I think you want to look at should_linemerge or creating a specific line_breaker options in props.conf https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#Line_breaking ... View more

Correct, it would change the local instance to an indexer member. It does not allow you to perform remote administration of other peers. If you aren't running Splunk web on your indexers then you'll need to use one of the other methods listed in the docs. Directly edit the peer's   server.conf   file. See   "Configure peer nodes with server.conf"   for details. Use the CLI   edit cluster-config   command. See   "Configure peer nodes with the CLI"   for details. ... View more

Metadata search should be faster, and capture hosts without recent events. Otherwise you may need to use a lookup to define your list of hosts. | metadata type=hosts index=abc* | search host=efg* | eval warn=relative_time(now(), "-15m") | eval crit=relative_time(now(), "-30m") | eval status=case(recentTime >= warn, "Normal", recentTime < warn AND recentTime >= crit, "Warning", recentTime < crit, "Critical", 1==1, "Undefined") | table host recentTime status totalCount | eval recentTime=strftime(recentTime, "%c") ] ... View more

Try setting Content-Type 'application/json' in the headers. This is an example I'm doing using Python requests module. requests.post("https://hec-server:8088/services/collector", headers={'Authorization': 'Splunk xxxxxxxxxxxxxxxx','Content-Type': 'application/json'}, data=json.dumps({'event': dictVar}), verify="False") ... View more

If you are seeing that page it means you have the node configured as a Search head. Click on Edit > Node Type There you will be able to configure it as a Peer node ... View more

Body paint. Rinse and repeat daily is highly recommended. ... View more

Are you trying to get triggered alerts, or just ALL configured/enabled? You can get some of that info from a REST endpoint. | rest /services/configs/conf-savedsearches | search action.email=1 disabled=0 | table action.email.to alert.severity search splunk_server title ... View more

I assume you're wanting to create a custom table and not the Inline Table. The Splunk sendemail.py script will escape any html you write in the Message form, so it will all appear as text in the email body. There have been threads on this topic before, but I don't remember ever seeing a simple solution. ... View more

For advanced evaluation like that you will probably need to do it within the search itself. You can use time functions to evaluate the current hour, and then add temporary fields to evaluate and further filter the search against. This may not be the most elegant solution, but I think it works. The important lines being the creation of the "smallHand" hour field; using it to set the filter field; and then applying the where filter. | makeresults | eval smallHand=strftime(now(), "%H"), field1="abc;def;ghi", field2="Lorem ipsum dolor sit amet" | makemv field1 delim=";" | mvexpand field1 | eval smallHand=if(field1="def" OR field1="ghi", "10", smallHand) | eval filter=if(smallHand>=9 AND smallHand<11 AND field1="def", "True", "False") | where filter!="True" | fields - filter, smallHand ... View more

It looks like you are using colon as your key:value delimiter. In that case you can send the logs in the exiting format to Splunk and configure delimiter extraction. See https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Exampleconfigurationsusingfieldtransforms#Configure_delimiter-based_field_extractions ... View more

Are you possibly hitting the limit of max searches per the user role setting? ... View more

Along the lines of your original idea to copy an event and modify it. You could do that and use | collect command to write it back to your index. https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Collect ... View more

sorry, the board formatting removed the field extraction tag from my regex. | rex field=url "([chpt]://)(?<urla>.*)" | fields - url | rename urla AS url I was saying you already have the field named 'url' so you cannot simply specify the same field name in the rex command to overwrite the existing values. That's why I gave it name 'urla' and then dropped the old one and then renamed the new field to the 'url' I forget that you use % instead of * for a where. I would assume all those wildcards are what's increasing the execution time. ... View more

It may be helpful to mention that |where does not accept wildcards. If you needed to wildcard then change to |search url!=*edge-chat.facebook.com instead. And you will want to put that before your top 10 command ... View more

To filter a specific url from the results, just add a | where url!="tcp://edge-chat.facebook.com/" There are multiple solutions for stripping tcp, http, https, etc... example 1 using eval replace: | eval url=replace(url, "tcp://", "") example 2 using rex to extract then drop old field and rename new (can't just extract and overwrite): | rex field=url "([chpt]://)(?.*)" | fields - url | rename urla AS url example 3 in case you want to reformat specific url only, combine multiple eval functions: | eval url=if(url="tcp://edge-chat.facebook.com/", replace(url, "tcp://", ""), url) ... View more