I found a couple of things you can do here 1. Add the Entity Lookup Field from your correlation search here: That will give you whatever you evaluate entity_title too in your search as the impacted entity in your KPI 2. Just add the entity_key field to your lookup, this automatically adds any entities to the impacted entities for the KPI, though it won't add pseudo entities such as a combined field like host:disk ... View more

I was having the same trouble, even after adding the entity_title field to my correlation search. I fixed it by also adding the entity_key field. ... View more

I'm a beginner, can you be more specific? I'm having the same problem. I'm looking forward to your reply. ... View more

You might check out https://splunkbase.splunk.com/app/2949 "Meta Woot!". It's not nearly as robust or customizable compared to TrackMe, but it appears to be a simpler alternative that shows latency and lag.  ... View more

@merrelr You can make that object visible in all apps by exporting it to system     ... View more

I had the same issue setting up an Azure App Account. Turns out it was due to having mgmtHostPort = 0.0.0.0:8089 vs the default of mgmtHostPort = 127.0.0.1:8089 in web.conf/[settings]. ... View more

I saw this error/typo in the startup log          Checking conf files for problems...                 Invalid key in stanza [feature:admission_rules_check] in D:\Splunk\etc\system\default\health.conf, line 251: friendly_description (value: Notifies if the workload management admission rules configuration on this node is valid.).   So I removed line 251 of Splunk\etc\system\default\health.conf and it seemed to fix the problem       ... View more

Edit: This one should be more accurate and will also let you use the date picker.   index=_internal host="SPLUNK_DS_NAME" component=PubSubSvr event_message="Subscribed*" | eval hostname=mvindex(split(connectionId, "_"), 4) | search hostname!="direct" | eval guid=mvindex(split(connectionId, "_"), 5) | dedup guid sortby +_time | join guid type=inner [search index=_internal host="SPLUNK_DS_NAME" component=PubSubSvr event_message="Subscribed*" earliest=1 | eval hostname=mvindex(split(connectionId, "_"), 4) | search hostname!="direct" | eval guid=mvindex(split(connectionId, "_"), 5) | eval h_time=_time | dedup guid sortby +_time | fields guid, h_time] | addinfo | eval firstSeenDiff=_time-h_time | eval pickerDiff=now()-info_min_time | where pickerDiff>=firstSeenDiff | eval lastSeen=strftime(_time, "%Y-%m-%d %H:%M:%S") | eval firstSeen=strftime(h_time, "%Y-%m-%d %H:%M:%S") | table lastSeen, firstSeen, guid, hostname   This seems to be the earliest date stamp of events, not the forwarder check-in.   index=_internal source=*metrics.log group=tcpin_connections | dedup guid | table _time, guid, hostname   (Simplified version of Solved: Re: Listing forwarders - Splunk Community) I then realized this was just for forwarders sending data. Although it would be strange, you can have forwarders connected to just the DS.   index=_internal host="SPLUNK_DS_HOSTNAME" component=PubSubSvr event_message="Subscribed*" | eval hostname=mvindex(split(connectionId, "_"), 4) | search hostname!="direct" | eval guid=mvindex(split(connectionId, "_"), 5) | dedup guid sortby +_time | table _time, guid, hostname     ... View more

@tomasmoser  I'm having this same issue, but I don't quite understand your solution. I'm running splunk locally and logging in as admin which has all REST permissions.    ... View more

Hi @merrelr  Could be a possible storage issue - https://jira.mongodb.org/browse/SERVER-9439 This indicates a possible problem with the underlying file system or disk, which prevented Mongo from committing a write. Errno 5 is EIO, which normally indicates bad blocks, transient or permanent file system errors. It is not typically used to indicate lack of free space, but I wouldn't rule it out, either. If this is an EBS or other network backed instance, it could also indicate network problems. --- Hope it helps! ... View more

Did you ever solve this? If so what was the solution? ... View more

I had to update the props to use 127.0.0.1 instead of it's actual IP. I'm not sure what changed since yesterday with my testing. I left the endpoint as /services/collector/event and my props/transforms are working. props.conf [host::127.0.0.1] TRANSFORMS-$hostname_rename = host_rename_$hostname transforms.conf [host_rename_$hostname] REGEX = (.*) DEST_KEY = MetaData:Host FORMAT = host::$hostname ... View more