Hello,   I have a backend implementation utilizing Java SDK. I execute a search that is finalized successfully (seach is limited to return first 10 records) as a 1st step of a overall logic. Based on this result set I execute another search in a loop that streams its results back to front end application once it gets data (one execution per each record returned by 1st search). In that part I am executing always exactly the same search but with different parameters (results of 1st search). After few executions in that loop, once standard timeout for one execution is reached (60 sec) I receive "...com.splunk.HttpException: HTTP 404 -- Unknown sid" exception. When I debug my code I can see that exception is thrown on a job in RUNNING state. All previous jobs in that loop are marked as DONE, all "ResultsReaders" are closed. It seems that expiration is evaluated on start time of first job in a execution, not based on the actual one (even if a job is in a Java code declared as a new job). How is the job expiration logic working? Note: I am not asking for "why you are calling it in a loop" I am asking for information how to properly close/finalize normal job execution so I reset timer for each execution of this normal job.  Thanks for your answers, notes, updates Jakub

I think savedsearches.conf contains information about alerts and reports. If you execute the following btool command and check the result, which is the report or the alert? I can't tell. if i use splunk btool savedsearches list <Question 1> From the btool results, what parameters can I look at to determine that the stanza is a report? <Question 2> From the btool results, what parameters can I look at to determine that the stanza is an alert?

  I ave a field "hostname" in splunk logs which is available in my event as "host = server.region.ab1dc2.mydomain.com". I can refer to host with same name "host" in splunk query. I want to extract the substring with 4 digits after two dots ,for the above example , it will be "ab1d". How my splunk query should look like for this extraction? Basically I have been given a string, and want to skip two dots and then take the four characters after that.  

Hi, I have a last run epoch time and a cron schedule (i.e. : "*/5 * * * *") in an _raw event and I'd like to parse these information to output the next run. Do you have any idea how to do this? I found this addon :https://splunkbase.splunk.com/app/4078/ but it does not allow me to use a custom "last run time" and always takes the earliest time of my search as an input. Thanks

Hello, I have one question about monitoring HF. I found many ways how to get outgoing data rate on HF (how mach data HF sends to IDX), but how to find incoming data rate on HF? In other words, how to find how many data coming from sources to HF (in total is enough for me)? Is any metric like this in Splunk log? Thanks for help in advance. Best regards Lukas Mecir

Hi All, We have a requirement to connect to Splunk and send the message logs from the integration flow(Cloud platform integration) in order to monitor/observe flows. For the POC purpose we have created a trail account in splunk and we are trying to connect to below URL. This URL points to collector services of splunk. URL: https://prd-p-rtdzg.splunkcloud.com:8088/services/collector/raw/1.0 While trying to connect to this URL we are getting an error stating "java.security.cert.CertificateException: No name matching inputs.prd-p-rtdzg.splunkcloud.com found". This error is due to URL is returning a certificate chain, that doesn't contain above URL itself (prd-p-rtdzg.splunkcloud.com). Kindly let us know if any of you have come across this scenario and let us know if we have a way to return a certificate chain containing its own URL (or at least in "Subject Alternative Name"). Thanks in advance. Regards, Caren  

Hello,  We have a CSV Lookup file that is getting populated by a saved search.  We are noticing there are lot of duplicate rows getting created every other day.   The file doesn't open in Lookup Editor App as its size is >  10MB.    Can someone pls advise how to delete duplicates via a query ?

Hi fellow Splunkers, Good day.  Would there be a way to configure a specific index to be searchable for a specific srchTimeWin? Say the example below. Scenario: Splunk User has a user role with a search time win of 1 yr for all non-internal indexes. We wanted a specific index to be searchable for 2 years only for the same user (the rest by 1yr searchable).   Test already done: Create a new role and assign to a test user (with the user role) with the new role being searchable to the index of concern with srchTimeWin of 2years. However, all indexes were made searchable to 2 yrs as a result. Thanks in advance. Kind Regards, Ariel

Hi please help here we are using below base search and we need to see all ssl certificates with days left in EST. index=ssl_certs |rex field=_raw "[^'\n]*'expires=\"(?<expires>[^\\\'\"]+)"| stats c by host expires cert | eval time = strftime( strptime( expires , "%b %d %H:%M:%S %Y %Z" ), "%Y/%m/%d %H:%M:%S %Z") need exact query for this we tried a lot actually. we are using ssl_checker app for this.

Hi, Is there a easy and straight forward way of extracting browser versions from access logs using Useragent string. I've a requirement where I have to list out top browsers and top versions of the browser. I was able to manage to extract the browser using the below eval expression  but getting the browser versions are tricky.       | eval browser = case(match(useragent,"Firefox"),"FireFox", match(useragent,"Chrome") AND NOT match(useragent,"Edge"),"Chrome", match(useragent,"Safari") AND NOT match(useragent,"Chrome"),"Safari", match(useragent, "MSIE|Trident|Edge"), "IE", NOT match(useragent, "Chrome|Firefox|Safari|MSIE|Trident|Edge"), "OTHERS")       Has someone done that before and help me steer into right direction. I can't install any app so it has to be done via some regex. Please let me know if someone can help. Very much appreciated in advance Some examples of Useragent Strings - Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Mobile Safari/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15 Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Mobile Safari/537.36 Mozilla/5.0 (iPhone; CPU iPhone OS 15_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/198.0.425262635 Mobile/15E148 Safari/604.1 Best Regards, Shashank