Hello everyone, currently our Indexers keep crashing randomly.  We're only running Linux OS, within Splunk 9.0.2. Any suggestions what the Crashing thread means and how to solve that? Thank you. Received fatal signal 6 (Aborted) on PID 235655. Cause: Signal sent by PID 235655 running under UID 1018. Crashing thread: FwdDataReceiverThread Registers: RIP: [0x00007F4A05C3E387] gsignal + 55 (libc.so.6 + 0x36387) RDI: [0x0000000000039887] RSI: [0x00000000000399C9] RBP: [0x000000000000008F] RSP: [0x00007F49E4FFE238] RAX: [0x0000000000000000] RBX: [0x000055B8710F5CA8] RCX: [0xFFFFFFFFFFFFFFFF] RDX: [0x0000000000000006] R8: [0x00007F49E4FFF700] R9: [0x00007F4A05C552CD] R10: [0x0000000000000008] R11: [0x0000000000000206] R12: [0x000055B870FE5A93] R13: [0x000055B8710F5D88] R14: [0x000055B872226488] R15: [0x00007F49E4FFE4E0] EFL: [0x0000000000000206] TRAPNO: [0x0000000000000000] ERR: [0x0000000000000000] CSGSFS: [0x0000000000000033] OLDMASK: [0x0000000000000000] OS: Linux Arch: x86-64 Backtrace (PIC build): [0x00007F4A05C3E387] gsignal + 55 (libc.so.6 + 0x36387) [0x00007F4A05C3FA78] abort + 328 (libc.so.6 + 0x37A78) [0x000055B86E1D4D26] ? (splunkd + 0x1A08D26) [0x000055B86EE39BD2] _ZN26HealthDistIngestionLatency29calculateAndUpdateHealthColorEv + 914 (splunkd + 0x266DBD2) [0x000055B86E744627] _ZN22TcpInPipelineProcessor7processER15CowPipelineData + 199 (splunkd + 0x1F78627) [0x000055B86E74CD57] _ZN14FwdDataChannel16s2sDataAvailableER15CowPipelineDataRK15S2SPerEventInfom + 167 (splunkd + 0x1F80D57) [0x000055B86F2B2255] _ZN11S2SReceiver11finishEventEv + 261 (splunkd + 0x2AE6255) [0x000055B86F059E48] _ZN18StreamingS2SParser5parseEPKcS1_ + 6520 (splunkd + 0x288DE48) [0x000055B86E73E004] _ZN16CookedTcpChannel7consumeER18TcpAsyncDataBuffer + 244 (splunkd + 0x1F72004) [0x000055B86E74055D] _ZN16CookedTcpChannel13dataAvailableER18TcpAsyncDataBuffer + 45 (splunkd + 0x1F7455D) [0x000055B86F592D03] _ZN10TcpChannel11when_eventsE18PollableDescriptor + 531 (splunkd + 0x2DC6D03) [0x000055B86F4D5BCC] _ZN8PolledFd8do_eventEv + 124 (splunkd + 0x2D09BCC) [0x000055B86F4D6B39] _ZN9EventLoop3runEv + 617 (splunkd + 0x2D0AB39) [0x000055B86F58D68C] _ZN19Base_TcpChannelLoop7_do_runEv + 28 (splunkd + 0x2DC168C) [0x000055B86F58D78E] _ZN25SubordinateTcpChannelLoop3runEv + 222 (splunkd + 0x2DC178E) [0x000055B86F59A16D] _ZN6Thread37_callMainAndDiscardTerminateExceptionEv + 13 (splunkd + 0x2DCE16D) [0x000055B86F59B062] _ZN6Thread8callMainEPv + 178 (splunkd + 0x2DCF062)

Hi Splunk community, I need to display data shown as table below Component Total units Violated units Matched [%] Type A 1 1 99 Type B 10 10 75 Type C 100 85 85 Total 111 96 86   In the total row, the matched value is the average of the column, while others are the sum value. Is it possible to insert the average value to the total row as shown? Here's my SPL:   index="my_index"source="*sourcename*" | stats count as total_units count(eval(isnull(approval_message))) as violated_units values(matched_percentage) as matched by component | addcoltotals total_units + violated_units labelfield=component | rename total_units as "Total Units", violated_units as "Violated Units", matched as "Matched [%]"      

Hi, I have 2 searches. 1st query: (100 results including duplicate number)     index="abc" message.appName=app1 "Description"="After some string*" | table _time Id number     2nd query:(80 results including duplicate d_number)     index="abc" message.appName=app2 "Description"="After some string2*" | table _time d_Id d_number      both d_number & number are matching How to get result-> only those number which are not matched with d_number I need only 100-80=20 number which may contain duplicate values from 1st query. (eg: query1-query2) Thank you in advance for your answer.

Hi All, I have enquired this problem earlier in older threads, however, could not get a working answer, thus, created a new thread to get wider visibility and response.  Resources in hand: - I have a lookup table which has many fields. I have two fields to consider: - index, host I have a list of indexes for which results need to be fetched.  Requirement: - I need to fetch list of those hosts for each index value whose records are fetched in index but not fetched from lookup table. For fetching the events from index, I need to get the list of index values from lookup table. I tried the below however, I am getting hosts which are fetched in both index and lookup table: -   |tstats fillnull_value="unknown" count AS event_count WHERE [ |inputlookup table1 |stats count BY index |foreach index [eval <<FIELD>>=replace(replace(lower(trim(<<FIELD>>)),"\s+",""),"\t+","")] |eval search_str="(index=".index.")" |stats values(search_str) AS search_str |eval to_return=mvjoin(search_str," OR ") |return $to_return ] BY index, host |search NOT ( [ |inputlookup table1 |stats count BY index, host ] )   Thus, I need your help to resolve the issue. Thank you

Hi,   If anyone can help me with this it would be truly helpful. I'm currently practicing to become a Splunk architect and I'm having an issue with file ownership on Linux Ubuntu. I changed Splunk's ownership to the dedicated Splunk account I created but it only changes that specific folder and not all the contents in it can anyone give me a cool little command to make everything under the Splunk folder owned by the Splunk account I created for Splunk management/ Regards,