I have the same issues.  Issue is fixed by correcting the EntityID in my saml configurations.  ... View more

doing this using host stanza. ... View more

I tried the props stanza with index and it didn't work. Looking for other approach to achieve this. ... View more

For sourcetype: though they have the common sourcetype, PROD index is also using the same sourcetype. Hence, dropping the data using soucetype will drop the prod data with matching pattern. Hence this is ruled out. For host: the combination are too many and it is going very complex. ... View more

yes, to be more clear. I want to drop all the events with string ERROR in it from set of indexes whose starting string is QA ... View more

HI, I am facing the same issue. How did you solve this issue? ... View more

Exactly, I mean the first scenario. In this, there are two cases. User logged in and the mobile app is running on background. User logged in and after some time mobile session was killed either by users/system. Requirement: In both the cases user should receive notification. I tested the case one and the test was successful. I am able to get the notification alert. 2nd test was failed. When I killed the splunk background program/session on my mobile, Notification alerts were stopped. I am not sure if this has something to do with SSO. When I was checking the documentation for "Splunk® Add-on for Mobile Access Installation and Configuration" (http://docs.splunk.com/Documentation/MobileAddon/2.4.0/Install/SSOConfiguration) I ignored the SSO part and jumped into "configuring of mobile app". ... View more

Hi, I agree with your point. Let me re-phrase my question. I have some users who will be using the mobile app to check the business statistics through some measures. We have created dashboards for same. Users cannot keep on monitoring the mobile dashboards 24X7. And so, alert notifications should be sent in case of critical alerts even when they are logged out of mobile app. Can you guide me achieve this? ... View more

https://answers.splunk.com/answers/345937/how-to-transpose-a-table-to-make-the-values-in-col.html?sort=newest use transpose header_field= ... View more

Hi, Thank You Very much. "transpose header_field=a" worked. ... View more

for 6.4.2 version, following are the links. wget -O splunkforwarder-6.4.2-00f5bb3fa822-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.4.2&product=universalforwarder&filename=splunkforwarder-6.4.2-00f5bb3fa822-linux-2.6-x86_64.rpm&wget=true' wget -O splunk-6.4.2-00f5bb3fa822-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.4.2&product=splunk&filename=splunk-6.4.2-00f5bb3fa822-linux-2.6-x86_64.rpm&wget=true' ,For splunk 6.4.2 version following are the links. wget -O splunkforwarder-6.4.2-00f5bb3fa822-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.4.2&product=universalforwarder&filename=splunkforwarder-6.4.2-00f5bb3fa822-linux-2.6-x86_64.rpm&wget=true' wget -O splunk-6.4.2-00f5bb3fa822-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.4.2&product=splunk&filename=splunk-6.4.2-00f5bb3fa822-linux-2.6-x86_64.rpm&wget=true' ... View more