Hi, My enterprise is using Mothership 2.0 and recently, mothership seemed to continue its collection of data, but a few are not uploading to their respective indexes and we are having trouble getting it to work. ... View more

good morning, I am in the process of breaking out data from a data source that in one field contains a list of similar data for a single device (example below). example: (app | version\napp |version\n....) I have been trying to use a split command using \n as the delimiter and that seems to be working, but when I try to expand the events, only a fraction of the events return. I have included a sample of the code i've been using for your review. .....|eval new=split(_raw,"\n") |mvexpand new This seems pretty straight forward, but it doesn't throw an error and it does bring back data, but a small fraction of the what the total should be. Any suggestions would be greatly appreciated? ... View more

I am trying to create a report that would tell me if an item that should be available within a certain timeframe (i.e. last 30 days) has not been available. Splunk feeds is a full set of results everyday, so although the _time would be different, then computername would have to be rid of duplicates before specifying a time. this example does not throw an error, but also does not provide content. from a manual review, I know that content exists. example: index=test sourcetype=computernames |dedup computername |search latest=-30d thank you in advance for your help. ... View more

I performed an upgrade from ver. 5.0.4 to 6 on a Window 2008 server and it seemed to be successful, but ever since I have been getting intermittent problems when trying to logon. I started to receive errors like: 1. Servername:port timeout 2. or after authenticating I receive “ResponseNotReady” and this will continue until I restart the Splunk DB service. what can I do to resolve without rebuilding. ... View more