Hello, I recently upgraded our deployer/deployment server from 8.1.6 to version 9.0 and when I try to push configuration to our search head cluster i get an error that I have not seen before: [splunk@aa130XXXXX bin]$ ./splunk apply shcluster-bundle -target https://aa130XXXXX:8089  Warning: Depending on the configuration changes being pushed, this command might initiate a rolling restart of the cluster members.  Please refer to the documentation for the details. Do you wish to continue? [y/n]: y WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details. Your session is invalid.  Please login. Splunk username: XXXXX Password:  Error in pre-deploy check, uri=https://aa130XXXXX:8089/services/shcluster/captain/kvstore-upgrade/status, status=401, error=No error Our search head cluster is still on version 8.1.6 Thanks!

We recently rebuilt a server which had splunk UF installed. After the rebuild, the IP remained same but hostname changed. When we reinstalled the UF, pointed to the Deployment Server and added the Deployment Client to the serverclass, none of the apps were able to be downloaded due to checksum mismatch error. I tried everything from removing the DC from the serverclass and disabling the deploymentclient config on the DC and even reinstalled the UF but still nothing changed. Deployment server version - 7.3.6 Deployment client - 9.0 can someone please help fix this issue ?

Hi Community, I'm using Splunk Java SDK in my application, this version to be exact:   implementation group: 'com.splunk', name: 'splunk', version: '1.6.5.0'   In the app, I'm trying to get some stats on a metric from Splunk logs.  Here's the native search command in Splunk   `myapp` "Message of interest" | eventstats min(metricOfInterest) as ft_min max(metricOfInterest) as ft_max avg(metricOfInterest) as ft_avg stdev(metricOfInterest) as ft_stdev | fields ft_min, ft_max, ft_avg, ft_stdev   So this query would return a bunch of events and 4 additional fields  ft_min, ft_max, ft_avg, ft_stdev for each event. For the sake of the conversation, let's say there's 200 events matched the search. In my app, the `SplunkResponse` contains 200 Map<String, Object>, each map represents an event. What I want is a single entry that contains only `ft_min, ft_max, ft_avg, ft_stdev`. Right now, I can extract it from an event (among those 200),  but having all events is too verbose and unnecessary.  Is this achievable by twisting the query or using a particular SDK API ? Thanks, Tuan  

I have garbage collection event data in splunk. Below example line: 2022-06-26T21:47:53.142+0000: 8888.588: Total time for which process threads were stopped: 0.0015059 seconds, Stopping threads took: 0.0002620 seconds 2022-06-28T23: 2022-06-26T22:47:57.142+0000: 66666.588: Total time for which process threads were stopped: 0.0015059 seconds, Stopping threads took: 0.0002620 seconds 2022-06-28T23: I have to create splunk alert that parses this Java garbage collected data ingested in Splunk and send alert  when the value in the above highlighted log line for seconds highlighted in red is greater than certain threshold. I used splunk to create regex to extract the data (e.g. stopped: 0.0015059 seconds) as new filed.  I choose  auto regex as stopped: 0.0067871 seconds  The regex which was generated is ^(?:[^ \n]* ){9}(?P<pause>[^,]+) When I use the where condition -->pause > 0, no event data is returned. Any idea how to manipulate number inside extracted new field such as above? ...|rex field=_raw ^(?:[^ \n]* ){9}(?P<pause>[^,]+)|where pause > 0 Thanks

We have many Cisco Meraki devices sending data via syslog to Splunk. Is there an add-on for the Cisco Meraki devices, to extract the fields from the events. One more thing. do the Meraki devices support json? 

I want my search to consider a 5 minute timeframe. I have a stats with a bin for a span of 5 minutes but when running it sometimes it is split into two 5 minutes intervals. I want it to only consider 1 interval of 5 minutes. So right now I would snap to say 1:00-1:05 and 1:05-1:10. I would like it to just do something like 1:03-1:08; really whatever time it runs on I want that 5 minute span to be treated as one result set.  

My UF-HF-Indexers is working great however I need to add a HF-HF-Indexer as well The first HF sends to other HF but is not indexed and the UF attached to HF1 is not showing up at all    is there something different you have to do for a HF-HF-INDEXER than a UF-HF-INDEXER 

I'm using Splunk Python SDK to download a search result as a CSV file. The output file contains a header row if the search returns one or more events. When there is no events from search, the CSV file generated is empty, without hearder row. As a requirement, I need all generated CSV files to contain at least the header row even though the search does not return any events.  

Hi, I have mail server logs where each mail has the MID number as identifier (for that mailserver =host, for that day) MID 1234567 From:  someone1@domain.do MID 1234567 To: someone3@gmail.com MID 1234567 Subject: ... MID 1234567 ....  I'm trying to find the To with the subsearch and extract the host and MID values.  For using MID only it working perfectly, however it is not fail safe (it might happen that more than one mail server might have the exact same MID on the same day)   index="mail" "MID" [search index="mail" "MID" ("someone1@domain.do" OR "someone2@othdomain.nu")|rex "MID (?<MID>\d+)"|dedup MID|fields + MID|rename MID as query]   This works perfectly. Now I wanted to add the host variable for get string pairs to search for. Important that I want the result as string without variable names: This is what I've tried:    index="mail" "MID" [search index="mail" "MID" ("someone1@domain.do" OR "someone2@othdomain.nu")|rex "MID (?<MID>\d+)"|dedup host MID|fields host MID|format "(" "(" "AND" ")" "OR" ")"|rename output as query]   EDIT/REMARK: I've tried to combine the "host" and "MID" variables into "output" in some way, but it just did not work. that is the reason for this non-functioning rename at the end..  However seems the variable names are there. Could you please help how to remove both variable names or at least for the "MID" ? (Interested in both solution, but any good solution is perefectly fine) EDIT1: Checking the inner search result, because the whole search just not working due to this problem. EDIT2: Have tried to parse the whole output line to variable then replace with either "rex mode=sed" or with "replace" in two way, however seems I can't get the formatted output to variable anymore. (this is the inner query only)   index="mail" "MID" [search index="mail" "MID" ("someone1@domain.do" OR "someone2@othdomain.nu")|rex "MID (?<MID>\d+)"|dedup host MID|fields host MID|format "(" "(" "AND" ")" "OR" ")"|rex "^(?<output>.*$)"|eval output=replace(output,"MID=","") |rename output as query    

I was working in the MLTK, very new to it and exploring. I was working to establish a few searches where I will fit a algorithm and then apply it to identify if any values out of a set boundary and then alert on that. I have two question from this.   Is this a valid use case or not so much? I have a predicted value after my fit but, its too close to my actual values so I was thinking of doing something like(+ or - depending on need): eval bound = (predictedavg - (stdev * 3))  Would it be more beneficial to calculate this in the fit search or when applying the model?