Did you get a response on this? ... View more

I think a kvstore with json should do be what you want.. you can use collections.conf or the lookup file editor to define the non-json elements and type, and one for the array - then I would call them out explicitly in the transforms.conf file so you can play nicely with them using lookup and inputlookup>>> The structure you settle on will depend on how you analyze this going forward, but I'd be tempted to start with this (you can view it in https://jsongrid.com/json-grid) { "status": "finished", "duration_array": [ { "status": "A", "duration": 123 }, { "status": "B", "duration": 456 }, { "status": "C", "duration": 678 } ] } To use kvstore, you can define using the collections.conf, and lookup editor or the lookup file editor iin cloud I prefer using the structure I have suggested as you can easily insert new status values, becomes You should be able to refer to the data elements and do whatever you want - unless i'm missing the point ... View more

Ok found a bit more... 56 _userContext= nobody 08-19-2022 03:15:09.120 ERROR HttpClientRequest [13376 phase_1] - Caught exception while parsing HTTP reply: Unparsable gzip header in HTTP response 08-19-2022 03:15:09.120 ERROR KVServiceClient [13376 phase_1] - KVServiceClient transaction failed after 0 retries. uri = <blah> 08-19-2022 03:15:09.120 ERROR SSCInputLookup [13376 phase_1] - Failed to call KVServiceClient for Input Lookup: 08-19-2022 03:15:09.120 ERROR SearchOperator:inputcsv [13376 phase_1] - Error in 'inputlookup' command: External lookup table 'inputlookup' returned error code 0. Results might be incorrect. ... View more

Thanks but my starting point is not the time but the ip address -  | iplocation allfields=true src_ip Trying to build a table of people and offsets from UTC so I can decide - OK I'm going to send an alert at 10am for all people in Thailand ... or all people on Mountain time.  I know it won't be perfect - and I need to get rid of all the noise of VPNs and consider travellers but it's a lot better than sending emails at 2am in the morning ... View more

I found this web service which should get me what I want https://ipgeolocation.io/documentation/timezone-api.html - I'd have thought there is a way in Splunk - Basically my starting point is the iplocation -all and I need to interpret the Country/State timezone expression   # Get 'America/Los_Angeles' timezone information $ curl 'https://api.ipgeolocation.io/timezone?apiKey=API_KEY&tz=America/Los_Angeles' { "timezone": "America/Los_Angeles", "timezone_offset": -8, "date": "2018-12-06", "date_time": "2018-12-06 02:02:09", "date_time_txt": "Thursday, December 06, 2018 02:02:09", "date_time_wti": "Thu, 06 Dec 2018 02:02:09 -0800", "date_time_ymd": "2018-12-06T02:02:09-0800", "date_time_unix": 1544090529.989, "time_24": "02:02:09", "time_12": "02:02:09 AM", "week": "49", "month": "12", "year": "2018", "year_abbr": "18", "is_dst": false, "dst_savings": 1 }   ... View more

As before I just clicked on upgrade in the management of apps screen and it seems to have emptied the local directory ! restoring from a backup ... View more

I'm fairly sure by clicking on the update hint  from the manaagement screen /en-US/manager/launcher/apps/local ... View more

I got  an all-in one setup, and just download the app without pre-testing - my bad ... View more

Did you get this resolved?   I'm getting this ... View more

Ok I was able to get a work around of sorts...  I suspect it would be resolved if i used rest to create the item in the first place, as I then would be in charge of explicitly declaring that some of these fields are arrays ( and then I wouldn't have to rely on the magic of tojson to deduce what it can't possibly tell).  (I';m using outputlookup to populate the very simple structure) The workaround - was just to accept that the kvstore stores the values, but realizing that reissuing a stats(value) command generates true mv fields which tojson pays attention to allows me to force the array json generation in this context.. and it does that even if there is only one value in the field which is destined to be sent as an array (in this requirement) so before generating sending the json on it's way I issue a stats command for the record to be sent.... inputlookup kvstoreresource where .... stats latest(action_type) as action_type,latest(asset_plugin_count) as asset_plugin_count, values(asset_uuid) as asset_uuid... here I explicitly am giving the tojson command which follows a heads up which fields are to be treated as arrays (the ones where I uses an mv generating command like list, values) and the fields which are just to be treated as single values so when I issue a tojson auto(*) command it takes the queues from the stats command Not sure if this is ideal. but it works and the volume of the integration is tiny - one record per day if that 🙂  I was hoping that kvstore would have understood when it was populated with outputlookup that the single value fields generated with multi values were to be stored and exported as arrays avoiding this overhead ... View more

bit of an annoyance this one - hopefully there will be a new panel for the new dashboard emulation ... View more

sourcetype="0365:*" [ union [ ldapsearch domain=blah basedn="more blah "scope="sub" search="(&(objectCategory=person)(objectClass=user))" attrs="employeeID,mail,physicalDeliveryOfficeName" | eval email=lower(mail) | dedup email | fields + email | rename email as query | format] [ ldapsearch domain=blah basedn="more blah " scope="sub" search="(&(objectCategory=person)(objectClass=user))" attrs="employeeID,mail,physicalDeliveryOfficeName" | eval email=lower(mail) | dedup email | fields + email | rename email as query | format] ] | fields - splunk_server - src_ip - ClientIP - Senderip - SenderIP - host | eval user_id=lower(user_id) | eval src_user = lower(src_user) | eval user=lower(user) | search (user="*") (Operation="*") | fillnull value="Not Found" user Operation dvc | eval myfield = Operation + " | " + user | timechart count by Operation limit=0 ... View more

I'm getting the same ... View more

Ok my bad - I hadn't realized the tags are stored in tags.conf in the user directory under etc\local%username%\oldapplicationdir and they were still there... ... View more