Hi As you can see, I use a first eval in order to rename the field "site" From the site renamed, I need to create a new field called "toto" in order to add new information for the field site. So I create an eval if command like below but it doesn't work. What is wrong please and is there another simple way to do this?   | eval site=case(site=="BR", "Espace Br", site=="PERI THEATRE", "Espace Périg", 1==1,site) | stats last(site) as "Espace BP" by s | eval toto=if("Espace BP"=="Espace Br", "4G") | table "Espace BPE" toto    

Hello, I am trying to find a native solution in order to monitor the execution of a Phantom Playbook. In case one of the actions fail, or a specific message/data is returned by a custom function, does anyone a possibility to make a general/native configuration, so that an admin will receive an instant email message with the error/playbook that ran/ etc? I am aware of the api 'error' and 'discontinue' methods, but it will mean to add this kind of checks at each step of the playbook ... Greatly appreciate your ideas!

Hi Community, I have a really strange issue and I'm wondering if this is not affecting quite everyone who is installing Splunkbase apps: It happens even on a clean and freshly started Splunk:   docker run -ti --rm -e SPLUNK_START_ARGS="--accept-license" -e SPLUNK_PASSWORD="<redacted>" -p 8000:8000 splunk/splunk:latest   When I log in and want to install an App from Splunkbase: Manage Apps -> Browse more apps -> Select ANY App -> Login to Splunkbase, Agree and Install I get the error message:   Invalid app contents: archive contains more than one immediate subdirectory: and timeline_app   As I said this happens with any app. Downloading the file from Splunkbase and installing it either in the UI or the command line yields the same error. Do you have any idea? Can you reproduce this behaviour? I don't know what could be special on my configuration.

Hello, In our environment we are dealing with hundreds of GB/day of logs coming from Firewalls. Despite having already fixed some noisy sources we are in difficulty to reduce the load. I was wondering if any of you have already tackled this problem. Our configuration is:     FW --> Load Balancer --> Syslog servers --> file --> Splunk HFs --> Splunk Indexer     The Splunk HFs are installed on the same servers where the syslog service is running. Syslog receives the data from Firewalls, write them into a file, then Splunk HF monitor those files. The idea is to use a component that every "n" minutes consolidate/summarize the information written into the file by the syslog server and produce an output with a summary. The summarized file is then read by Splunk HF.     FW --> Load Balancer --> Syslog servers --> file --> Summarization tool --> summarized file --> Splunk HFs --> Splunk Indexer     I can write a script for this use case, but do you know if there is already a tool that can do the job? I was checking logwatch, maybe you have a better suggestion.   Thansk a lot, Edoardo

How to disable deployment server temporarily ? After disable the DS temporarily, will the apps be deleted from client ? will there be any issues with the functionality  after enabling the DS ? and can we again push the apps normally after re-enabling the DS ?