Hello.  I know there have been a few posts on this topic, but I've been messing with it most of the day and the other posts weren't able to help me reach a solution.  Hoping someone can provide some guidance. I'm looking to pull some aggregate information out of Splunk via API requests but wanted to pre-build the data set using a scheduled report in Splunk so that the API request will return faster just pulling the results of the last run vs running the search itself before returning results. In the UI I've created a report named test.  I've tried a few different schedules and it ran twice earlier today, but at the moment I have it on the cron schedule of 0 1 * * 4 (1 on Thursdays). Via the API I can fetch the saved report named test like this:   https://SPLUNKURL:8089/services/scheduled/views/test   but no matter what schedule I set or modify in the UI, the results always show    cron_schedule 0 6 * * 1 is_scheduled 0   with the same results when requesting   https://SPLUNKURL:8089/servicesNS/APP/search/scheduled/views/_ScheduledView__test   and when I try   https://SPLUNKURL:8089/services/scheduled/views/test/history   I simply receive    <response> <messages> <msg type="ERROR">Cannot find saved search with name '_ScheduledView__test'.</msg> </messages> </response>   even though I know it ran twice in the last day and I can see the results in the UI.  Similarly, I tried updating the schedule via the API with   curl -u user:password --request POST 'https://SPLUNKURL:8089/services/scheduled/views/test/reschedule/' --data schedule_time=2022-03-03T04:00:01Z   and I get the same result   <response> <messages> <msg type="ERROR">Cannot find saved search with name '_ScheduledView__test'.</msg> </messages> </response>    Am I missing something?  I see the scheduled view and it's scheduled in the UI but I can't figure out any way to see or access the schedule or history via the API.  Hoping someone can shed some light on things as it's not making sense to me at the moment.  Also if it's helpful I checked and I believe our Splunk server version is 6.6.7

I have configured Heavy Forwarder to collect and forward syslog data to our Splunk Indexers. We purposely don't wish to use syslog server for the log collection due to other reasons. Now we also have a requirement to forward the syslog data to Azure log analytics. Unfortunately, with log analytics, we must use log analytics agent (which is very similar to Splunk UF) to collect logs locally on the HF and forward to log analytics. I haven't found a way to forward logs from HF to log analytics directly.  Hence, just wondering if someone can advise if its possible to configure HF to write logs locally, just exactly how syslog does (like rsyslog) ?

New to splunk and been struggling manipulating search results into a final result that I am looking for. In powershell where I'm familiar, I would just use a series of variables and return a final result set. I am trying to accomplish the below. (each target_name has multiple disk_group) 1) i need to find the latest Usable_Free_GB for each disk_group in each target_name and sum them 2) i need to find the latest Usable_Total_GB for each disk_group in each target_name and sum them I can get #1 and #2 in different searches, but am struggling to get them together to return a result set like this: Target_Name UsableSpaceFree TotalUsableSpace Target_Name1 123 456 Target_Name2 234 567   This is the closest I can get. But I need to only have 2 rows returned with all three fields populated    Once I can get the result set grouped by Target_Name, I then need to use eval to create a new field like the below using the values from #1 and #2   eval percent_free=round((UsableSpaceFree/TotalUsableSpace)*100,2)   Target_Name UsableSpaceFree TotalUsableSpace percent_free Target_Name1 123 456 ? Target_Name2 234 567 ?  

I have a script that sends effectively yum outputs to receivers/simple.  props.conf says [yumstuff] DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Miscellaneous pulldown_type = 1 I expect the each post to be one event.  But some posts get broken into multiple events for unknown reasons.  My guess is that those posts are longer, although I couldn't find any applicable limit in limits.conf.  The broken ones are not all that long to start.  I examined one that was broken into three "events ".  Combined, they have 18543 chars, 271 lines.  The closest attribute in limits.conf I can find is maxchars, but that's for [kv] only, and the limit is already high: [kv] indexed_kv_limit = 1000 maxchars = 40960 The way it is broken also confuses me.  My post begins with a timestamp, followed by some bookkeeping kv pairs, then yum output.  If this breakage is caused by limits, I would expect the event containing the first part to be the biggest, to the extent it exceeds that limit.  But in general, the "event" corresponding to the end of the post is the biggest; even stranger, the middle "event" generally is extremely small containing only one line.  In the post I examined, for example, the first "event" contained 6710 chars, the second, 71 chars, the last, 11762 chars.  The breaking points are not special, either.  For example, 2022-02-09T19:51:28+00:00 ... ... ---> Package iwl6000g2b-firmware.noarch 0:18.168.6.1-79.el7 will be updated ---> Package iwl6000g2b-firmware.noarch 0:18.168.6.1-80.el7_9 will be an update <break> ---> Package iwl6050-firmware.noarch 0:41.28.5.1-79.el7 will be updated <break> ---> Package iwl6050-firmware.noarch 0:41.28.5.1-80.el7_9 will be an update ---> Package iwl7260-firmware.noarch 0:25.30.13.0-79.el7 will be updated ...   Where should I look?