@Gr0und_Z3r0 Thanks for the support, much appreciated.  I ensured that all rest related capabilities were enabled, unfortunately still no dice.  What I did discover, though, was that I can list the licenser services no problem: I can even call some of them.  For example I can list the usage: I'll continue to investigate and update if I find anything. Best regards, Andrew ... View more

@Gr0und_Z3r0 Thanks again for the response.  I did not have that capability enabled for "admin" role, but after enabling it still didn't solve 😕 I tried debug/refresh as well, but no luck. Regards, Andrew ... View more

Thanks again @Gr0und_Z3r0.  I am running Splunk 8.2.6.  Also, I am running the search on the Search Head that is not used as License Manager.  I also have the same permissions for admin role: Any other ideas? Thanks! Andrew ... View more

@Gr0und_Z3r0 Thank you for the response!  Unfortunately this command does not return any results.  I am running it as local administrator in the search app.  Am I missing something?  Thanks! ... View more

Hello All, I am also facing issues post upgrade.  When trying to save via web UI after specifying to not save a backup I get the error "The lookup file could not be saved". One of the best apps for Splunk has effectively become useless 😞 Is this being investigated at all? Thanks! Andrew ... View more

Thanks for the input @PickleRick  ... View more

@Tom_Lundie Thank you again for the response, I appreciate you taking the time. I updated the sourcetype, deployed it, both problems solved: timestamp is no longer multivalue with "none" value and _time is associated correctly to the epochms value in the payload! Before making the change I ran the tstats search you provided and it returned value "none".  After I made the change and ran it again the value was null.  Then I tabled the results as before and the multivalue is no longer there (I also added timestamp_human and index_time to provide additional understanding): Thank you so much for the suggestions.  Accepting your response as the answer, specifically the sourcetype. Best regards, Andrew ... View more

More positive reinforcement from me!  Go team, let's reach the goal!  Always great to be part of something bigger and feel appreciated! ... View more

@Tom_Lundie Hello Tom, thank you for the response. You've hit the nail on the head, the badly associated _time is the problem I'm trying to solve.  When I started to investigate I noticed that the table produced a multivalue timestamp value where one value was "none".  That's what I assumed is causing the problem which is why I'm trying to figure out how to get rid of it. As requested: Entire JSON {    account_id: 1234567    dimensions: {      LoadBalancer: app/ingress/9c6692fe5eb2b0b8      TargetGroup: targetgroup/report-89f6283838/917587a99b43effd }    metric_name: UnHealthyHostCount    metric_stream_name: Cert    namespace: AWS/ApplicationELB    region: ca-central-1    timestamp: 1678214700000    unit: Count    value: {       count: 3       max: 0       min: 0       sum: 0    } } props.conf [sourcetype] SHOULD_LINEMERGE = false TRUNCATE = 8388608 TIME_PREFIX = \"timestamp\"\s*\:\s*\" TIME_FORMAT = %s%3N TZ = UTC MAX_TIMESTAMP_LOOKAHEAD = 40 KV_MODE = json   Search   index=index_name metric_name=UnHealthyHostCount namespace=AWS/ApplicationELB | table _time timestamp namespace metric_name   I don't have any additional config files, but I can tell you that the sourcetype is a slightly modified version of one of the sourcetypes contained in the Splunk Add-on for Amazon Web Services TA.   If it helps, I'm running Splunk Enterprise 8.2.6 with HF pointed to IDX cluster (3) and a single SH.  The sourcetype is located on all components in a specific sourcetypes app (it only contains sourcetypes that I deploy wherever I need them).   Thanks for taking the time.   Regards,   Andrew ... View more

@Jordan1 Unfortunately not. ... View more

@richgalloway Thank you for the response!  Am I correct in understanding that there's no way to accomplish what I'm doing while indexing, and instead I have to apply transformation at search time?  Thanks! ... View more

Adding the edit to mention that I figured out that in the inputs.conf file you can use a cron schedule for the "interval" parameter.  It's the TA UI that does not accept a cron value, which I think should be changed.  I see a new TA version was released in July, maybe it already accepts cron. Anyways, my solution was to spread the inputs across the following crons: 0-59/5 * * * * 1-59/5 * * * * 2-59/5 * * * * 3-59/5 * * * * 4-59/5 * * * * My assignment to these crons was based on which subscriptions send back the most data. So far I am not receiving any 429 Client Error. Regards, Andrew ... View more

@jconger I am facing this problem in 2022.  Using Microsoft Azure Add-on for Splunk 3.2.0 and Splunk Enterprise 8.2.6. I am using "Azure Metrics" inputs, there are 48 in total and they are scheduled to run every 300 seconds (5 minutes).  I have configured 1 thread per input, so technically I am making 48 calls every 5 minutes. I was hoping that I could modify the "Interval" parameter so it could be a cron job, which means I could run the inputs at different scheduled times, but that doesn't seem to be an option.  I was also hoping that there would be a "retry" option so that in case of Error 429 it would wait and retry, but this is not available either.  Are there any recommended approaches for solving this issue? The exact error I am receiving is the following: requests.exceptions.HTTPError: 429 Client Error: Too Many Requests for url: https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2019-04-01   Regards, Andrew ... View more

@yannK After much suffering I have basically discovered that the problem is due to a "." (period) character in the Entity Title.  It gets more painful though.  In order for the Object Import search to work I have to create a separate Entity Type with the same name but with a " " (space) characted instead of a "." (period) character as well as create an Object Import search.  Once this has been done, both Entity Types get updated even though I have a single Object Import search. Using ITSI Version:4.11.5 Build:22263. ... View more