All Posts

Unfortunately that’s true.
Hi, the screenshot was an example. I installed the official app "Mimecast for Splunk" with the app folder "TA-mimecast-for-splunk", and I created a custom app called "Mimecast for LiveSOC" with the app folder "TA-mimecast-for-livesoc". I need to know if the custom app name is correct to force the data to use the "sourcetype" configuration from the custom app and not the official app.
This was perfect, TY.   I updated /etc/security/limits with the appropriate values and all is working now.
I am in the same boat. Any update on the above request?
Hi @Ajit.kunjir, I wasn't able to find anything specific on how to do it, but from some Support tickets I read, it seems possible. I would recommend reaching out to our AppD Consultants for a quick session.  https://community.appdynamics.com/t5/Knowledge-Base/A-guide-to-AppDynamics-help-resources/ta-p/42353#call-a-consultant
This ended up working - not sure what was wrong before, I think the timestamps were off. But it's all there, thanks!
I'm a user of the free Community Edition. So I can't open support tickets, right?
I have a distributed environment with 2 independent search heads.  I run the same search on both, and one shows a field that the other does not.  I can't figure out why.  I can't find any data models that mention the index or sourcetype I'm searching.  Is there a way to show me if a data model is being used in my search? The logs are coming from an IBM i-series system using syslog through sc4s.
Attached log snippet
Hello, did anyone find a solution for this error? 
If you are a partner, you could ask for it from Partnerverse by email, or create a support case via its portal.
You can pin those to appear at the top of the list, but this is not the same as dragging those to the “correct” place.
Hello all, I have an app where, to perform an action, I can't insert the required parameter as a list, only as a string. This is a bit of an issue because I am using a data value from action results as the parameter to insert, for example: "my_App_action:action_result.data.*.device_id", and as far as I understand, the action_result.data collection is always an array, so I cannot directly use this returned action-results parameter as a parameter to insert into my action. The only workaround I found is to add a code block that gets the datapath parameter as input and outputs the value_name[0]. Is there a better workaround for this?
Please create a support ticket with Splunk.
In previous versions of Splunk (at least up to 9.1.0), we could re-arrange the Apps menu by dragging the apps up or down in the Launcher app.  Now that Launcher seems to have been rebuilt with Dashboard Studio that capability is no longer present.  Is there a new way for users to re-arrange their Apps menu?
You can get a free developer license at https://dev.splunk.com/enterprise/
What does the "1d@d" for span mean?
Hello, I'm looking to change our indexing architecture. We have dozens of AWS accounts. We use the Splunk AWS app to ingest the data from an SQS queue. Currently, we have a single SQS-based input type for each individual AWS account that grabs all the data and applies the index and a catch-all sourcetype named aws:logbucket. From there, we route the data to a more specific sourcetype based on the type of data. aws:logbucket will be changed to aws:cloudwatch:vpcflowlogs, aws:cloudtrail, aws:config, etc. This has worked well enough for us, but I now have a new requirement. For each of these AWS accounts, I want a separate index for the specific AWS service by AWS account, i.e. awsaccount1-vpcflow, awsaccount1-cloudtrail, awsaccount2-vpcflow, etc. We use S2, so storing aws:cloudtrail with aws:cloudwatch:vpcflow hurts the performance of aws:cloudtrail data. Searching for aws:cloudtrail data requires us to write back all aws:cloudwatch:vpcflow data back to disk. This has accounted for 120x more buckets required written to disk for aws:cloudtrail since it's stored with VPCFlow. Expanding these indexes to be more specific will have huge performance improvements for my Splunk environment. I would like to use a lookup table to match the source of the SQS-based S3 to specify the index and sourcetype. I am unable to do this using regex and FORMAT, since the bucket names and index names are not a 1-1 match, i.e. for s3://acc1/cloudtrail/..., I would like to have a lookup table that tells it to route to index account1 and sourcetype aws:cloudtrail; for s3://acc2/config/... I would like to have it route to index account2 and sourcetype aws:config. After that long summary... how do I technically implement this, and how will a lookup with ~300-400 different rows affect performance? Thank you, Nate
I worked with Sahil Sharma of Technical Support on this.  The answer was to update the add-on from 4.0.1 to 4.0.2.  That fixed the problem.
I am getting an error when installing the PHP agent on the RHEL server.  PHP version id: 7.4 PHP extensions directory: /usr/lib64/php/modules PHP ini directory: /etc/ PHP thread safety: NTS Controller Host: https:\/\/xxxxxxxx.saas.appdynamics.com\/controller\/ Controller Port: 8090 Application Name: WebApp Tier Name: DemoWebTier Node Name: DemoNode Account Name: xxxxxxxx Access Key: xxxxxxxx SSL Enabled: true HTTP Proxy Host: HTTP Proxy Port: HTTP Proxy User: HTTP Proxy Password File: TLS Version: TLSv1.2 [Error] Agent installation does not contain PHP extension for PHP 7.4 I was installing the agent using the shell script method. Please let me know if someone has faced a similar issue and how we can fix it. Thanks