Hello there, We are trying to automate KV Store backup/restore but there is something I do not understand yet. Prior 6.5.3, you had to stop the Search Head, then backup the KV Store directory. (https://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/BackupKVstore) Now, there is an handy dedicated command for that which is great. (https://docs.splunk.com/Documentation/Splunk/7.2.8/Admin/BackupKVstore I am lost with the size difference thought. On our Search Head, KV Store directory weight ~1 GB. When I check our KV Store collections from the Monitoring Console, it weights less than 20 MBs total. When I try to backup using the backup command, the output weight a few MBs, which fits well with what I see from the Monitoring COnsole. So I am wondering why the size difference is so big between both methods. What would I loose if I restore the KV Store with the lightweight few MBs backup to a reconstructed Search Head? Any clue ? Thanks in advance! ... View more

Hello there! I am looking for a way to adjust multivalue choice box length to keep them on one line. I have already adjusted multivalue input box : <html> <style> #instance_id { width: 50%; } </style> </html> But I do have long string choices that get displayed on two lines (#2), so I am trying to adjust box choices length to have something like this (#3): Is there a way using css / simple xml? Thanks in advance for any hint! ... View more

Hello, In a particular TA, I had to use a standalone transforms.conf stanza : [standalone_stanza] REGEX = (.+?)\:\s(.+?)(?:\\r\\n|$) FORMAT = $1::$2 It is needed because I needed dynamic field name extraction (hence, FORMAT = $1::$2). The stanza is called directly in the search queries using the extract command and with the target passed as the _raw value : [...] | eval _raw=... | table _raw | extract standalone_stanza limit=1 clean_keys=false | fields - _raw [...] Everything is fine except I got the following warning in the splunkd.log : WARN SearchOperator:kv - buildRegexList provided empty conf key, ignoring. I believe it is due to the fact that the transforms stanza is not called in props.conf. Thing is I do not want it to be called automatically because of the way it works. So I guess I can just ignore the warning log. I am just wondering if there is a cleaner way. Maybe it is somehow possible to reference the transforms stanza in props and configure it to not be launched automatically. I have checked to documentation without luck so far. Thanks in advance for any hint! ... View more

We are indexing AWS data into Splunk using Splunk Add-on for AWS. We have configured inputs to retrieve data from AWS Config. AWS Config data should go in the sourcetypes 'aws:config' & 'aws:config:notification'. While we do get data in 'aws:config' we do not get any data under 'aws:config:notification'. The documentation (https://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureInputs) states that 'SQS-based S3' input type is supported for 'aws:config:notification'. However, we spotted the following message in the logs : 2019-06-07 07:55:02,631 level=INFO pid=26766 tid=Thread-5 logger=splunk_ta_aws.modinputs.sqs_based_s3.handler pos=handler.py:parse:149 | start_time=1559893993 datainput="config-sqs_s3", created=1559894102.63 message_id="58cee5d5-0b6b-46b7-af16-2e3ee2a2d22f" ttl=300 job_id=73693ed4-de47-4c5d-bd0f-3dbf11bcb5b6 | message="Ingnoring this config message." message_type="ConfigurationItemChangeNotification" And handler.py seems pretty clear about it: class ConfigNoticeParser(object): """ Wrapper class for easy accessing config dict based notifications. """ _SUPPORTED_MESSAGE_TYPE = [ 'ConfigurationHistoryDeliveryCompleted', 'ConfigurationSnapshotDeliveryCompleted', ] _UNSUPPORTED_MESSAGE_TYPE = [ 'ConfigurationItemChangeNotification', 'ConfigurationSnapshotDeliveryStarted', 'ComplianceChangeNotification', 'ConfigRulesEvaluationStarted', 'OversizedConfigurationItemChangeNotification', 'OversizedConfigurationItemChangeDeliveryFailed' ] def __init__(self, message, region_cache): self._message = message self._region_cache = region_cache def parse(self): message = self._message message_type = message['messageType'] if message_type in self._UNSUPPORTED_MESSAGE_TYPE: logger.info('Ingnoring this config message.', message_type=message_type) return [] if message_type not in self._SUPPORTED_MESSAGE_TYPE: raise TypeError('Unknown config message.') # for supported message types bucket = message['s3Bucket'] region = self._region_cache.get_region(bucket) key = message['s3ObjectKey'] if not isinstance(key, unicode): raise TypeError('s3ObjectKey is expected to be an unicode object.') return [self._make(region, bucket, key)] def _make(self, region, bucket, key): return S3Notice(region, bucket, key, None, None) inputs.conf: [aws_sqs_based_s3://config-sqs_s3] aws_account = <assume_role_name> aws_iam_role = <aws_account_name> disabled = 0 host = <host> index = main interval = 300 s3_file_decoder = config sourcetype = aws:config sqs_batch_size = 10 sqs_queue_region = <region> sqs_queue_url = https://sqs.eu-west-1.amazonaws.com/<aws_account_id>/<sqs_name>; Are we missing something here ? Thanks in advance for any hint! ... View more