A simple, but not trivial, question. When searching a log file, we sometimes find fields previously extracted "on-the-fly" from the search SH, in various ways (Regex, Field_Delimiter), or directly from the Indexer, again in different ways. NOW, the question: it often happens that we spend a lot of time searching for the exact config from which the extraction comes, sifting through the various SH and Indexer configs... eventually, between one thing and another, we get there. But, as mentioned, it often wastes a lot of time... just an example: i have a log where, in many years, many users put an hand, any user inserted his field extraction for a single field, creating something like 20/30 conf for a single log and for 20/30 fields... bothersome when debugging and seeking a single field (as said with the search form you get it quite soon, but...)!!! 🙄 Is there a quick way to understand WHERE a particular field extracted from the log COMES FROM? A "detailed-field-inspector" that tells us exactly: "this field is extracted from the SH, Regex, 'Sourcetype: my_extract_conf'"? Thanks. ... View more

Hello. I'm having new issues after upgrading a DS from V.9.1 to V.9.4.5. Every phone-home from the UFs (i have about 2000 UFs), gives a 0 [ZERO] in UI. I can see UFs connected to 8089 of my DS Listener, many errors on Splunk logs, AdminHandler:AuthenticationHandler [289178 TcpChannelThread] - Denied session token for user: splunk-system-user On UFs i have the classic "deploymentclient.conf", with a simple, [target-broker:deploymentServer] targetUri = myDS:8089 With previous versions i never had issues. Has something changed in 9.4 for UFs to DS connect? Thanks.   ... View more

Hello. Another great problem. I tested the update on a clean install, 9.1.0 (empty, default) to 9.4.4, and all worked fine. KVSTORE passed fom V4 to V7 and is running, by running step-by-step own upgrade. Now i did the same update on a production instance, and there's no way to update KVSTORE 🤤 ==> BEFORE THE UPDATE 9.1.x This member: backupRestoreStatus : Ready date : xxx dateSec : 1761289316.9 disabled : 0 featureCompatibilityVersion : 4.2 guid : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx oplogEndTimestamp : xxx oplogEndTimestampSec : xxx oplogStartTimestamp : xxx oplogStartTimestampSec : xxx port : 8191 replicaSet : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx replicationStatus : KV store captain standalone : 1 status : ready storageEngine : wiredTiger KV store members: 127.0.0.1:8191 configVersion : 1 electionDate : xxx electionDateSec : xxx hostAndPort : 127.0.0.1:8191 optimeDate : xxx optimeDateSec : xxx replicationStatus : KV store captain serverVersion : 4.2.17 uptime : 347 ==> AFTER THE UPDATE TO 9.4.4 Splunk Enterprise 9.4 and higher no longer support KV store server version 4.2. Upgrade to KV store server version 7.0 for continued support and security, and to comply with Splunk Support Policy. See https://docs.splunk.com/Documentation/Splunk/latest/Admin/MigrateKVstore in the Admin manual to plan your upgrade. This member: backupRestoreStatus : Ready disabled : 0 featureCompatibilityVersion : An error occurred during the last operation ('getParameter', domain: '15', code: '13053'): No suitable servers found: `serverSelectionTimeoutMS` expired: [Failed to read 4 bytes: socket error or timeout] guid : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx port : 8191 standalone : 1 status : starting storageEngine : wiredTiger versionUpgradeInProgress : 0   Thanks. ... View more