Hi, I was able to resolve the issue. The issue: You are probably trying to perform vetting in a windows environment. This is causing the file & directories to have improper accesses which do not comply with the App inspect procedures in splunk as they are built around NIX OS. Solution: 1. Dowload CYGWIN (https://www.cygwin.com/setup-x86_64.exe), and install it in your windows machine, and open CYGWIN. 2. Go into /cygdrive/<your app location> and run the following commands: find <your app> -type f -exec chmod 644 '{}' \; find <your app> -type d -exec chmod 700 '{}' \; (Make sure to check the permissions by running the command: ls -lR) 3. Create the .spl file also by using cygwin terminal: tar -zvcf <your_app_name.spl> <app_name> 4. Now try vetting procedure, I did it using postman, and this time it worked. ... View more

Hi,   ere you able to resolve this on windows?   thnxx ... View more

Hi,   were you able to resolve it? ... View more

| fieldsummary | search values=*\"value\":\"<what value you exactly want to check>\"* | table field ... View more

| stats max(avg_io_wait_time) as avg_io_wait_time by host | sort avg_io_wait_time | streamstats c as severity | eval host = printf("%*s", len(host) + severity, host) | stats max(avg_io_wait_time) as avg_io_wait_time by host ... View more

This worked smooth: | stats max(avg_io_wait_time) as avg_io_wait_time by host | sort avg_io_wait_time | streamstats c as severity | eval host = printf("%*s", len(host) + severity, host) | stats max(avg_io_wait_time) as avg_io_wait_time by host     ... View more

This is a query which can get you the cpu core for both nix and win servers:   | mstats avg(Processor.*) as * WHERE (index=win-metrics) instance!="_Total" host="***" by host instance span=5m | table _time, host, instance, "%_Processor_Time" | stats max(instance) as "cpu_core" by host | eval cpu_core=cpu_core + 1 | append [| mstats avg(cpu_metric.*) as cpu_* WHERE (index=nix-metrics) host="***" by CPU, host | table CPU, host | eventstats max(CPU) as cpu_core by host | stats max(cpu_core) as cpu_core by host | eval cpu_core=cpu_core + 1 ] ... View more

This is what I found and it worked! First of all the message, "Can not communicate with task server......" is vague and does not give a clear idea so it can be so many reasons, few of them are 1. Updating the java_home path 2. checking the jre version 3. Checking if the HF has approved license or is connected to the License Manager (its no longer the license master) 4. Change the task server port to 9995 or 1025, instead of 9998 What I Did was this: in the SPLUNK_HOME/var/log/splunk/splunkd.log  is showed some error for dbx-migration.conf so i added these lines by creating dbx-migration.conf in /etc/apps/splunk_app_db_connect/local [encryption] disabled = 0 upgrade = DONE   Then a restart of splunkd. Works super smooth ... View more

This will do the trick: | mstats avg(cpu_metric.*) as cpu_* WHERE index=<your_metrics_index> by CPU, host | table CPU, host | eventstats max(CPU) as cpu_count by host | table cpu_count, host | eval cpu_count=cpu_count+   the data being used is from the add on Link to the splunk add on for Splunk Add-on for Unix and Linux docs  ... View more

Hi, can you help me know what were you running on port 8088 except the HEC? ... View more

Oh yeah I did that. also, I was making use of REPORT instead of TRANSFORM in props.conf this is what worked: Props.conf [source::ping] TRANSFORMS-add_static_fields = mystaticFieldValue Transforms.conf [mystaticFieldValue] SOURCE_KEY = _raw WRITE_META = true REGEX = (.*) FORMAT = item::31 Fields.conf [item] INDEXED = true ... View more

This does create the field. However, it doesn't seems to be a metatag, as the field is not working with tstats for example: |tstats count where index=main location=* by sourcetype   Following error appears: When used for 'tstats' searches, the 'WHERE' clause can contain only indexed fields. Ensure all fields in the 'WHERE' clause are indexed. Properly indexed fields should appear in fields.conf. ... View more

This query can be further modified into this: index="_internal" source="*metrics.log" per_index_thruput series=* NOT ingest_pipe=* |stats sum(kb) as kb values(host) as host by series however this query will also show the amount of KBs being logged into indexes via summary indexing (sourcetype=stash), which is supposed to be not charged. Hence, I would prefer this query: index=_internal type=usage idx IN (*) source="*license_usage.log" NOT (h="" OR h=" ") ... View more

In order to get metrics index info also: | rest /services/data/indexes count=0 datatype=all ... View more

/services/data/indexes is not listing the metrics indexes ... View more

The problem here is that |getservice gives the direct dependencies instead of the the child dependencies further down the service tree. ... View more