What search are you using to try to find the data? ... View more

You are correct. ... View more

The fillnull command does not support wildcards.  Try using foreach as a wrapper around fillnull. | foreach 20* [fillnull '<<FIELD>>' value="0.0"]   ... View more

The "no file found" message is excluded in the base search. index=mulesoft environment=* applicationName IN ("processor","api") message!="No files found for*" ... View more

I don't understand what is meant by "mvfind is not for interfacename".  The mvfind function can be used with any multi-value field (InterfaceName is multi-valued since it is created by the values function). The mvfind function can be used with multiple values in a regular expression.   | where isnotnull(mvfind(InterfaceName("ABC|ABCD|COP"))   ... View more

A Google search for "destructive configuration resync" finds this in Docs: https://docs.splunk.com/Documentation/Splunk/9.2.1/DistSearch/HowconfrepoworksinSHC#Why_a_recovering_member_might_need_to_resync_manually ... View more

The where command does not handle wildcards.  Instead, use the search command. The values function produces multi-value fields, which require special handling. Try  this query. index=mulesoft environment=* applicationName IN ("processor","api") message!="No files found for*" | stats values(content.InterfaceName) as InterfaceName values(content.Error) as error values(message) as message values(priority) as priority min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY applicationName,correlationId | where isnotnull(mvfind(InterfaceName, "Test")) | table Status InterfaceName applicationName Timestamp "Total Elapsed Time" FileList "SuccessFile/FailureFile" Response correlationId   ... View more

Please show exactly what you tried and tell how the results were not what was expected. ... View more

Either regex should work.  BTW, it's not necessary to escape the colons. Any change to props.conf only affects new data.  Config changes made in the UI take effect immediately; changes made to .conf files take effect after a restart. ... View more

The OS requirement is somewhat flexible to allow for OS upgrades, patches, etc.  In my mind, it means Linux vs Windows more than Ubuntu vs CentOS.  That said, every effort should be made to have the CM and indexers on the same release. You should have no problems adding the Ubuntu indexers to the cluster. ... View more

Clicking on the triangle should display explanatory text.  Share that text here if you need help understanding it. ... View more

The LINE_BREAKER setting requires a capture group.  The group is where events will be split.  Try this LINE_BREAKER = ()\w{3}\s\d\d:\d\d ... View more

Splunk Works apps are unsupported.  They're created by Splunk employees contributing to the community in an unofficial capacity.  If the app is not updated it could be because the author has moved on to a different project or may have left Splunk. ... View more

If the left side is a subset of the right side then the left side will be the result of a Left Join. ... View more

If you need to preserve the original field then you aren't renaming.  Use the eval function to create a new field based on the old one. | eval NewIDs = case(OriginalIDs="P1D", "Popcorn", OriginalIDs="B4D", "Banana", OriginalIDs="O5D", "Opp", 1==1, OriginalIDs)   ... View more

Splunk heavy forwarders (and indexers) send data to third-party services in syslog format only.  They do not (and cannot) listen to data on a search head (SHs do not have data). Place heavy forwarders in front of your indexers to route data both to the indexers and to ELK.  See https://docs.splunk.com/Documentation/Splunk/9.2.1/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system for more information. Be aware that this is a bit of a Science Project.  Splunk does not make it easy to switch to a competing product. ... View more

That looks like 4 different events rather than 3.  Please confirm. Please share the props.conf settings for that sourcetype. ... View more

1. The transfer time is governed by two factors: 1) the speed of the network; and 2) the maxKBps setting in limits.conf.  The latter defaults to 256KBps (approximately), but setting it zero disables the limit and makes the network the limiting factor. 2. The EPS rate is the data transmission rate divided by the size of the events.  Both of those numbers are unknown in this thread so EPS cannot be calculated. ... View more

There is no out-of-the-box query for that.  You have to combine a query that returns all saved searches with a query that pulls run times from the logs.  These searches should get you started. | rest /servicesNS/-/-/saved/searches index=_internal source=*scheduler.log component=SavedSplunker status=success   ... View more

If the app is installed on the SH, it will be replicated to the indexer UNLESS it is excluded from the bundle.  To exclude files from the bundle, add entries to the [replicationDenyList] stanza in distsearch.conf and restart the SH. [replicationDenyList] MSbin = E:\Splunk\etc\apps\TA-microsoft-graph-security-add-on-for-splunk\bin\* ... View more

Your first error is deploying Splunk on Windows.   See https://community.splunk.com/t5/Getting-Data-In/What-are-the-pain-points-with-deploying-your-Splunk-architecture/m-p/650011 Please elaborate on "the search head is not working".  What about it is not working?  An error on an indexer does not necessarily mean there's a problem with the SH. One workaround is to rename the TA so it resides in a directory with a shorter name (by at least 8 characters).  Of course, you will have to maintain that forever. ... View more

Please share the query. Please tell us what "not working" means.  What results do you get and how do those results not meet expectations? ... View more