Splunk calls that "filtering".  See https://docs.splunk.com/Documentation/Splunk/8.1.3/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues and https://community.splunk.com/t5/Getting-Data-In/Filtering-events-using-NullQueue/m-p/66392 ... View more

Hi! It's not working as expected. It gave me in results:  NbF=1 ; XXXRD.NN0015.67965.SERVER1; What I need is " NN0015". I will continue to search with your solution, I can maybe do something with it 🙂 ... View more

I'm not aware of apps for backing up Splunk, but there is at least one for backing up the KVStore in splunkbase. Yes, backing up etc and kvstore is enough. ... View more

Technically, a Splunk search head cluster is at least 3 nodes so no one server will be your SHC. Start by examining the server.conf file on each instance for a [shclustering] stanza.  That should be present only on SHC members. ... View more

Why can you not run the Rebuild Asset Table step?  Without this step, it sounds like nothing else will work. The app is supported by the developer.  Have you tried contacting them? ... View more

More details, please.  What problem are you trying to solve?  What queries have you tried so far?  Are you looking for the user-agent string from one of your Splunk indexes or from a Splunk user.  If the latter, then there is no query for it. Is your web server sending user-agent strings to Splunk for indexing?  If not then no query will find them and you should work on getting that data indexed.  If it is indexed then you should be able to search for it, assuming your role has access to the proper index.  Again, we'll need more information to be more helpful. ... View more

The key thing to know here is subsearches execute before the main search runs.  Search for the first party in the subsearch and the second party in the main search and it should work. ... View more

It's not clear what problem you are trying to solve.  Are you looking for data that is at least 2 hours old or a lack or events in the last 2 hours or something else? ... View more

See https://dev.splunk.com for ways to run Splunk searches externally. ... View more

That looks unusual.  Not only are zeroes added, but the '137' has moved position.  Please explain how the address is ingested by Splunk.  What are the props.conf and transforms.conf settings for that sourcetype? ... View more

Apparently, the iplocation command can't handle a multi-value field.  Try putting iplocation before stats. | search...... | iplocation remip | stats count(tunnelid) as sessioncount, values(*) as * by user   ... View more

Thats the thing. I am not able to install from Splunk web. I have no issues starting the service. It crashes when attempting to install add-on(s). Thanks ... View more

It should be possible.  What happened when you tried it? ... View more