I've been noticing some bundle distribution errors recently on one of my search heads. This search head is part of a 3 server search head cluster connecting to an indexer cluster. The message I am seeing is this:     06-30-2020 08:04:57.184 -0400 ERROR DistributedBundleReplicationManager - HTTP response code 400 (HTTP/1.1 400 Bad Request). Error applying delta=/opt/splunk/var/run/searchpeers/CD224AB5-4AD5-4680-BA13-01234645B8B6-1593518595-1593518680.delta, searchHead=CD224AB5-4AD5-4680-BA13-01234645B8B6, prevTime=1593518595, prevChksum=730910445532009996, curTime=1593518680, curChksum=3452252417076391070: Error copying /opt/splunk/var/run/searchpeers/CD224AB5-4AD5-4680-BA13-01234645B8B6-1593518595/indexing_tokens to /opt/splunk/var/run/searchpeers/CD224AB5-4AD5-4680-BA13-01234645B8B6-1593518680.2346fcb2e8de1493.tmp/indexing_tokens. 1 errors occurred. Description for first 1: [{operation:"stat'ing source directory", error:"No suc... (message truncated, search splunkd.log for "distribution_error" to see it in full).       I haven't had much luck finding anything on this on Answers or just searching for the issue. I've gone to the splunkd.log to search for this message but it actually shows truncated at the source, so there isn't "seeing it in full" there. May need to turn up logging level for it. Just wanted to see if anyone had any thoughts or have run into this before? ... View more

I have a search being executed via script hitting the REST API. Occasionally it will return no results and looking for the associated events in _internal we get the below: Through this we can see that once it hits around 300000ms (5min) the search times out. Anything below it we get data returned as shown by the non-zero values after each 200 status code. I've been looking through the spec files for what setting might be imposing this limit but have not had any luck in finding one that changes this value. I've gone through looking via grep " 300 " /opt/splunk/etc/system/README/*spec as well as other variations of that time format. In addition to this, I have sent arguments with the POST for auto_cancel and ttl and it does not appear to affect this 5 minute timeout. Any thoughts as to where this limit is being imposed? ... View more

I've been looking at Answers posts on this and tried many things but haven't had any luck getting my custom app icons to appear. I have all named correctly and placed in app/static. Here is what I have tried so far: 1.) search-head/en-US/bump 2.) search-head/en-US/debug/refresh 3.) ./splunk restart splunkweb 4.) ./splunk restart 5.) I've looked at the endpoint for the image at search-head/en-US/splunkd/_raw/servicesNS/admin/my_app/static/appIcon.png and it shows the default image. Pulling the image from the app and opening it shows the custom image. 6.) Submitted it to the AppInspect API and the report came back that all permissions and images are proper size and name. 7.) Cleared browser cache and tried different Internet browsers with the same results. Opened on a colleagues system with their account and still shows default "App" icon. 8.) Updated app package and increased app.conf build number Anyone have other ideas? Not sure what the next step to troubleshoot this would be. ... View more