. I can search for one and find log data but the not the other one. I search thru metrics.log, license_usage.log, and splunkd.log. I find data about both of them in metrics and license, but only the one that works in splunkd.log. I find errors about events with no timestamp. And for both ASAs the license_usage.log file shows the same idx="xxxx" string. So I am confused as to why I can't find any events for the second ASA. ... View more

I have the same problem. Firewall on Splunk server is disabled, changed rp_filter to 0, I see the packets from both Cisco firewalls in tcpdump, but only see events from one firewall being indexed. ... View more