I am looking for a solution too,  But in the meanwhile you can do a restart of the deployment server which clears the old records.  ... View more

Even I am facing the same issue. Were you able to figure out anything ?    ... View more

pip install future  I cannot install this because I see that pip is not installed on the hosts and I don't have root access to the host.  ... View more

Traceback (most recent call last): File "etc/apps/splunk_app_cloudgateway/bin/drone_mode_subscription_modular_input.py", line 23, in <module> from spacebridgeapp.logging import setup_logging File "/opt/splunk/etc/apps/splunk_app_cloudgateway/bin/spacebridgeapp/logging/__init__.py", line 1, in <module> from spacebridgeapp.logging.spacebridge_logging import setup_logging File "/opt/splunk/etc/apps/splunk_app_cloudgateway/bin/spacebridgeapp/logging/spacebridge_logging.py", line 7, in <module> from spacebridgeapp.logging import setup_logging as itoa_logger File "/opt/splunk/etc/apps/splunk_app_cloudgateway/bin/spacebridgeapp/logging/setup_logging.py", line 3, in <module> from builtins import object ImportError: No module named builtins I am getting the above error , do you know how to solve it ? @casingc_splunk    Thanks,  ... View more

@casingc_splunk , please check  ... View more

 Unable to initialize modular input "drone_mode_subscription_modular_input" defined inside the app "splunk_app_cloudgateway": Introspecting scheme=drone_mode_subscription_modular_input: script running failed (exited with code 1)   What about this message ? How to resolve it ? @casingc_splunk  ... View more

Too many events (100K) with the same timestamp: incrementing timestamps 1 second(s) into the future to insure retrievability   Even I am having the same error but my data does not have a timestamp in the event, so I kept it to DATETIME_CONFIG=CURRENT .  How do I overcome this error ?      ... View more

Thanks @to4kawa ,    I was stuck at  (.) part.  what does (.) mean in regex , how did you manage to figure it out ?  do we need to always capture something in the LINE_BREAKER before we write the regex.    Thanks Nawaz.  ... View more

yes , the SPL seems fine.  But in reality , each event contains 50 different certificate tags and comes to 4096 lines in each event.  The main drawback is if we do spath and mvexpand the raw events view would be the same and confusing,  i.e, every event would have 4096 lines instead of just one certificate.,  And if we do spath and mvexpand on many events where each event has 50 different certificates , it would take a lot of time. and unclear.    That's why I was preferring to break the events at props level so that each certificate would go to each event and the raw events view would be easy to work with.  Anyways, thanks for the SPL  you deserve points.  ... View more

Hi @to4kawa ,   It didn't work . I want two separate events like this., I tried LINE_BREAKER and break only before in props.conf, to parse the data into individual events but still didn't work.  I was able to use regex101 and find a regex to break the event and applied the same regex in Splunk but its not taking  { "NotAfter": "2020-09-06T15:34:22-07:00", "NotBefore": "2019-09-07T15:34:22-07:00", "allowedOperations": [ "certificate_show", "certificate_der_download" ], },   { "NotAfter": "2020-10-07T10:51:40-07:00", "NotBefore": "2019-10-08T10:51:40-07:00", "allowedOperations": [ "certificates_show" ], } Thanks  Nawaz ... View more

Thanks for the reply, I see a bookmark button as well. If I bookmark a question , where can I find it in the profile ?  ... View more

So you mean we cannot perform search time extractions again on already search time extracted fields. ?? ... View more

I figured out the issue here. The SOURCE_KEY = list , the field list here is an already search time extracted field. And I am trying to apply one more search time field extraction or a search time multi value field extraction to it and so it could not work. If I change the SOURCE_KEY = _raw , it works perfect but does not solve my case. As I want the extraction particular only to that field. I did not change any other parameters in my settings shown in the question except for the source_key. ... View more

Thanks for the regex. I figured out the issue here. The SOURCE_KEY = list , the field list here is an already search time extracted field. And I am trying to apply one more search time field extraction or a search time multi value field extraction to it and so it could not work. If I change the SOURCE_KEY = _raw , it works perfect but does not solve my case. As I want the extraction particular only to that field. ... View more

I figured out the issue here. The SOURCE_KEY = list , the field list here is an already search time extracted field. And I am trying to apply one more search time field extraction or a search time multi value field extraction to it and so it could not work. If I change the SOURCE_KEY = _raw , it works perfect but does not solve my case. As I want the extraction particular only to that field. I did not change any other parameters in my settings shown in the question except for the source_key. ... View more

zsdfgdsgfgsdfg dfgkh sdfl;askgh a;sdfkghjak gah fkgakfgakgj ha;sdghkjasgh as;kgkahsjkghao[YOWERT [Y [OYTUWEH ASDGH IQHIWURHTGIWQUHO HEOW ROIouoasdfoutyet uertyuqewr tyouyqwrtuootptypowreqyturwet wqrtu8 sdfgsdfg sdfg w['aE QWE[T QWETJHTJKERHWTERHWKTH EJRTHKJEWRHTUII auioprtywerryweuortyew c=IN IP4 10.33.22.11ghghfjgfhj ghjgjedkj wrktjyhoe oqw4u5yohwueirthywi hqiuehrtqtp[[qh erhtjqehrtueqhrtuiqwyhtkjewhgiuhdefjkaslhguqirotuyqpuyt quywertuipyp y] oiq ytuoqerytu htuqerhuthuqeirhtuy4238[ ]2u5]r iuwifhdjgfhjrhgtu =-+c=IN IP4 10.44.33.22+t334543 34q535asdtesdft ... View more

I can understand what you mean but it does not effect anything , I use the same format for other field transforms as well in order to avoid confusion and it works well. ... View more

ok. But I made a change in the UI and I looked at the backend CLI and the parameter was marked as 1 instead of true . ... View more