Do you have a reverse proxy mapping (RPM) on top of the SearchHead node? It might be an error related to the configuration of this RPM.
tstats alone gives me an index column with proper index names (not _index), and then I have a values(host) column that has large listings of the hostnames that send to the related index.
This is an old post, so a known issue. I think folks using the ES app or using Splunk as a SIEM and almost any US Govt supplier will need most of that 'extra' info for any IT sec forensic analysis. Most all US Govt suppliers are subject to NIST now and CMMC coming in 2024. I would imagine HIPAA, SOX, GDPR, GLBA, and CCPA companies' systems will need that as well. It is noisy, but attacks are very often using non-standard ports to transfer information/data to/from an outside host like ICMP, SSH, and RDP, as most application-level IDS/IPS are looking at 80/443 inspection. For general SMB and Small Enterprise this is probably viable in some respects though.
Based on the search given, ycw will always have a value as it is derived from _time and every event has a _time. The second part is correct. I too noticed that and corrected the double quotes in the eval in my answer.
That will not show the source file lines surrounding the event. It will just change the time range. The base search will still apply and only show events with Error in them. You won't get the non-error lines before and after. Also, if the source and host are not specified in the base search you may get events from other sources and hosts.
When I come up on these kinds of situations I typically use a MutationObserver as opposed to setTimeout. With setTimeout you are just hoping the element exists when the JS is run. With the MutationObserver you can be certain your JS will not run until the element exists.
Interesting. I see _internal and non-internal indexes when I run it on one of my sandboxes. What do you see when you run the tstats query alone?
root@armor-index:/opt/splunk/etc/system/local# cat props.conf
[armor_json_02]
KV_MODE = json

root@armor-uf:/opt/splunkforwarder/etc/apps/armor/local# cat props.conf
[armor_json_02]
SHOULD_LINEMERGE = true
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
CHARSET = UTF-8
#INDEXED_EXTRACTIONS = json
KV_MODE = json
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = true
AUTO_KV_JSON = false

Let me test getting the same results.
In my results under the index column, all I get is "_internal".
Ah got it. Unfortunately, there is no way to get that kind of a chart with the built in visualizations.
This should do it. It just runs both queries and uses the stats command to regroup the results.

index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=if(isnull(hostname), sourceHost, hostname)
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf","lightwt fwder", fwdType=="full","heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename version as Ver
| dedup sourceIp
| append [ | tstats values(host) as sourceHost where index=* by index | mvexpand sourceHost ]
| stats values(*) as * by sourceHost
| table connectType, sourceIp, sourceHost, Ver, index
Just set KV_MODE=JSON on the SH (indexer) and remove the I_E from the forwarder.
This thread is almost a year old with an accepted solution. For a better chance at helpful responses, please post a new question.
Before I go ahead, correct me if I don't understand correctly. From the forwarder, props.conf > remove I_E and add KV_MODE = json, THEN from the indexer, create the same props.conf from above and keep KV_MODE = json, OR delete the one from the forwarder and keep the one from the SH (indexer)?
KV_MODE=JSON is the search-time setting; it should be on the SH. You can create a new one from the UI to test.
I have that sourcetype set up on the forwarder side. On the indexer/SH, I can't find that specific sourcetype. Should I have to have the props.conf on the indexer too? If you mean to update the props.conf to show as KV_MODE = JSON and disable the I_E, I've done it on the forwarder side already.

UPDATE: just found this:

* When 'INDEXED_EXTRACTIONS = JSON' for a particular source type, do not also set 'KV_MODE = json' for that source type. This causes the Splunk software to extract the JSON fields twice: once at index time, and again at search time.

Should I still not use IE?
You can go to the UI > Settings > Sourcetypes > armor_json_02 > update the KV_MODE=JSON after disabling the I_E
I have a bucket in fixup tasks in indexer cluster -> bucket status; it's been stuck. Both SF & RF. So, both SF and RF are not met in the indexer cluster. I tried to roll and resync the bucket manually; that didn't work. There're no buckets in excess buckets; I've cleared them more than 3 hrs ago. Is there any way to meet SF & RF without losing data or the bucket?

Forgot to mention, I had a /opt/cold drive that has an I/O error on an indexer. To get it fixed I had to stop Splunk and remove an indexer from the indexer cluster. All other indexers are up and running since last night. All 45 indexers in the cluster-master are up and running, and I left it to bucket fixup tasks to fix and also to rebalance overnight. When I checked in the morning there were only 2 fixup tasks left, one in SF & one in RF.
1)

/opt/splunkforwarder/etc/apps/armor/local/props.conf [armor_json_02]
/opt/splunkforwarder/etc/apps/armor/local/props.conf AUTO_KV_JSON = false
/opt/splunkforwarder/etc/apps/armor/local/props.conf CHARSET = UTF-8
/opt/splunkforwarder/etc/apps/armor/local/props.conf INDEXED_EXTRACTIONS = json
/opt/splunkforwarder/etc/apps/armor/local/props.conf KV_MODE = none
/opt/splunkforwarder/etc/apps/armor/local/props.conf LINE_BREAKER = ([\r\n]+)
/opt/splunkforwarder/etc/apps/armor/local/props.conf NO_BINARY_CHECK = true
/opt/splunkforwarder/etc/apps/armor/local/props.conf SHOULD_LINEMERGE = true
/opt/splunkforwarder/etc/apps/armor/local/props.conf category = Structured
/opt/splunkforwarder/etc/apps/armor/local/props.conf description = JavaScript Object Notation format. For more information, visit http://json.org/
/opt/splunkforwarder/etc/apps/armor/local/props.conf disabled = false
/opt/splunkforwarder/etc/apps/armor/local/props.conf pulldown_type = true

2) I'll try using KV_MODE for JSON instead of I_E now.
We're using this query to retrieve metrics on our hosts:

index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=if(isnull(hostname), sourceHost, hostname)
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf","lightwt fwder", fwdType=="full","heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename version as Ver
| dedup sourceIp
| table connectType, sourceIp, sourceHost, Ver

This gives us everything we need, except for what indexes these hosts are sending data to. I'm aware of this query to retrieve the indexes and the hosts that are sending data to them:

| tstats values(host) where index=* by index

How can I combine the two, either with a join or a subsearch, so that in the table output we have a column for index, which would give us a list of indexes the hosts are sending to?