Hi - Recently we have upgraded splunk to version 9.1.3 . Noticed that I can not not start the splunk using :   "./splunk start --accept-licnese = yes" , forcing my to use "systemctl start Splunkd" to start splunk   Could you please let me know how to pass --accept-license=yes with "systemctl start Splunkd"

I'm trying to create a workload management rule to prevent users from searching with "All Time". After researching, it seems that best practice would be to not run "All Time" searches as they produce long run times and use more memory/cpu. Are there any types of searches, users or otherwise exceptions that should be allowed to use "All Time"?

Q: Given a "timechart span=1m sep='-" last(foo) as foo last( bar) as bar by  hostname", how would I get a unique value of the bar-* fields? This has to be a standard problem, but I cannot find any writeup of solving it... Background: I'm processing Apache Impala logs for data specific to a query, server, and pool (i.e., cluster). The data arrives on multiple lines that are easily combined with a transaction and rex-ed out to get the values. Ignoring the per-query values, I end up with: | fields _time hostname reserved max_mem The next step is to summarize the reserved and max_mem by minute, taking the last value by hostname and summing the reserved values, extracting a single max_mem value. I can get the data by host using: | timechart span=1m sep="-" last( reserved ) as reserved last( max_mem ) as max_mem by hostname which gives me a set of reserved-* and max_mem-* fields. The reserved values can be summed with: | addtotals fieldname=reserved reserved-* Issue: The problem I'm having is getting the single unique value of max_mem back out of it. The syntax "| stats values( max_mem-* ) as max_mem" does not work, but gives the idea of what I'm trying to accomplish. I've tried variations on bin to group the values with stats to post-process them, but gotten nowhere. I get the funny feeling that there may be a way to "| addcols [ values( max_mem-* ) as max_mem " but that doesn't get me anywhere either. A slightly different approach would be leaving the individual reserved values as-is, finding some way to get the single max_mem value out of the timechart, and plotting it as an area chart using max_mem as a layover  (i.e., the addtotals can be skipped). In either case, I'm still stuck getting the unique value from max_mem-* as a single field for propagation with the reserved values. Aside: The input to this report is taken from the transaction list which includes memory estimates and SQL statements per query. I need that much for other purposes. The summary here of last reserved & max_mem per time unit is taken from the per-query events because the are the one place that the numbers are available.

I'm using script interface for custom REST endpoints, and it uses: from splunk.persistconn.application import PersistentServerConnectionApplication I understand it's a package inside splunk enterprise, but is there a chance it is uploaded to PyPI?

The Cisco Networks Add-on for Splunk Enterprise is licensed under Creative Commons. This license does not allow for commercial use...I have been unable to track down a way to "purchase" a license that would allow me to utilize this Add-on legally. Is there any chance someone can point me in the right direction?