Hi, I am ingesting a json data that has a property called "name". I could not figure out why I am not able to extract the "name" property as a field name. It also does not create the "name" field even if I use a filed extractor. I am how ever able to create a field called "name1" but if I change it back to "name" it again does not register the field. Regards, Edward

I'm new in Splunk and have a test environment contains search head cluster with three Splunk 9.0.1 instances: one deployer and two search heads. If it important a Deployer also have an indexer cluster master role. This is a fresh install without any specific changes.  Output of splunk show shcluster-status --verbose:   Captain: decommission_search_jobs_wait_secs : 180 dynamic_captain : 1 elected_captain : Tue Jan 24 17:57:01 2023 id : 17B17CF3-57A4-4F34-A943-835219C2DA41 initialized_flag : 1 kvstore_maintenance_status : disabled label : spl-sh02 max_failures_to_keep_majority : 0 mgmt_uri : https://spl-sh02.domain.com:8089 min_peers_joined_flag : 1 rolling_restart : restart rolling_restart_flag : 0 rolling_upgrade_flag : 0 service_ready_flag : 1 stable_captain : 1 Cluster Manager(s): https://spl-ms01.domain.com:8089 splunk_version: 9.0.0.1 Members: spl-sh02 kvstore_status : ready label : spl-sh02 manual_detention : off mgmt_uri : https://domain.com:8089 mgmt_uri_alias : https://172.28.56.104:8089 out_of_sync_node : 0 preferred_captain : 1 restart_required : 0 splunk_version : 9.0.0.1 status : Up spl-sh01 kvstore_status : ready label : spl-sh01 last_conf_replication : Wed Jan 25 10:52:26 2023 manual_detention : off mgmt_uri : https://spl-sh01.domain.com:8089 mgmt_uri_alias : https://172.28.56.100:8089 out_of_sync_node : 0 preferred_captain : 1 restart_required : 0 splunk_version : 9.0.0.1 status : Up   When i'm try to execute "apply shcluster-bundle" on deployer i'm see this error:   Warning: Depending on the configuration changes being pushed, this command might initiate a rolling restart of the cluster members. Please refer to the documentation for the details. Do you wish to continue? [y/n]: y WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details. Error in pre-deploy check, uri=https://spl-sh02.domain.com:8089/services/shcluster/captain/kvstore-upgrade/status, status=401, error=No error   How i can solve this problem? 

Hello Splunkers, I the following error on my Splunk HF which is listening to incoming data from F5 network appliance.   01-25-2023 08:06:56.794 +0000 ERROR TcpInputProc [2612981 FwdDataReceiverThread] - Error encountered for connection from src=<internal_ip_f5>:59697. Read Timeout Timed out after 600 seconds.   I am wondering what the number after the F5 IP is... I specified a unique port for the forwarding of data between f5 and the HF so I do not understand why I have number like 59697 (and many others). More generally I do not know how to troubleshoot this... Thanks for your help, GaetanVP

Hi community.  Some searches have: index="my_index" index=my_index I want to extract a new field named user_index but cannot figure out the regex capture group that may or may not contain quotes around the index name.    

I have a dataset with incident numbers and their associated Jurisdiction. It is possible that a incident will be listed in multiple jurisdictions.  I don't want to dedup(incident_number) globally. I need to count by jurisdiction, but the dedup or distinct count needs to be within each Jurisdiction.  Any suggestions?

We have a use case where we need to have an alert emailed if a user (under the field User) does not have an event of Activity="logged on" within the past 90 days within a specific sourcetype.   We have tried index=index sourcetype=sourcetype Activity="logged on" | chart count over Activity by User limit=0 But we can't seem to be able to filter to only specify a count of 0 over the past 90 days   Any ideas or leads as to what would get us in the right direction?

Hello Experts.. Configuring the inupts.conf file I am trying to send data from the same windows log to multiple index's for separate dashboards. I think some sort precedence is blocking some of the data. Here is what I was trying to accomplish. Is there a better way to get where I'm trying to go?   [WinEventLog://Application] disabled = 0 index = WINDOWS start_from = oldest [WinEventLog://System] disabled = 0 index = WINDOWS start_from = oldest [WinEventLog://Security] disabled = 0 index = WINDOWS start_from = oldest ######## Separate to send USB bus traffic ########## [WinEventLog://Security] disabled = 0 index = USB start_from = oldest whitelist = 1234,4321,5467, etc [WinEventLog:/Microsoft-Windows-DriverFrameworks-UserMode/Operational] disabled = 0 index = USB start_from = oldest interval = 1000,1001,1002,1003  

Given web access log data with following fields: _time,  http_status, src_ip, dest_ip After a bruteforce attack on a login page, where http_status of 200=success and 401=failure, how can I display the number of failures, plus earliest(_time) and latest(_time) by src_ip I've tried using streamstats like below, but do not get what I'm looking for index=myIndex AND status=* | table _time status src_ip dest_ip | sort + _time | streamstats reset_on_change=true count earliest(_time) AS ET latest(_time) AS LT by status | convert ctime(ET) ctime(LT)