We have migrated from Splunk 8.0 running on Windows Server 2016 to  Splunk 8.2.1 running on RHEL 8.  Trying to get Splunk DB Connect working again. On Windows it ran without incident, however on RHEL it continues to "Failed to restart task server". So far I have done the following to troubleshoot. Installed Oracle Java SDK 1.8.301 Set JAVA_HOME in the /etc/profile file Confirmed that port 9998 and 9999 are not currently used Confirmed ports are no blocked by any firewall Review the splunk_app_db_connect_dbx.log, only info in the file is "update java path file [/opt/splunk/etc/apps/splunk_app_db_connect/linux_x86_64/bin/customized.java.path]" Confirmed the java path file has correct info Confirmed there are no unusual details in the inputs.conf Confirmed SElinux is not blocking When running the command watch -n1 "ps -ef |grep java" , the java command is never executed.  However if I run the command watch -n1 "ps -ef|grep splunk"   when I attempt to save the setting in the app config I can Splunk attempting to run the command /opt/splunk/bin/python3.7 /opt/splunk/bin/runScript.py dbx_rh_proxy.ProxyManager

Hi all, I have the following command which produces a table with one fixed column (Artefact) and the remaining columns are dynamically produced (due to the second eval statement). Search: index="main" sourcetype="main" |eval ApplicationName = Application + "-" + AppID |table Environment,ApplicationName,Artefact,Version |eval {Environment}:{ApplicationName}=Version |fields - Environment,ApplicationName,Version |stats values by Artefact | rename values(*) as *   This produces the desired table format however some of the dynamic columns produced by "|eval {Environment}:{ApplicationName}=Version" line have multiple values within cells (I believe the multiple values are the previous 'Version's that have been recorded in the past). Is there a way to force the table to only show the latest Version value for each cell? Please let me know if further clarification of the question is required with examples.  Otherwise, thank you so much for any assistance. 

DB Performance Metrics was stopped receiving at AppDyanamics Controller for 2  Database at a particular date and time only while we are able to receive and view the DB server infra-related metrics.  DB collectors were working fine as we are able to receive metrics related to other Databases and Infra metrics. We have checked with DBA and Network Security if any change was implemented at their end but there was no change implemented. Please advise troubleshooting steps. Thanks Siva

Okay, so after the 60 days of Enterprise trial my license has expired. Now, how can I download the perpetual free license? Once I get into the store the only things I find require a payment, and the you have pricing questions we have answers website doesn't solve anything.

Hello, I am new too Splunk and am needing to split an Event at the Response Line.  Below is an example of an Event.   Request : August 17, 2021, 4:50 pm Data: {"requestNode":"Item","updatedBy":"WebServices_User","elements":{"typeOfItem":"Stock","country":"1",""baseUnitOfMeasure":"EA","IsItASerializedProduct":false,"currencyCode":"1","freezeCodeCorpLevel":98,"fractionalInventory":false,"isItADirectShippedProduct":false,"globalHold":false,"replacementCost":9.6,"productForm":"Non-Hazardous\/Transferrable","PrimaryVendor":"V9723","landedProduct":true,"standardCost":11.425,"status":"Inactive","priceGroup":"1N","invoiceCost":0,"listCost":11.99,"ueType":"Nursery","ueLine":"CNCO","ueDepartment":"EUONYMUS","taxCategory":"07"}} Response: {"success":false,"message":"No valid Item exists","code":"205"}   The purpose is, I need to create Fields for each parameter in the Response Line, and with this line being a part of the Data portion of the Event, which has varying number of fields, we can't get the regex working.  Support said we needed to break out the Response line, but wouldn't offer any recommendation on which line breaker I should be using. I've tried adding a BREAK_ONLY_BEFORE to the sourcetype in props.conf, but after a Splunk restart, we stop seeing events for this sourcetype. Below is what the sourcetype looks like in props.conf. [webservices_log-too_small] BREAK_ONLY_BEFORE = ^[a-zA-Z](?:[_-]?\w)*:\s+\{"[a-zA-Z](?:[_-]?\w)*": PREFIX_SOURCETYPE = True is_valid = True maxDist = 9999   Any help on this would be awesome, I really appreciate it.   Thanks, Tom  

Hi, I am trying to compare the between two events (json format), say, I can pipe with "head 2" to output only two events and then compare them and hight light what's changed, something like this: <search syntax> | head 2 event 1     {         value:  20          status: high          category: A    } event 2     {          value: 25          status: low          category: A    } Output after compare looks like this or anything that can highlight the changes:  changed         origin                new value                  25                     20 status               low                     high   category is unchanged, so won't have to be highlighted. any help is appreciated.