Hello, I had the same issue. You and I forgot one of the most important thing. 😀 The main problem is related to app permission, after set permission on file and the definition, go through: Apps > Manage Apps > "The App that contains the specific target lookup" Set read permission for the role that contains the user trying to read the lookup file. ... View more

I had the same issue, in my case I solved after configure specific capabilities for this role. edit_search_scheduler I hope this will help. Rodrigo Ribeiro ... View more

I had the same issue, in my case I solved after configure specific capabilities for this role. edit_search_scheduler I hope this will help. Rodrigo Ribeiro ... View more

I had the same issue, in my case I solved after configure specific capabilities for this role. edit_search_scheduler I hope this will help. Rodrigo Ribeiro ... View more

I had the same issue, in my case I solved after configure specific capabilities for this role. edit_search_scheduler I hope this will help. Rodrigo Ribeiro ... View more

Maybe my understanding is wrong, this script can be used only in the period i dont have data... That's it? I thought this script to do a difference too and add fault data, but that does not seem to be the purpose, correct? Tks, Rodrigo Ribeiro ... View more

Thanks somesoni2, Exactly, I have a JOB that runs "yesterday" every day, but because an error in a search during execution: "Unknown error for peer server_splunk003. Search Results might be incomplete. If this occurs frequently, please check on the peer" I have this situation, example: My JOB scheduled returned 300; My query ad-hoc in the same period returned 400; This occurs because a error message, i need to reprocess this difference and add data in summary index... ... View more

I hope I can help you... I was thinking of something like: sourcetype="web_ping" title="" filter_inoperable | eval hour=strftime(_time , "%H") | eval minute=strftime(_time , "%M") | where (hour>01 AND minute>20) | stats count as count ( lists the failures over 24 hrs)* With some combinations and date and time tests you can "hide" this period. Rodrigo Ribeiro ... View more

Klaxdal, Can you share your Dashboard (Query)? Rodrigo Ribeiro ... View more

Hi klaxdal, If setting your queries with filter and comparatives in the window known (0100 and 0400), would it suffice? Please, share some queries with us. Rodrigo Ribeiro ... View more

Hi, Could you try the command with double quotes: $curl -k -u "user:password" https://localhost:8089/services/search/jobs -d search="search " What version of curl you use? Rodrigo Ribeiro ... View more

Hunk ceases to exist and gives way to Splunk analytics for hadoop. ... View more

Hi, The configuration is exactly the same, the VIP is managed by the balance not requiring extra configurations. Could explain better? Rodrigo Ribeiro ... View more

It would be simpler to adjust the input, avoid writing a regex... Example: Select `Severity Code` as Severity_Code, `Transition Code` as Transition_Code from [your_table] ... Tks Rodrigo Ribeiro ... View more

Perfect Cusello. As informed by our colleague cusello, can be done by indexers, but in fact can not be done in a universal forwarder 🙂 Tks Rodrigo Ribeiro ... View more

Exactly, this needs to be done on a heavy forwarder. If interested, I would adjust the regular expression: transforms.conf [setnull] REGEX = (\"proto\":\"UDP\") DEST_KEY = queue FORMAT = nullQueue [setok] REGEX = (\"proto\":\"TCP\")|(\"app_proto\":\"ssh\") DEST_KEY = queue FORMAT = nullQueue props.conf [your_sourcetype] TRANSFORMS-set = setnull, setok Rodrigo Ribeiro ... View more

Ok, this is good. Maybe you should try with an add-on: https://splunkbase.splunk.com/app/1852/#/overview Rodrigo Ribeiro ... View more

This is no problem, I use the following site to test my regular expressions: https://regex101.com/r/YNDBcR/1 So it should look something like this: (\s\d\d\d\d\d:\d\d\s(INFO|ERROR)) Note: It is worth noting that this is not a rule, it can be improved. This option (NO_BINARY_CHECK), according to the link: http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Propsconf NO_BINARY_CHECK = [true|false] * When set to true, Splunk processes binary files. * Can only be used on the basis of [], or [source::], not [host::]. * Defaults to false (binary files are ignored). * This setting applies at input time, when data is first read by Splunk. The setting is used on a Splunk system that has configured inputs acquiring the data. Tks Rodrigo Ribeiro ... View more