Hi @andynewsoncap What about creating a custom app that executes: Linux: date +%Y-%m-%d_%H:%M Windows: Get-Date -format "yyyy-MM-dd_HH:mm" and have your splunk components send the output to your indexers?   ... View more

I am getting the same error on 7.1.2 ... View more

This is now possible to do in SimpleXML. Modify your input, and add a change action <default>1</default> <change> <set token="display">$label$</set> </change> The change your panel title to use the new token <title>Demand Billed - $display$</title> ... View more

Try adding "/jre" to your JAVA_HOME path. From what I have read, it requires a JRE, and not the JDK. ... View more

Try changing the trigger action to "For each result" to get more than the first row. ... View more

Have you tried to use the $result.fieldname$ token, and change the trigger to "For each result", otherwise you will just get the first row? ... View more

I was sort of able to do this myself. You may want to try Based on your example above: | spath input=some.request.complete actions{} | mvexpand actions{} | spath input=actions{} | stats sum("Bar.UPDATED") by "Foo.UPDATED" ... View more

If you are running under windows, change the forward slashes to back slashes for the [script] ... View more

Try this in your props.conf [your-sourcetype] KV_MODE = xml BREAK_ONLY_BEFORE = <ns0:MrmMessages_3_0 NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = true ... View more

The Splunk App for Unix also installs "SA-nix" and "Splunk_TA_nix". Remove these as well, and your error should go away. ... View more

Search Head, one or more in a cluster. I am getting this error myself, also after installing the Splunk App for Unix and Linux. ... View more

I had the exact same issue. No matter what I changed the sourcetype to, unless it was "server", which is the default, I got those characters coming through. I even tried the charset suggestion from here http://answers.splunk.com/answers/24484/sql-server-errorlog, but then on one server I started to get even stranger results. Only seems to happen with the Cerberus FTP log file though. ... View more

It appears that limit only works for timecharts, but you should be able to get the answer you are wanting by doing a reverse sort, to get the "top" entries to appear first, and then do a head, to show only the first x rows. So your search string should be : index=foo | eval length=length(_raw) | chart eval(sum(length)/1024/1024) as MiB by application | sort -MiB | head 15 ... View more

I found that changing your timezone, and researching updates the extrapolated time, but I needed to logoff to have the histogram update to the correct time. ... View more

I have S.O.S. installed, but would not know where to start looking, as it looks like the agents are not reporting. ... View more