Hello, The table below are the results from a REST query that shows the installed Apps/TA's from various servers (4 in the example) at my site. | rest /services/apps/local | search disabled=0 core=0| dedup title |table label title version| collect index=test sourcetype=apps:installed The following search produces the table below with Version mismatches highlighted in red: index=test sourcetype="apps:installed" | fillnull value="None" version, title | table host label title version |rename label AS AppName | sort AppNam host AppName Label Version Server1 Add-on for VMware ESXi Logs Splunk_TA_esxilogs 4.1.0 Server2 Add-on for VMware ESXi Logs Splunk_TA_esxilogs 4.1.0 Server3 Add-on for VMware ESXi Logs Splunk_TA_esxilogs 4.0.0 Server1 Add-on for VMware Metrics Splunk_TA_vmware_inframon 4.1.0 Server1 Add-on for Virtual Center Splunk_TA_vcenter 4.1.0 Server2 Add-on for Virtual Center Splunk_TA_vcenter 4.1.0 Server3 Add-on for Virtual Center Splunk_TA_vcenter 4.1.0 Server4 Add-on for Virtual Center Splunk_TA_vcenter 4.1.0 Server1 Add-on for ontap Splunk_TA_ontap 3.0.0 Server1 Ansible Monitoring & Diagnostics Ansible_Splunk 1.2.2 Server1 Admin Authentication all_adminauth 0.1.0 Server2 Admin Authentication all_adminauth 0.1.0 Server3 Admin Authentication all_adminauth 1.0.0 Server4 Admin Authentication all_adminauth 1.0.0   There is no entry in the results for a server if the App/TA isn't installed. What I am asking for help on is a search that will show the entries that are mismatched on the "Version" field based on the "AppName" field. The rows where all versions match with the AppName can be ignored. Thank you.   ... View more

I have a coldToFrozenScript that controls all of the indexes at an installation. I want the data in the "main" index to simply be deleted when it's time to be frozen. My question is, if I set the coldToFrozenDir for the "main" stanza in indexes.conf to a blank, will it delete the buckets?  coldToFrozenDir =    Thank you.  ... View more

Hello, and I have another weird issue: When I execute a search on a SHC in the Search and Reporting App, getting data from 2025-02-27 index=test earliest=-7d@d latest=-6d@d I get zero events When I execute the search WITHOUT the earliest and latest time modifiers and use the Time Picker in the UI which results in "during Thu, Feb 27, 2025" I get around 167,153 results Specifying the time range with earliest and latest time modifiers is NOT giving me the "Your timerange was substituted based on your search string". If I use tstats, I get the correct number of events, the correct date, and the message "Your timerange was substituted based on your search string" is present | tstats count where index=test earliest=-7d@d latest=-6d@d by _time span=d I also made index=test earliest=-7d@d latest=-6d@d a saved search which executes every 10 minutes - zero events. Another bit of weirdness: If I run that search, and specify "All time", it will pull events ONLY for 2025-02-27. Nothing for other dates, and it has 12 months of events, populated for every day. So, it looks at both the time qualifiers and the time picker under that scenario. Any ideas what might be causing this? (I have several standalone searchheads that are working fine) ... View more

Hello. I noticed on a U/F, "Splunk destroying TcpOutputClient during shutdown/reload" as a level INFO and happens 4 or 5 times a minute for each of the 3 indexers. The U/F has been running for quite some time and is not in a shutdown/reload situation and I am receiving events both _internal and OS data from the TA_Splunk_nix  from it. Is destroying a connection a normal message and what would cause that? I can't seem to find anything online about this message. ... View more

Hello, I am attempting to make a KPI with the following search: index=demo sourcetype=access_combined action=purchase|bucket _time span=5m|stats count by _time I get the following results (In search) _time purchased 2017-08-09 17:10:00 75 2017-08-09 17:05:00 122 2018-08-09 17:00:00 89 When in ITSI with the threshold field as "count" , Calculating Average per entity, Average of aggregate over the last 15 minute(s) every 15 minute(s) - I get No Results Found... What am I doing incorrectly? Thanks in advance. ... View more

Hello (again), To go along with my previous question regarding using span=10 minutes using the following search: index=wineventlog user="*.ad" TaskCategory="Security Group Management" | timechart span=10m count |reverse I'm using "today" in the time-picker This works fine with searches that have data for today. However; some of my searches do not have any activity for today, so the search comes up with "No Results Found". I would like to replace "No Results Found" with "No Activity for Today". Is this possible and how is this done? Again, many thanks! ... View more

Hi, I am doing the following: index=wineventlog user="*.ad" TaskCategory="Security Group Management" |bucket _time span=10m| timechart count AS EventCount It is showing a report line for every minute - I would like for it to have a report line for every 10 minutes and I thought that the |bucket _time span=10m would do that. How can I get this to display results for every 10 minutes? Thanks in advance ... View more

Hello, I have a client that does not have the App for Unix/Nix and does not want to install it. Problem: I need to get the _time into this somehow so it can be used as Metrics in a Base Search for ITSI and the search below isn't recognizing it I need to track Indexer Disk Usage and took this from another app to attempt to get it adding |eval _time=now() | rest splunk_server="Indexer01" /services/server/status/partitions-space |eval _time=now() | eval free = if(isnotnull(available), available, free) | eval usage = round((capacity - free) / 1024, 2) | eval capacity = round(capacity / 1024, 2) | eval compare_usage = usage." / ".capacity | eval pct_usage = round(usage / capacity * 100, 2) | stats first(fs_type) as fs_type first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by mount_point | eval OptMountUsage=(if(mount_point=="/opt/mount",pct_usage,NULL)), OptMountSplunkdata2Usage=(if(mount_point=="/opt/mount/splunkdata",pct_usage,NULL)) Is there any way of doing this and if so, what would the resulting search look like for the Base Search? Many thanks as always ... View more

Hello (again), I have the following search: index=perfmon host=(serverA OR host=serverB) (object="Processor" OR object="Memory" OR object="Network Interface") The Interesting Fields that I need to utilize are: cpu_percent Value The problem is that "Value" represents the memory percent and the network use in kb's My question is - how do I write the search to break the 2 fields out as value for Memory and value for Network Usage? Many thanks. ... View more