Did you get an answer for this?  I think we're running into the same thing ... View more

@chandvit and @dm1  Did either of you figure this out?  I'm trying to remove an idx peer from my cluster and it seems to be getting hung up on these messages. ... View more

Thanks for the suggestion, I'll try that out.  Not sure how much control I have over the dynamic creation of the curl commands generated though to know whether or not I can send events that need it and not for those that don't. In my case, I'm using Splunk Connect for Syslog (SC4S).   ... View more

I don't know how to fully solve the OP's issue, but I did figure out how to do it with an epoch that's showing up in the event. Using an IDX transform on the sourcetype.   (For me, I had the epoch time at the start of _raw. [set_x-balancer_time] SOURCE_KEY = _raw REGEX = ^(\d{10}\.?\d*)\s FORMAT = $1 DEST_KEY = _time DEST_KEY = _time  - requires the timestamp to be in epoch format, so in order to get that to work with another timestamp you'd have to find a way to change it into epoch.   ... View more