I am writing a custom search command that is quite performance sensitive. On every invocation the script is called twice and runs up to the prepare() method, which puts an unnecessary strain on the system. I could imagine that this is related to the command's general slowness, so the ability to disable it would be nice.

I am building a GeneratingCommand and even in the most basic version a lot of time passes between the invocation of prepare() (called after about 50ms after start) and generate() (called about 170ms after start). We plan to invoke this command frequently, so this gap matters. How can I reduce it?

The page About non-Python custom search commands mentions that it is possible to write v2 custom search commands in languages other than Python, but there is absolutely no information about how such a thing would be implemented. What's the protocol? The closest thing to an explanation of the protocol I've found is NDietrich's GitHub repo, and their accompanying talk which I find rather disappointing. How come there is no official information to be found about it?

Hi all, I am a very new Splunk admin, and am trying to peel back the onion on the previous admin's shenanigans in this Splunk environment. I have a "dashboard" that was created by a user in the "search" app, and they have requested that I delete the dashboard for them, as they cannot.  What is the proper way to do this? The only mention I can find of it is on all 3 search head peers under the path "/opt/splunk/etc/apps/search/local/data/ui/views/${dashboard_name}.xml" I cannot find it on the cluster master, either in /etc/apps or /etc/shcluster/apps.  Please help me figure out what to do next.  Is it as simple as just removing that xml from all 3 search heads at the same time?  Thanks in advance. 

Does anyone know when the next version release number will be, and what the timeframe for this will be? I have an offline instance which we are about to start updating, but I don't want to do it unless we have the most up to date version for a while. 

Hai All, Good day, we are using DB connect addon  to pull logs from multiple DB"s and created several inputs we want track activity  like If any user changes anything or creating new inputs in the DB Connect app or disabling inputs    any searches to check the activity for those

Up until a month ago, it was working perfectly, but for the past 2-3 weeks splunk dashboards are not showing any data and the mails we get as alerts are blank, they have no report in them. What is the possible cause? How to resolve this?

Hi guys. I was asking why my reports, using license_usage.log from LicenseMaster, for "LicenseUsage" sometimes do not log the "h" or "s" field (alias from host or from source). Doing so, i can have a full report for Indexers or Sourcetypes usage, but not for Host or Sources.   INFO LicenseUsage - type=Usage s="" st="MY_ST" h="" o="" idx="MY_IDX" i="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" pool="auto_generated_pool_enterprise" b=51331 poolsz=214748364800   May it be the origin forwarder version? I have forwarders from 6.x.x to 8.x.x version running. Any clue? Thanks.

Happy New Year to all of you. So I have syslog in which we have details of the devices and switches.  The requirement is to find the old and new ip address for the NetworkName which were recently added to a group.  To get this i have to follow below steps. 1. get the NetworkName which has been recently added to group. 2. than get the latest CallingStation for the NetworkName . # search for step 1 & 2 index=xyz NetworkGroups="Device Type#All Device Types#DNAC#SingleIONBranch" (Diag_Message="Authentication succeeded") NetworkName =USAZSLKRR01FIF0001 |stats latest(CallingStation ) as CallingStation by NetworkName 3. search in the index with the CallingStation  to get IPAddress(it has to ran for last 24 hours) index=na3rc Calling_Station_ID=B0-22-7A-32-32-26 | bin span=1d _time | stats latest(IPAddress) as IPAddress by _time CallingStation | eval IP=if(_time<relative_time(now(),"@d"),"Old","New") The problem here is that IPAddress field has both old and new IPAddress. I tried join but it is showing no results as it is being maxout and when i try to use it in same search it is only showing new IPAddress. Thank in Advance       index=xyz NetworkGroups="Device Type#All Device Types#DNAC#SingleIONBranch" (Diag_Message="Authentication succeeded") NetworkName=USAZSLKRR01FIF0001 | stats latest(CallingStation) as CallingStation by NetworkName | join CallingStation type=left [| search index=xyz | bin span=1d _time | stats latest(IPAddress) as IPAddress by _time CallingStation | eval IP=if(_time<relative_time(now(),"@d"),"Old","New")]      

Hi Experts,   I would like to compare values in same field (vlan_ids) for equality based on a machine serial (hyp_serial).   Would like validate whether the VLAN ID's are configured on both VM's under same hyp_serial are same or not equal.    There will be 2 VM's under the same serial.    Could you please help me with my requirement.   index=lab source=unix_hyp  | spath path=hyp_info{}{} output=LIST  | mvexpand LIST  | spath input=LIST  | where category == "hyp_vlan"  | table hyp_name hyp_serial vlan_ids    Table Output: ------------------ hyp_name     hyp_serial   vlan_ids hyp_vm1 AE12893X    5_767_285_2010 hyp_vm2     AE12893X5_356_375_2010 hyp_vm3    ZX87627J9_49_43_44_3120 hyp_vm4     ZX87627J9_49_43_44_3120 hyp_vm5 YG92412K5_767_285_2010 hyp_vm6 YG92412K 5_767     Expected Output: ----------------- hyp_name     hyp_serial   vlan_ids      VLAN CHECK hyp_vm1 AE12893X    5_767_285_2010    OK hyp_vm2     AE12893X 5_356_375_2010  OK hyp_vm3    ZX87627J 9_49_43_44_3120  OK hyp_vm4     ZX87627J 9_49_43_44_3120  OK  hyp_vm5 YG92412K 5_767_285_2010  MISMATCH hyp_vm6 YG92412K 5_767             MISMATCH

I install UF 8.2.4 for Windows and using default pem and CA certificate, I tried to connect UF to the indexer. However, the eventlog information cannot be sent to indexer with the error  ERROR TcpInputProc - Error encountered for connection from src=192.168.xx.xxx:65251. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol I search thru the /opt/splunk/var/log/splunk/splunkd.log and not much information can be found. How can I get more detail info to troubleshoot the problem ?  

I am using Splunk 8.2.1 with DB Connect 3.5.1 with OpenJDK 1.8.0.332 on Linux (RHEL), this is an airgapped system so I cannot paste the logs. After installing DB Connect and restarting Splunk, DB Connect fails to start on both dbxquery.sh and server.sh On both scripts, after TrustManagerUtil - action=load_key_manager_succeed it throws an ExceptionInitializerError for SplunkServiceBuilder.<clinit>(SplunkServiceBuilder.java:19) complaining about: Error setting up SSL socket factory: java.security.NoSuchAlgorithmException: SSL SSLContext not available   In my java.security i h ave:   jdk.disabled.namedCurves = secp256k1 i have commented out (for testing) jdk.certpath.disabledAlgorithms, jdk.jar.disabledAlgorithms, jdk.tls.disabledAlgorithms however I still get this error.   It's the first time i'm seeing this so looking for guidance. Thanks