Hi there, Sorry I missed this post, because the notification for the tag did not work for me 😞 Let me know should you still need help with this. cheers, MuS ... View more

Hi there, Have you enabled debugging in the script? What does the log tell you? Using v3.x will not help, because v4.x was a complete re-work and works differently. cheers, MuS ... View more

HaHA, no reason to swear 😉 Glad you made it work for you in the end! Slàinte, MuS ... View more

The download works fine using http or https, to me it looks the post processing of the files fails in ES. For now I just use a work around and download the file by cronjob, put the csv into the lookup folder and use the lookup:// URL in ES. cheers, MuS ... View more

You're provided samples here that will never match the initial posted search For example you're doing a regex on source for ACK but provide source as ack_ above, the other thing is that REF should match another regex of 10 any word characters followed by 6 digits followed by one or more any word character but the provided sample contains 6 digits followed by 6 any word characters ¯\_(ツ)_/¯ You really should provide some real sample events, otherwise there is no way I can help you. cheers, MuS ... View more

Another issue could be the search mode: if you run your search in fast mode field extraction will only work for any field provided in the base search. Again see the docs https://docs.splunk.com/Documentation/Splunk/latest/Search/Changethesearchmode for more details on that topic. cheers, MuS ... View more

It sounds/look to me the regex does not match correct, can you add a list of some REF values here? ... View more

HaHA, nice played Sir 😉 ... View more

Please add your outputs.conf to this post. cheers, MuS ... View more

Hi rossparfect, give this a try: (index="sample_log" sourcetype="STAR:OUT:ALL") OR (index="sample_log" sourcetype="STAR:OUT:ACK" ) | rex field=source "ACK _(?<REF>\w+)_" | eval REF=case(isnotnull(Trans_Name), Trans_Name, isnotnull(REF), REF, 1=1, "unknown") | lookup REF APPL-FILENAME as Stream_Name | rex field=source "_(?<STP_Process_Time>\d{14})." | eval results = if(match(REF, "\w{10}\d{6}\w+"), "Success", "Failed") | table results If this still does not work, start removing | SPL from the back until you get the expected results. Otherwise provide some sanitised sample events and the expect result and it will be easier to help. Hope this helps ... cheers, MuS ... View more

Hi maniu1609, there is an app for this https://splunkbase.splunk.com/app/4395/ I use it not only as health check in the F5 but also as an option to manually add or remove Splunk instances from the F5 pool for maintenance work for example. Hope this helps ... cheers, MuS ... View more

Hi barriersbill, This is not an answer nor the requested input on this topic, more an advice 😉 If the docs do mentioned something like this so detailed, telling you should not do it, and all nodes must be the same version - then there is a reason for this! I'm pretty sure you cloud just try it, you might maybe succeed, or most likely just fail with it and just imagine what will happen if you raise a support case with Splunk on this? Me: I upgraded my index cluster to different versions, please help Splunk: Bold move, but we told you not to do this Hope this helps ... cheers, MuS ... View more

Yes, like any other deployment client that is phoning home every minute and polling for any configured app for them does. cheers, MuS ... View more

The original answer states you should not use it in prod environments 😉 Dev SH are best run with this settings in web.conf [settings] js_no_cache = true cacheBytesLimit = 0 cacheEntriesLimit = 0 max_view_cache_size = 0 auto_refresh_views = 1 Regarding the not documentation , you can find everything in the docs here https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTaccess#Usage_details every REST entity with a _reload endpoint will be reloaded by either using /debug/refresh or the | refresh command. cheers, MuS ... View more

Exactly, only that those buckets can be in a remote S3 storage now instead on a local disk. ... View more

Each one of them can use SmartStore for its own storage, but they will not be able to share those SmartStore buckets like the index cluster nodes could - if that makes sense. ... View more

Hi vonsolo29, The docs tell you how to enable SmartStore on a standalone indexer https://docs.splunk.com/Documentation/Splunk/latest/Indexer/DeploySmartStorestandalone this means it is possible. But I highly recommend to read this section of the docs as well https://docs.splunk.com/Documentation/Splunk/latest/Indexer/AboutSmartStore#Choosing_SmartStore when you consider to move to SmartStore. Hope this helps ... cheers, MuS ... View more

check for typos of the sourcetype name in the stanza in props.conf, because it is actually case sensitive in props.conf. cheers, MuS ... View more

are these typos? you wrote command.conf instead of commands.conf and filename = msgSend instead of filename = smgSend cheers, MuS ... View more

Hi summitsplunk, just try this: | stats dc(srcmac) this will give you a distinct count of srcmac Hope this helps ... cheers, MuS ... View more