Hi All,  is there a way to query the API just to return custom metrics that have been setup in an application/tier/node? Use Case: We would like to know how many custom metrics have been created per Application and understand if this metric is actually useful and being used. Having 100,000's of custom metrics sitting on the controller is not good practice I would imagine. We are using a SaaS controller.  Thanks if anybody has an answer or suggestion.

I am trying to enable Server Certificate Hostname Validation in the server.conf file and I literally cut and pasted the command  sslVerifyServerName = true # turns on TLS certificate host name validation from the Splunk documentation and when I restart Splunk on this on prem deployment server it says : WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.   now I get the CLI command is cliVerifyServerName instead of sslVerifyServerName, but I even tried having both lines there and it still does not like it I have issued an Enterprise web certificate to this server, it is still valid for two years, so I am at a total loss here please help  

Hello,  I have several events in the _raw field that add a unique identification number. I would like to replace these with something standard to aggregate counts on.  Example Data: fi/transaction/card/purchase/tx_2994882028948/refund fi/transaction/card/purchase/tx_3920496893002/void fi/transaction/card/purchase/tx_2930540482198/refund   I'd like these all to read:  fi/transaction/card/purchase/trans/refund fi/transaction/card/purchase/trans/void fi/transaction/card/purchase/trans/refund   So replace the unique identifier, but maintain the verbiage at the end.  I've tried a few of the other methods noted in other threads, but to no avail. Some don't work at all, some run, but don't replace the values. Thanks!!

Hi all. I want to create an alert for hosts file modification. Found the build in one here on the forums but I would like to add a filter that can read inside the file and when it's being modified by Docker, it would ignore and won't activate the alert.   Appreciate the assistance!

I uploaded a new version of my app to splunkbase.  It passed validation, and I was able to update successfully from my splunk enterprise test instance.  However, my splunk **cloud** instance is not detecting the new version and offering to update.  It did pull the new version if I uninstalled and reinstalled the app, it just isn't detecting it as an update from the older version to the latest version.  The is a problem since my current customers aren't receiving this bugfix release.  Any help is appreciated.

Hi, For testing purposes, we are trying to use the Logstash client command line to send data to a Splunk server instance. The client configuration is the following (based on the steps found in https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Data/UsetheHTTPEventCollector) and it uses an HTTP Event Collector token:   input {       stdin       {             codec => json       } }   output {       http       {             format => "json"             http_method => "post"             url => "https://prd-p-kz4cj.splunkcloud.com:8088/services/collector/raw"             headers => ["Authorization", "Splunk 26c964a2-c1e8-46e8-96ca-679d3b7542bd"]       }              stdout       {       } }     However, it fails with the following error:   [ERROR] 2022-07-01 14:28:12.794 [[main]>worker5] http - Could not fetch URL {:url=>"https://prd-p-kz4cj.splunkcloud.com:8088/services/collector/raw", :method=>:post, :message=>"Connect to prd-p-kz4cj.splunkcloud.com:8088 [prd-p-kz4cj.splunkcloud.com/54.167.42.214] failed: connect timed out", :class=>Manticore::ConnectTimeout, :will_retry=>true}   And updating the url above to https://prd-p-kz4cj.splunkcloud.com/en-US:8088/services/collector/raw produces a different error:   [ERROR] 2022-07-01 14:34:26.702 [[main]>worker4] http - Encountered non-2xx HTTP code 404 {:response_code=>404, :url=>"https://prd-p-kz4cj.splunkcloud.com/en-US:8088/services/collector/raw", :event=>#<LogStash::Event:0x199312cb>}     Also, we have noticed that a ping to the Splunk server instance does not return a reply:   ping prd-p-kz4cj.splunkcloud.com PING prd-p-kz4cj.splunkcloud.com (54.167.42.214) 56(84) bytes of data.     Could it be that a server configuration setting is missing? Kind regards,       Moacir Silva

Let's say we have bunch of frozen bucket files (db_<newest_time>_<oldest_time>_<localid>) on filesystem. How do we we find out which indexes these frozen buckets belong to? I looked into the files, some are text files which don't seem to have strings or fields that could tell which index it is.

Hello, I have an index that looks like that :     Server Month Number of connexions --------------------------------------- A January 10 B January 12 C January 7 A February 5 B February C February 0     Let's say I sum the Number of connexions by Month, is there a way to raise an alert if a value is missing (here Server B in February) ?

Hi,  How can i delete the data in index after every one week? I came across Splunk answers and documents it is mentioned that we cannot completey clear index data as it depends on two attributes maxTotalDataSizeMB and frozenTimePeriodInSecs . I am confused So i am using this index data in dashboard and basically i don't want to show the old data(P.s dealing with millions of user data so sorting/deduping is not an option).Now every week new data comes to the index so when it happens i have to clear the old data existing in my index . Irrespective of whether index has reached max default size or Frozen time period or maxHotSpanSecs  has reached its value how can i set the attributes in the index so that index data is empty every week? Thanks!

Hello,   I am getting error below when trying to search the data in Splunk SearchHead: ERROR SearchScheduler - The maximum number of concurrent historical searches for this user based on their role quota has been reached I tried to change the parameters as below scheduler max_searches_per_cpu from 25 to 50 search max_searches_per_cpu from 6 to 10 But too seems not working and even generating high LOAD. Could you please suggest how I can fix this issue? I am using Splunk Enterprise 8.0.5 version (I know its out of date  but still need help to figure out issue to plan upgrade)

Hi all, I have a set of data and i used stats(max) to get the maximum task number of every group. But the maximum number are not proper for most of the groups. I used the following query, | stats max(task_no) as "Latest Task " by group Can anyone tell is there anything should i add to get the maximum value?