We have a dashboard a user is having a problem with which I have been able to replicate some of the time. They have a link to a dashboard with selected values in the URL, however they get a 'Cannot create search' error on one of the dropdowns since it doesn't populate with the value assigned to the field in the URL.  When using debug I can see instead of having the selected value the field name is there ex: form.product_label.  Of course, if you select a value from the product dropdown then it properly populates the dashboard.  It seems like Chrome the dashboard properly auto populates when using the URL most often.   Since I have admin access and the issue happens for me about 60% of the time I don't think it's a permissions problem.    The user has read only access to the dashboard.  A colleague of theirs supposedly doesn't have any issues but haven't been able to confirm what browser they're using.   The user, with the issue,  states they're using Chrome and apparently, it's not loading for them at all.  I've asked them to try refreshing the page which they state hasn't worked either  Since there's no actual search ran I can't inspect the job because there isn't one. When checking console I can see this depreciation log.  Haven't found anything online to confirm if this would be the cause of the problem. [Deprecation] Listener added for a 'DOMSubtreeModified' mutation event. Support for this event type has been removed, and this event will no longer be fired. See URL for more information. My questions are if the Deprecation warning could explain why the dashboard isn't properly loading.  If that's not it, then what else could it be that I'm missing. thanks ... View more

Hello, We had an index that stopped receiving logs.  Since we do not manage the host sending the logs I wanted to get more information before reaching out.  The one interesting error that showed up right about the time the logs stopped was the following.  I have not been able to find anything useful about this type of error.  Also the error is being thrown from the indexer. Unable to read from raw size file="/mnt/splunkdb/<indexname>/db/hot_v1_57/.rawSize": Looks like the file is invalid. thanks for any assistance I can get. ... View more

I have a few scheduled jobs running from an TA.  Multiple ones have | collect index=summary at the end of the SPL.  For some of them when they run I get 0 results with a warning "no results to summary index".  I reran the job manually and can see the results.  I can see there's a macro error in the job that did not have any results but the other job that ran has very similar SPL and works fine. When I looked at search.log the one thing that stood out is for the one that ran with results. This was in the log user context: Splunk-system-user The job that did not return results did not have "user context: Splunk-system-user" my question is what sets the user context and what overrides it (if possible) to see if this is the cause of my problems. thanks ... View more

Hello, We had a customer stumble across this issue recently.  I tried changing the default_auto_cancel from 30 to 62 but after restarting splunkweb I could still pretty much consistently cause searches to be cancelled by switching tabs.   I checked Edge, Chrome, and Firefox.  On Firefox the issue did not occur.   My question is there another attribute I could try changing to fix this in Chrome and Edge?  If there isn't an attribute then what browser setting would need to be changed to correct this? thanks https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Knownissues 2021-12-21 SPL-216787 Searches are cancelled or time out when the user leaves the browser window or switches tabs.   Workaround: In Splunk Enterprise 8.1.7, 8.2.4, and higher change the job_default_auto_cancel setting in $SPLUNK_HOME/etc/system/local/web.conf from the default value of 30 to 62     ... View more

I'm attempting to renew the certificate on a splunk proxy server.  According to our workflow after the certificate has been renewed I need to restart the nginx service.   My question is will restarting the nginx service on the Splunk proxy server end any sessions in-between the user and the POD or do they have some persistence through a restart.  Even if there is only a brief outage it needs to be known for our documentation. thanks!  ... View more

Hello, I had  PagerDuty App for Splunk | Splunkbase installed on our instance of Splunk and when I went to the setup page and put the API and integration url in and it confirm nothing happened. When I checked on the browser console I saw there were two 404 (not found) errors.   splunkd/__raw/services/properties/alert_actions/pagerduty/param.integration_key?output_mode=json&_=23232443242   When I tried clicking confirm I receive another 404 error.   There there's no alerts_actions.conf in the pagerduty local folder and there is one in default I checked the security rights and they all seem fine.  I tried making a local dev instance to see if I could break the permissions and replicate the error but it worked fine everytime and created a alerts_actions.conf in the pagerduty app local folder.   If anyone knows a solution to this problem I'd greatly appreciate the help.  My current theory from the initial 404 error and URL chunk I included, is it keeps looking for the alerts_actions.conf in the local folder.  So if I manually created it with the proper stanza and fields that might let me setup PagerDuty.  As to why it's not actually creating it I'm not sure since the permissions all look good. thanks ... View more

Hello, I'm using an App which is listed as a visualization.  With it I can go into a dashboard and create a panel with it.   My question is because I don't have to copy and paste in XML code myself for a panel does that mean if the App updates then any related panels would automatically update as well.  If not do I need to recreate it as I would for a panel I'd manually create.   thanks ... View more