Hi All, I am new to splunk clustering environment and i have few questions when i attend interview.Any one please help me on this question 1.Can we delete index folder ?will we have permission to delete the index folder Splunk\var\lib\splunk\TestDB. 2.Can we copy the Index folder and paste it in someother index folder will be able to search the logs? 3.Where can we install DB connect app and other apps in Search head cluster OR Indexer Server cluster? 4.What is the process name when we extract logs from props and transform.conf file? 5.Upgrade Splunk cluster enironment with simple steps? 6.What is the process of search head captain will do ? Thanks, Karthigeyan R

I have a splunk search that is returning the wrong results from a kvstore if the secondUID field is set to itself before doing the lookup. This is distilled from the actual search for simply showing the bug. Both secondUID  and uID should be represented as strings.  Does anybody know why  | eval secondUID=secondUID causes the lookup command to return the wrong results? When it is commented out the correct results are returned. The results are consistently the same wrong results when they are wrong and the errors are event count dependent. So for instance, if I switch the head command on line 4 from 4000 results up to 10000 results, the lookup wrong result rate goes from 4.3% to 11.83% given the lines I am passing in for this example. If I pass in a different set of events, the results would still be wrong and consistently the same results wrong, but not necessarily the same % of wrong results compared to the other starting events.  If you either comment out that eval on line 8 or do | eval secondUID=tostring(secondUID) then the correct results are returned from the lookup command. If you switch tostring() with tonumber() the number of wrong lookups goes up.  I don't think this is intended functionality because | eval secondUID=secondUID should not be changing the results IMO, and the % of errors depend on how many events are passed through the search. More events = higher % of errors. The string comparison functions in the wheres also show nothing should be changing.  | inputlookup kvstore_560k_lines_long max=10000 | stats dc(uID) as uID by secondUID | where uID=1 | head 4000 ```keep 4000 results with the 1=1 uID to secondUID relationship established``` | eval secondUIDArchive=secondUID ```save the initial value ``` | where match(secondUIDArchive, secondUID) and like(secondUIDArchive, secondUID) ```initial value is unchanged``` | eval secondUID=secondUID ```this line causes the search to return different results compared to when commented out``` | where match(secondUIDArchive, secondUID) and like(secondUIDArchive, secondUID) ```string comparison methods show they are the same still``` | lookup kvstore_560k_lines_long secondUID output uID ```output the first UID again where there should be a 1=1 relationship``` | table uID secondUID secondUIDArchive | stats count by uID ```the final output counts of uID vary based on whether the eval on line 8 is commented out.```        

Has anyone tried this add-on to pull the tfs commits into Splunk via Azure DevOps (Git Activity) - Technical Add-On. I tried installing this app on one of the heavy forwarder but inputs section of this add-on does not work.

I would like to predict memory ,cpu and storage usage of my splunk servers ( Indexers, search heads, )  step wise plan is to first do an analysis of current usage and then predict 6 months usage of my own splunk platform ( Like indexers , search  heads , heavy forwarders) 

Hello, I'm facing an issue with dashboards graphs. When checking the graphs from metric browser, all the data are showing fine. See below. But when we create an dashboard with same data, we see some gaps. See below. Could someone have an idea why this is happening?

I've been searching for awhile, but I haven't been able to find how to access an alert's description from within my add-on's alert action Python code. I'm using helper.get_events() to get the alert's triggered events and helper.settings to get the title of the alert. Both are from https://docs.splunk.com/Documentation/AddonBuilder/4.1.4/UserGuide/PythonHelperFunctions. That documentation page doesn't seem to list any way to pull an alert's description though. Does anyone know where it's stored/how to access it?

I am working on a playbook where there is a need to copy the current event's artifacts  into a separate open and existing case.  We are looking for a way to automate this through phantom.collect +  phantom.add_artifact or other means. We have a way to pass in the existing case id  and need a solution to duplicate atrifacts from running event into that case specified by case id.