We have the following command that works well -    | transaction job_name startswith=STARTING keeporphans=true   Is it possible to convert it to the stats command? ... View more

The Monitoring Console is very slow, the Overview page takes five to load to report about 150 indexers. Any other page takes a couple of minutes to load. What can it be? ... View more

We have the following -    <input type="dropdown" token="Status" searchWhenChanged="false"> <label>Job Status</label> <choice value="*">ALL</choice> <choice value="SUCCESS">SUCCESS</choice> <choice value="FAILURE">FAILURE</choice> <choice value="RUNNING">RUNNING</choice> <default>*</default> <initialValue>*</initialValue> </input>     In the code the following works just fine -   | where STATUS = "$Status$"     Except for the ALL token as the code would be -   | where STATUS = "*"   Instead of -   | where STATUS = *     What can be done? ... View more

How can we ensure that the HTTP Event Collector works correctly? without dropping connections on the HEC endpoint, solid flow of data, batching that is implemented correctly etc. What are the best practices around it? ... View more

We are quite close to reach the license limit, data wise, about 2 TBs off the 20 or so TBs allowed. What can we do to insure that we don't breach the license limit? ... View more

Is there a way to add an index to the underlying Oracle table behind the Unified Audit Trail view? We have performance issues and we thought about making the rising column an index. ... View more

Between these two locations -   $SPLUNK_HOME/etc/apps/TA-eStreamer/data $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/tmp   30 GBs are taken for files as old as one and half years. Are there any configurations in these Add-ons to clean after themselves? ... View more

The case at https://community.splunk.com/t5/Getting-Data-In/Issue-on-file-monitoring-using-forwader/m-p/478063#M82045 is similar. When files are being ftp'ed to the location we see in _internal errors that the file can't be read. Comes the weekend and this host is being rebooted and the files are being ingested. We looked at MonitorNoHandle that allows reading while the file is being written on Windows but MonitorNoHandle only allows one such file per stanza. We asked the customer to ftp the files to another directory and move them later via a script but the customer wasn't thrilled about this idea. We also thought that maybe there is a way to have the UF check for new files multiple times before putting them in the black list and it doesn't seem to be possible. What can we do?       ... View more

I was asked to ask - Our alerts are relying on various lookups, lookup generators, and other searches. If anything about these underlying layers fail, we have an alert with failing SPL, and these failures are silent, so the alert fails, and we have no idea that it’s because an error in SPL not because there are no events generating them. Would you ask Splunk Support groups, do we have any option to create an alert action to send us an email whenever a scheduled alert SPL fails due to errors in that SPL? We really need that.   ... View more

I got the following error when a setting a data input in DB Connect - java.lang.NullPointerException at java.net.URLDecoder.decode(Unknown Source) at com.splunk.dbx.utils.PercentEncodingQueryDecoder.decode(PercentEncodingQueryDecoder.java:20) at com.splunk.dbx.command.DbxQueryCommand.getParams(DbxQueryCommand.java:274) at com.splunk.dbx.command.DbxQueryCommand.generate(DbxQueryCommand.java:350) at com.splunk.search.command.GeneratingCommand.process(GeneratingCommand.java:183) at com.splunk.search.command.ChunkedCommandDriver.execute(ChunkedCommandDriver.java:109) at com.splunk.search.command.AbstractSearchCommand.run(AbstractSearchCommand.java:50) at com.splunk.search.command.GeneratingCommand.run(GeneratingCommand.java:15) at com.splunk.dbx.command.DbxQueryCommand.runCommand(DbxQueryCommand.java:256) at com.splunk.dbx.command.DbxQueryServer.lambda$handleQuery$1(DbxQueryServer.java:144) at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source)   Has anybody seen it before? ... View more

With our cyber data, we have cases when streams of data stop, due to a down forwarder, bad DB connection etc. and cases when the streams suddenly increase in volume such as bluecoat cases, dns attack and more. We would like to alert on these cases without hardcoding the various indexes or sourctypes. We also wonder whether there is a good way to do it in ITSI. ... View more

We would like to be alerted when an alert has been changed. We use -     | rest /servicesNS/-/-/saved/searches   This call brings back the owner but not the recent modifier id. Is there any way to get the modifier id?   ... View more

When ingesting csv files we get the warning and error in _internal - ERROR TailReader [5588 tailreader0] - error from read call from <file name> WARN FileClassifierManager [5588 tailreader0] - The file <file name> is invalid. Reason: cannot_open. It happens when the new file, placed in the directory has the same 70 or so characters as an existing file. Shorting the file name and the ingestion worked just fine. Is there a limit for comparison? ... View more

Wondering if anybody is aware of any existing Splunk App or connector that has the ability to write Splunk query results out to an Oracle database Instance? ... View more