Any update on this topic? I am facing the same issue. ... View more

Hi guys, I had the same issue with Splunk 9.3.0 and DB Connect 3.8.x. To solve this just has to clear the cashe of the browser. Regards, ... View more

Hi You could try MC (monitoring console) to look those possible errors in ingestion phase. Settings -> MC Indexing -> Inputs -> Data Quality There are some selections to try to find errors. Then just click those error counts and it will open you query which shows more information about that issue. You could also modify that query to get more information about that issue. r. Ismo ... View more

You can download several versions directly from Splunkbase. But if the data "is not sending" it means that it's actually not being ingested because otherwise, unless you're explicitly filtering it, it should be forwarded to your downstream receivers. So check your config, check your logs, check your metrics. There are no miracles - something must be wrong. ... View more

Hi @PickleRick,   That is indeed the set up I have.  That is correct there isnt a issue with connection between the HF and Splunk Cloud but rather my results from the DBconnect app not sending to Splunk Cloud.  I am more so looking to see if anyone else has faced this issue before because I have checked several things and all looks well but no real solution to get the data transferred  ... View more

Please change the sourcetype and try ... View more

+1 On the "forget the KVstore" part. Unless you have one of those strange inputs which insist on keeping state in kvstore, just disable the kvstore altogether and don't worry about it. ... View more

I want to calculate average count per day and maximum count per month. Like all the Mondays , Tuesdays of a given month combined and averaged  ... View more

See this app for an example of making tabs using the splunk linked list input type. https://splunkbase.splunk.com/app/5256 You can use simple html links in an <html> panel to do whatever you need, you cannot directly put a link in one of the tabs using the technique above ... View more

Apart from finding the information (the _internal index by default rolls after 30 days), the trouble with "index sizes" is that there are so many different parameters which can be meant as "index size". Even simple dbinspect has two different parameters (rawSize and sizeOnDiskMB). Add to this summary and datamodel_summary directories... ... View more

Hi @Strangertinz  I usually use INDEXED_EXTRACTIONS and not KV-Mode. then if you hav SHOULD_LINEMERGE=false you have an event for each row, maybe this is the issue. Try my configuration. Then, as @richgalloway is asking: how did you find that events are sporadically? then have y9u multiline events or single line events? they should be multiline but with SHOULD_LINEMERGE=false you have single line events. Ciao. Giuseppe ... View more

Hi @Strangertinz  Really!  It is being parsed correctly?  I've know idea how it could be based on your example sample data and the props.conf shown.  Using LINE_BREAKER=(<log_entry>) and SHOULD_LINEMERGE=FALSE would rip the <log_entry> line out of the XML which would break the XML structured data format.   This might explain why the data appears clumped as timestamp extractions would only work on events which had the log_time value in it.  Events without timestamps would have to full back on to other sources, such as the mod time of the source file, for example.  If you use the hidden _indextime metadata (you need to rename the field to see it, e.g. "rename _indextime to indextime) this will give you the time (in epoch seconds) the data is ingested by Splunk (written to index) and you can check if the event time and index time match or vary wildly. ... View more

HI @Strangertinz, Try this search:   | makeresults | eval _raw="{ \"Key1\": \"Value1\", \"Key2\": { \"subKey2_1\": \"sub value1 for key2\", \"Manifest\": [{ \"flight\": \"start\", \"City\": \"Los Angeles\", \"code\": 7870, \"Inventory\": { \"snacks\": 300, \"status\": \"full\" } }, { \"flight\": \"end\", \"City\": \"Las Vegas\", \"code\": 7470, \"Inventory\": { \"snacks\": 56, \"status\": \"near empty\" } } ], \"subKey2_3\": \"sub value3 for key2\" }, \"Key3\": \"Value3\", \"Key4\": \"Value4\"}" | fromjson _raw ``` Above is just to format the data into a JSON event``` ``` Get the JSON data from Key2``` | fromjson Key2 ``` Split out the origin and destination fields``` | eval Origin = mvindex(Manifest,0) | eval Destination = mvindex(Manifest,1) | fields - Manifest, _raw, _time, Key2 ``` Update the field names so we know which was Origin and which was Destination``` | rex mode=sed field=Origin "s/\"([^\"]+)\":/\"\\1_Origin\":/g" | rex mode=sed field=Destination "s/\"([^\"]+)\":/\"\\1_Destination\":/g" ``` Extract all the fields from the JSON array ``` | fromjson Destination | fromjson Origin | fromjson Inventory_Destination | fromjson Inventory_Origin | fields - Inventory_End, Inventory_Origin ``` Table everything out on one row ``` | table City_Origin, code_Origin, snacks_Origin, status_Origin, City_Destination, code_Destination, snacks_Destination, status_Destination I'm using rex mode=sed to update the JSON with more descriptive names for the duplicated fields. The output is: Is that what you were looking for?   Cheers Daniel ... View more

This was perfect! Thanks! ... View more

Hi I'm expecting that your Key3 is on one line. You could try something like this on transform.conf [extract-key3] REGEX = \"Key3\":\s*\"([^\"]+) FORMAT = Key3::$1 MV_ADD = 1  and props.conf [<your sourcetype here>] TRANSFORMS = extract-key3 If you want to take only that value from data to index it and remove other you should add needed transforms to take only Key3 and put that on index queue and other to nullQueue. You can found examples for that on Filter event data and send to queues r. Ismo ... View more

Awesome! Thanks for assisting with the search! ITWhisperer for president!  ... View more

This is awesome! Thanks !!! ... View more