I confused it with the previous upgrade readiness app 🙂 I'll check this out in the lab, but the app has been blessed by cloud and that wouldn't be possible if it wasn't py3 compat. ... View more

V3.0.2 is fully cloud compatible and couldn't be if it wasn't python3 supported. The upgrade readiness app has been deprecated and is not reliable anymore as far as I know. ... View more

Yes, the solution is to use SPL commands to extract the fields from the curl_response field.   if it's json response, try | spath if it's csv, try | kv try | rex field=curl_response "(?<extractedFieldName>REGEXHERE)" ... View more

The latest version forces verify=True on ALL connections and can't be overridden.  That's so we could obtain cloud compatibility. you can use an older version of the app if you're not in splunk cloud.  If you are in splunk cloud, and perhaps even if you're not... another fix (perhaps better idea) is to setup proper TLS/SSL on the host you're attempting to connect to. ... View more

You could do this using the urifield option and eval.  Here's an example below: Using the urifield option | makeresults count=1 | eval uri="https://localhost:8089/services" | curl method=get urifield=uri   no reason you can't do something like | makeresults count=3 | streamstats count  | eval uri="https://abc.com:8089/app".count."/report".count"     ... View more

Glad I could help, what was "RR" though? ... View more

I agree!  Nicely explained! ... View more

Except that it doesn't apply RBAC view of the indexes. Except that it doesn't work if you can't reach indexers on 8089 and don't have indexes configured on your SH. Except that it's not as fast as eventcount and probably shouldn't be used in dashboard drop downs. ... View more

Hear me out... if you run a query that generates more events than the limit, it will not matter how often or even when you run that query. so what you have to do, is change your query or increase the limit.   ... View more

Does the query pull all the data every 10 minutes?  Instead of getting data for last 10m? If you run it every 5 minutes will it help? Please note the size limitation is not from my app, it's the limit on the azure API.  You have to reduce the results your query returns or it will always have this error. you should appeal to azure support if can't figure out how to reduce the size of your query, and can't increase the limit on the API. There's literally nothing I can do on my end to fix this issue.   ... View more

I'm not super familiar with log analytics queries. can you limit the time frame of the query? in splunk you have earliest, latest, etc.  can you grab half the data with one query and the other half with another? ... View more

Correct, I keep mixing up the name of the app. Which version of ssl checker are you using?   I will test this week and let you know if I have the same issue or not. ... View more

Does the slave-apps cert exist on the search heads?  If not; that explains why the code can't find it. ... View more

Ok, in the example ssl.conf you shared, it was directories, not paths to pem files.   Can you share ssl.conf, the version of ssl checker you're using and the version of splunk you are using so that I may try to replicate on my end? ... View more

Did you have the full file paths in the local ssl.conf? ... View more

i see, so then you'll have to manually drop the ssl.conf file in local or log into each SH individually and configure them via the configuration page. ... View more

Ok i see the issue. The app expects you to provide full file paths to the certs if you're using the manual mode. You're giving it directory paths instead. (add the file names to your paths) ... View more

Ok how about ssl.conf? ... View more

What is in inputs.conf? ... View more

Which is it? Deployer = for SHC Deployment Server = for UFs and sometimes HFs     ... View more