Hello, I'm experiencing some issues on my Search Heads. I'm getting this error on the search heads: The searchhead is unable to update the peer information. Error = 'Unable to reach the cluster manager' for manager=https://hostname-cm1:8089. Could anyone recommend any fix or workaround?

Ehh, I have an annoying case. I'm monitoring a file over windows share (to make things even worse to troubleshoot is that I don't have direct access to the share from my administrative user; only the domain user the UF is running with has access). The file is a CSV, it's getting properly split into fields, the date is getting parsed OK. I have transforms for removing the header (and a footer - this file has some footer as well). And this works mostly well. Mostly, because every time there is data added to the file, the file is apparently getting recreated from scratch - new data is inserted before footer and I'm getting entries like 02-15-2022 10:55:23.008 +0100 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='\\path\to\the\file' Luckily, for now the file is relatively small (some 3k lines) and doesn't eat up much license compared to this customer's other sources but it's annoying that the same events are getting ingested several times during the day. The problem is that I don't see any reasonable way to avoid it. There is no deduplication functionality on input, I don't have any "buffer" I could compare it with using ingest-time eval or something like that. Any aces up your sleeves?

I am using the nginx app to ship nginx logs to Splunk, everything works well but intermittently I see a single event consisting of multiple nginx access loglines.  Nginx app itself has an EventBreaker=enabled and Eventbreaker=regex. (This doesn't work 10-20% of the time). Can someone please help or am I missing something? My inputs.conf : [monitor:///var/log/nginx-access.log] index = artifactory disabled = false source = nginx-access sourcetype = nginx:plus:kv [monitor:///var/log/nginx-error.log] disabled = false sourcetype = nginx:plus:error index = artifactory source = nginx-error. Nginx app has already created props.conf at Search head cluster.

Hi All, I have one dashboard with multiple panels and its taking too much of time to load. I am trying to implement base search and sub search. I have one doubt in implementing it. I have the queries with common until index,sourcetype and source....but i need to differentiate in one code assume its transaction id...and all the remaining query seems same. For ex: index=xyz  sourcetype="dtc:hsj" tcode="1324"  ----->for few queries index=xyz  sourcetype="dtc:hsj" tcode="1324"  OR tcode="234" ------>for few queries And the remaining part is same for all the queries..Is there a way that can i configure tcode in basesearch and used the same in subsearch Thanks in Advance

Hi, I have a column chart that shows 1 field, but filters by others. I want the columns to be different for each value of a specific selection field in the input, but I can not set for each value its color in the first place because I have something like 950 values (maybe more). So if the user chooses to look at 3 values in the filter, he will see each value in a different color and know the color of each value. I did not find anything like it, I just saw that the color should be set to each value from the beginning. Can you help me?

Here is the original log file: Host availabilty Hashmap is {HKL20167984SIT_13_8225=true, HKL20167984SIT_7_82FB=true, HKL20167984SIT_2_82F6=true, HKL20167984SIT_16_8228=true, HKL20167984SIT_1_82F5=true, HKL20167984SIT_11_8223=true, HKL20167984SIT_14_8226=true, HKL20167984SIT_4_82F8=true, HKL20167984SIT_12_8224=false, HKL20167984SIT_3_82F7=true, HKL20167984SIT_15_8227=true, HKL20167984SIT_8_8220=true, HKL20167984SIT_9_8221=true, HKL20167984SIT_6_82FA=true, HKL20167984SIT_5_82F9=true, HKL20167984SIT_10_8222=true} Here's my search command index="hkcivr" source="/appvol/wlp/DIVR01HK-AS01/applogs/wrapup.log*" | rex max_match=0 "_(?<port status>\d{4}\=\w+)" I hope to get the result like below: Time   2022-02-15 07:02 8225=false, 8228=false, 8223=false, 8226=false, 8224=false, 8220=false, 8227=false, 8221=false, 8222=false, 8225=false, 8228=false, 8223=false, 8226=false, 8224=false, 8220=false, 8227=false, 8221=false 8222=false

Hi, Trying to configure the Add-On for Microsoft Defender https://splunkbase.splunk.com/app/4959/ Can anyone confirm what settings are needed for: Login URL Endpoint Resource? Whichever I use, I'm getting 401 errors. Have followed https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-worldwide and confirmed the permissions on the App registration are 100% correct.   Cheers  

Hi all, I have a query which gives this kind of table. Name        Date              Status           Task          SubGroup A             14-02-22         PASS                 a                  a1                                                                          b                  b1                                                                                               b2 The data will come together and which but i want separate rows for all the data. Also there are subgroup for some tasks but with this result it one cannot be able to differentiate between them. I have tried using mvzip like this, ...............| eval tmp=mvzip(mvzip(Name,Task,","),SubGroup,",") | mvexpand tmp | table Name Date Status tmp |eval Name=mvindex(split(tmp,","),0)|eval Task=mvindex(split(tmp,","),1)|eval SubGroup=mvindex(split(tmp,","),2) |table Name Date Status Task SubGroup I am not getting why a error comes in eval command as expected ). I don't know whether it is a small mistake, i have tried alot but not able to solve this.