Thank you. Maybe that could be used as a workaround. I guess I have to to the extraction change/enhancement myself then 😉   ... View more

It's a bit older but it seems to be some confusion around: Your second example is completely different from the first one as you use double quotes, i.e.   | eval var_type = typeof("num")   "num" is a literal string which has nothing to do with your variable! Take care about using double quotes (for strings), single quotes (for field names, e.g. containing spaces (for whatever reason... 😉 )) or no quotes at all (also for field names). Besides that to me it seems that this `tostring` function is buggy. If I convert any number using `tostring(number)` that should(!) become a string, regardless of any "format"-argument. And the "typeof()" function should then return "String" for this string. ... View more

Yes, that's exactly the line for th 8.2.9 version although the sha256sum is different there. ... View more

Even this is now 1year old 😉 But it's still possible to use these checksums as per https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/Dataintegritycontrol  Just use ./splunk check-integrity -index [ index name ] [ -verbose ] to check your indexed data and you will get "Integrity check succeeded on bucket..." or "Integrity check error for bucket..." (or maybe some other, similar output) for your buckets. ... View more

An older one, but... as said the `pem`-files under `distSearchKeys` are simply RSA-Private- and corresponding RSA-Public-Key files. These can be created (at least in a Linux environment) using the following commands: 1. Create private key file: `openssl genrsa -out private.pem 2048` 2. Create public key file from private key file: `openssl rsa -in private.pem -pubout -out trusted.pem` The `openssl` binary is located in Splunk's `bin` folder. If you want to create a trusted connection from e.g. a Cluster Master (CM) to an Indexer (IX) manually you just do the following: 1. create a new directory under `distServerKeys` named according to your CM-hostname 2. copy the `trusted.pem` file (i.e. the public key) from the CM's `distServerKeys` directory to the newly created directory on your IX 3. restart Splunk on both (in a cluster according to restart policy/rules) Under "Settings | Distributed search" on the CM you could then see if the connection between CM and IX is established: State = Up, Health status = Healthy If one of the above steps failed you get: State = Down, Health status = Sick (at least this was the output during my experiment I just ran) ... View more

Should this "day column" go on a row of its own? What if you have more than one data rows for a particular day? Maybe you want to have a look at the "bin" command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bin) to group your events by day with a "span=1d" parameter. ... View more

Is this for Enterprise Security? Maybe you get better results if you add the label accordingly. ... View more

What kind of data are you working on? Which input are you using? ... View more

What do you exactly mean with "all dates between my time picker"? What is the output of your SPL? What did you expect? Could you give some example data? ... View more

Just a friendly hint: you added your solution as comment what is good as everybody could see it. It would be even better if you convert it to/post it again as an answer - that's something different 😉 And as a last step you then accept this answer as a solution - so everybody could see right in the search results, that this question already HAS a solution. ... View more

@delewis13 could you please paste your corresponding dashboard code? ... View more

Have you checked the "ValueError: Invalid format string', 'event': 'Invalid format string'" (line 6) and "ValueError: Invalid format string" (line 15) messages? Maybe there's something wrong in some token.#.replacement string. ... View more

You are too late - this one was solved already four month ago 😉 But thank you for pointing this out - for some reason I thought, that putting single quotes around the password (see above) belongs to the syntax of the "--decrypt"-command. But of course - it's just the shell escape. ... View more

In the end it really doesn't matter, which team I give my points - it's all for supporting the corona studies, but... You are talking about two different teams here: a) Team: Splunk Folding@Home Research Labs (also referred to as "Buttercup Research Labs Team #: 238889) Link b) Team: Splunk Community Link Which one is "the one"? ... View more

At least today - e.g. in a Red Hat 7.6 environment - wildcard settings are used for the root user also. ... View more

This one is quite old - but still wrong - therefore the downvote. sysctl -p -command load kernel settings from /etc/sysctl.conf . That's different from the user-specific settings in /etc/security/limits.conf , which are not read by this command. Instead one has to logoff and logon again. ... View more

Yes, right, I read that Ubuntu 18.04 - and then immediately forgot it - my bad 😉 ... View more

Just an add-on: What kind of system do you have? E.g. RedHat currently uses firewalld by default - so you won't find any iptables -service. Maybe "the guy that have installed [...] this" is not that bad 😉 ... View more

Just go to "Settings" - "Licensing" - there's all you need. ... View more

Glad you have a solution. Some points to consider: you really should think about using the default ports, especially don't use 9997 - which is normally used for ingesting data - as the web gui port (which normally is 8000) - it makes things unnecessary confusing while reading docs or ask questions e.g. at answers.splunk.com 😉 as v8.0.1 is out all versions 6.x are at the end of life; so it seems to be the right time to upgrade your installation to something more current, e.g. 7.3.3; have a look here for details ... View more

9997 - in a default installation - is the port you use for incoming data, e.g. from your Universal Forwarders. The management port - in a default installation - which you use to access the REST API using your browser is 8089. Using that no "en-US" will be added to your URL. ... View more