Hi Splunk Community, I am having a problem with saved searches not saving the full results. I have a saved search that is supposed to be saving ~100k results. When I go to the saved searches tab and manually click run, it saves all 100k results. When it runs on its schedule, it only saves 50k.  Is there a setting I need to change in order for it to save all results? Thanks in advance!

I'm trying to do a little testing of our Splunk installation and I am looking at the Python SDK examples.  I've run the inputs.py script hoping it would get me a list of all the inputs defined in our inputs.conf but it only seems to return a small subset.  I don't see any logic as to why it is returning the subset it does.  I get about 30 records back from inputs.py. I expect well over 100.   Running "splunk btool inputs list" gives me the set I expect, but I don't want to have to run this locally.   Is there any rules or restrictions to the Python SDK API to get the list of inputs?  Maybe some options missing in the sample to get the defined inputs list? Thanks Rob. 

In our environment (Phantom version 4.10.3.x), the HEC (HTTP Event Collector) server name that is used as an "Indexer Host" (i.e. Phantom UI field label for the HEC server for a "Distributed Splunk Enterprise Deployment" ) was changed recently. The new server name was entered into the "Indexer Host" field, "Test Connection" was successful, and "reindex" was successful. However later it was noticed that no new event data was being ingested into the Splunk Enterprise phantom* indexes. The resolution was to restart Phantom and "reindex " again for the missing events in the phantom* indexes. It is suspected that the "process" for ingesting new events into the phantom* indexes is not updated with the changes to the  "Indexer Host" field until Phantom is restarted; however, the "processes" for "Test Connection" and "reindex" appeared to work without a Phantom restart. No references that a Phantom restart is required was found in the online documentation. Does anyone have more on this issue/bug/phenomenon and/or has anyone else experienced this issue/bug/phenomenon? 

I have a master dashboard with many icons that have drilldown settings enabled to open another dashboard in another tab. Recently, it has started this weird behavior of opening 2 tabs of the icon url I click on instead of one. My exact settings are > Drilldown settings / On click link to custom url / the url I have in is correct and opens the right url that I want / and the box is checked for Open in a new Tab. I am not doing any user error like clicking too many times. This issue occurs when opening any drilldown link and the master dashboard historically did work properly by only opening one tab of the new dashboard search. Has anyone seen this before? It is a Splunk Enterprise instance and I am looking at the dashboard from a Mac.  Note: This is an issue because the drilldown url is another dashboard - its loading the same dashboard twice so when I click around it uses a lot of resources loading many dashboards unnecessarily. 

This is the log i am getting in splunk msg: 2022-01-22 03:00:00.143 INFO 15 --- [ scheduling-1PurgeProcessCountTask : engine:Engine12 Cleanable Process Instance Count {"exception_management_workflow":{"finishedCount":6621,"cleanableCount":1113}}   i want output like Engine                              finishedProcessInstanceCount Engine12                              6621     Could you please help me on that, i am trying below query but not working index=abc cf_app_name="DEV" |rex field=_raw "engine.(?<pam>.........) ,finishedProcessInstanceCount...(?<sam>..\d+)" | table pam, sam  

I have multiple dropdowns with numerous (some 40+) selections per dropdown. What I would like to do is create a "Common KPI" dropdown with 3 choices to drive selections in the other dropdowns. I can make this work for a single value but not when there are multi-select values.   For example:  Common KPI dropdown - Choice "1" would select the following:  Dropdown 2 selections: Apple, Banana  Dropdown 3 selection: Golf   Common KPI dropdown - Choice "2" would select the following:  Dropdown 2 selection: Charlie Dropdown 3 selections: Echo, Foxtrot, Hotel         <fieldset submitButton="false"> <input type="dropdown" searchWhenChanged="true"> <label>Dropdown 1</label> <choice value="1">1</choice> <choice value="2">2</choice> <default></default> </input> <input type="multiselect" searchWhenChanged="true" token="bar"> <label>Dropdown 2</label> <choice value="a">Alpha</choice> <choice value="b">Bravo</choice> <choice value="c">Charlie</choice> <choice value="d">Delta</choice> <default></default> </input> <input type="multiselect" searchWhenChanged="true" token="foo"> <label>Dropdown 3</label> <choice value="e">Echo</choice> <choice value="f">Foxtrot</choice> <choice value="g">Golf</choice> <choice value="h">Hotel</choice> </input> </fieldset>    

Hello,   I have a not ideal log, looking like this, for example: "field1=value1"  "field2=val ue 2" "field3=value3"   And I want to exlude the key-value pairs at index time. Combinations like the first kv-pair is not problem. The second value however is a problem. With my extraction I can only get the "val" part, and the extraction stops at the whitespace.   My rule in transforms.conf looks like this:     [example] REGEX = (?<_KEY_1>([^=\"]+)=(?<_VAL_1>([^=\"]+)       To clarify, my results in splunk are looking like this: field1 = value1 field2 = val field3 = value3   I am not sure what I am missing.

Need to pass the result of query1 to as a input string for the second query. For the First query i'm getting output(x-corelation id) as a filed, that output field(x-corelation id) as a input for the second query to get errors. Attached both queries below, Please find the attachments and help me out with the requirement.  query 1:-  index=cloud_ecp sourcetype="prod-ecp-aks-cluster-logs" "bookAppointmentRequest" | fields data.req.headers.xcorrelationid   query 2 :-  index=cloud_ecp sourcetype="prod-ecp-aks-cluster-logs" <co-relationid of query1> "Error"   Note :- the co-relationid's are more than one, need to loop all those id's if any.

Hi all, so, on my es-security search head, this sourcetype is incorrectly parsing the user field. It is capturing all users correctly, but it's also capturing random stuff from the same log types where a username isn't present. I tried messing with the props.conf and transforms.conf but nothing seems to do anything. Does anyone have a good idea where to start? I tried to make a fresh field extraction also for just user field, but it made no difference. 

I'm having a list of serve down and need to notify once its back to normal (up),  This is the requirement, once the server is up, no need to consider the same server further, because its already up , need to check the remaining. Eg.., There are servers A,B,C,D and E are down, which will be there in lookup, Need to check those server every minute and notify once its up, if server A,B is up after some time,  then it should trigger an alert, already server A,B is up, and after next alert, server A,B should not be considered, only remaining servers like C,D and E should be considered further, Then it check and trigger alert when C, D and E or either one is up. index=linux sourcetype=df | lookup Hobbit_threshold_data host mount outputnew l_threshold as lower_value h_threshold as higher_value condition as Condition | where ((PercentUsedSpace >= lower_value) AND (PercentUsedSpace<higher_value)) | where Condition!="no" | eval hostname=mvindex(split(host,"."),0) [ | inputlookup Hobbit_Disk_Space_Warning.csv | fields host ] | stats host=lower(host) | stats count BY host | append [ | inputlookup KCI_Hobbit_Disk_Space_Warning.csv | eval host=lower(host), count=0 | fields host count ] | stats sum(count) AS total BY host | eval status=if(total=0,"Down","Up") (Bolded query part gives you server down list host) I just modified as per the query given by you,  It does not meet the requirement.

Hi, I am unable to log in to the SAAS platform using the trial account which I created today. below are the details I received the welcome details.  Account Name: [Redacted] Username: [Redacted] I think there is some option like local login if we click that we are getting this issue. please help resolve this issue at the earliest. ^ Post edited by @Ryan.Paredez please do not share your account name or email address on Community posts for security and privacy reasons.

Hi All, Need your support in resolving an issue in a pie chart. I can see the below-mentioned results in statistics and pie chat while running in a separate search window.  When adding the same pie chart to dashboard panel. Failed filed is missing in pie chart.  We have tried charting.chart.sliceCollapsingThreshold with 0 also. No luck. While dashboard is loading we can able to see the field Failed. But not able see it after job completes.   Please provide you inputs. Thanks in Advance  

Good morning, I have an app that is currently deployed in several servers via deployment manager. Recently we install a new server and I add it to a specific server class in order to receive a small app. For some reason, the app does not get deployed but others server classes do get deployed. The error in the splunkd.log file is the following 06-20-2022 12:08:43.952 +0200 INFO DeployedApplication [7180 HttpClientPollingThread_37C53C58-43DD-4D11-87C4-6C43DC08B1BB] - Checksum mismatch 0 <> 6534619572757127978 for app=Splunk_TA_windows - Process terminated. Will reload from='splunk.xxx.yyy.zzz:8089/services/streams/deployment?name=default:Process%20Termination:Splunk_TA_windows%20-%20Process%20terminated' 06-20-2022 12:08:44.154 +0200 ERROR HttpClientRequest [7180 HttpClientPollingThread_37C53C58-43DD-4D11-87C4-6C43DC08B1BB] - HTTP client error=Connection closed by peer while accessing server=https://splunk.xxx.yyy.zzz:8089 for request=https://splunk.xxx.yyy.zzz:8089/services/streams/deployment?name=default:Process%20Termination:Splunk_TA_windows%20-%20Process%20terminated. 06-20-2022 12:08:44.154 +0200 WARN HTTPClient [7180 HttpClientPollingThread_37C53C58-43DD-4D11-87C4-6C43DC08B1BB] - Download of file C:\Program Files\SplunkUniversalForwarder\var\run\Process Termination\Splunk_TA_windows - Process terminated-1655717532.bundle failed with status 502 06-20-2022 12:08:44.154 +0200 WARN DeployedApplication [7180 HttpClientPollingThread_37C53C58-43DD-4D11-87C4-6C43DC08B1BB] - Problem downloading from uri=splunk.xxx.yyy.zzz:8089 to path='/services/streams/deployment?name=default:Process%20Termination:Splunk_TA_windows%20-%20Process%20terminated' 06-20-2022 12:08:44.155 +0200 ERROR DeployedServerclass [7180 HttpClientPollingThread_37C53C58-43DD-4D11-87C4-6C43DC08B1BB] - name=Process Termination Failed to download app=Splunk_TA_windows - Process terminated 06-20-2022 12:08:44.174 +0200 WARN DC:DeploymentClient [7180 HttpClientPollingThread_37C53C58-43DD-4D11-87C4-6C43DC08B1BB] - Restarting Splunkd... could someone tell me what is happening? the same app is already deployed in other servers without any issue. thanks