This is a different error this time 😉 Try it like this: /full/path/to/splunk/bin/splunk rebuild app/splunk/var/lib/splunk/cisco_ios/thaweddb/rb_1513987154_1513901000_D4AJ321 Also, using the bucket path without leading / will assume the app directory is in the directory you are executing the command. Use full paths to be sure. cheers, MuS ... View more

Hi jaracan, you would find your image in $SPLUNK_HOME/etc/apps/search/appserver/static/ as your web.conf is using the search app context for loginCustomBackgroundImage . Hope this helps ... cheers, MuS ... View more

Hi Campbell04, Yes, and No. By default you will only get a message if the universal forwarder is sending events again. BUT, one can increase the logging for any tcpout* channels which would give you the messages you are after, BUT (yes, another but) this will be a lot of additional events and therefore network traffic). Hope this helps ... cheers, MuS ... View more

Hi petenetwork, Not a real answer that's why it is a comment 😉 The date can be fixed by using /en-GB/ in the URI of Splunk. Regarding the #NumberHere issue, why do you think this is Splunk? Actually this in Windows logging this way, and to make it even worth, as you can read here https://blogs.technet.microsoft.com/askperf/2010/03/29/perfmon-identifying-processes-by-pid-instead-of-instance/ , those numbers are not static. They can change dynamically, or at least back in the days it was like that ... if this is still the case, who knows ¯\_(ツ)_/¯ cheers, MuS ... View more

Hi RMoore01, I find the command multisearch really handy for this kind of comparison, also it is a very fast/efficient way to search two different time ranges. Although multisearch uses sub search syntax, it is actually not effected by any sub search limitations - from the docs http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch With the multisearch command, the events from each subsearch are interleaved. Therefore the multisearch command is not restricted by the subsearch limitations. Okay, now for the example; take this run everywhere example to see how it can be done : | multisearch [ search index=_internal sourcetype=splunkd earliest=-2w@-24h@h latest=-2w@-0h@h | eval event="1", when="then" ] [ search index=_internal sourcetype=splunkd earliest=-24h@h latest=-0h@h | eval event="1", when="now" ] | chart sum(event) AS events over date_hour by when This will give you a chart with the sum of events over the last 24 hours (second search) and the same time range 2 weeks ago (First search). I had to use 2 weeks because it searches index=_internal 😉 If you add a where to the SPL, you can compare the events and show it in a graph like this: Hope this helps ... cheers, MuS ... View more