Often that error ties to TLS settings. Force TLS1.2 with this command : [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ... View more

To see what is in main, you can run search like this: index=main earliest=-7d latest=now | fieldsummary As far as why it searches main, that is completely dependent on what your local Splunk admin set for the roles that your user has. The setting is called Indexes Searched by Default and whenever I am admin, I ALWAYS set all of these to <NULL> . It is VERY bad practices to write searches without specifying index because the behavior can change AT ANY TIME. ... View more

Did anyone fixed this error? I am facing same issue... ... View more

It will help if you give more detail about your configurations. ... View more

This search is also taking forever to run. ... View more

Next scheduled time stops at this time 2018-08-14 17:00:00 CDT and until now it is not updated Check the splunkd logs no error from my applications ... View more

Thanks @HiroshiSatoh, the solution you provided worked. ... View more

In order to remove events at index time use SEDCMD in props.conf ex: [your_custom_sourcetype] SEDCMD-remove = s/(place_regex_that_matches_events_you_wish_to_remove_here)//g Let me know if that helps. ... View more

Hi. I get this warnings in SPLUNK ES of a part of TA that we do not use. Any idea to get this turned off/disabled? Search peer [servername role indexer ] has the following message: Unable to initialize modular input "splunk_ta_aws_sqs" defined inside the app "Splunk_TA_aws": Unable to locate suitable script for introspection. ... View more

It sounds like you have a column missing from one of the files. Try running: |inputlookup <name of lookup> On both search heads, and make sure the rows & fields match. Secondly, are the files populated by a scheduled search? - could it be that you need to run/reschedule the search to populate it? ... View more

Hi, I found the below link related to this issue, https://answers.splunk.com/answers/123430/how-to-update-geoip-database-for-iplocation-command.html Please have a look and let me know if this can help? And what exactly shall be done? Thanks. ... View more

Okay, your code is like this... sourcetype=fgt devname=loc1 OR devname=loc2 OR devname=loc3 | eval Bytes=len(_raw) | eval Date=strftime(_time,"%Y-%m-%d") | eval GB=(Bytes/(1024*1024*1024)) | chart span=1d sum(GB) over devname by Date limit=0 The above should always give results when the following conditions are true 1) there are events in sourcetype=fgt with devname=loc1 OR devname=loc2 OR devname=loc3 2) field _raw exists in the events. 3) the events have a valid _time. 4) the events are on an index that you have access to read. (YOU SHOULD ALWAYS CODE "index=foo") 5) the search has time to complete. I suspect the problem is item 5. To test items 1-4, run this in verbose mode... sourcetype=fgt with devname=loc1 OR devname=loc2 OR devname=loc3 | head 1 | eval Bytes=len(_raw) | eval Date=strftime(_time,"%Y-%m-%d") | eval GB=(Bytes/(1024*1024*1024)) If the above search generates no results, then there is an error in the search code. Perhaps the fields have been renamed since the original search was coded, or perhaps you have lost security access to the index. If there are results, then verify that Bytes, Date and GB all have valid values. If they do, then the problem is probably that your scheduled search ran out of time before it could complete. Check the job for messages. I believe you can open the scheduled search (the empty results) and then use the job inspector to look for messages. There are a couple of ways to extend the search time, but we'll explore your followup question first, since tstats , if workable, is a better use of machine time. ... View more

The above query will only work and provide license usage using _internal index. But the input is coming to different indexes. But, we need to group the hosts by the _meta field and find the license usage of each group. Is it possible to calculate license usage using the _meta field added to every host in the configuration? ... View more

This question is a few year old, but here's the latest answer in case someone else needs it... If your Windows 10 build is 17063 or later, you have curl.exe built into Windows. Source: https://techcommunity.microsoft.com/t5/Containers/Tar-and-Curl-Come-to-Windows/ba-p/382409 How to check your build? Press the Windows key and the r key at the same time, sometimes noted as WIN+R, to open the Run dialog box. Type winver in the run box and press enter. How to use curl on Windows? Call curl.exe and use parameters Just like curl on Linux or Mac. So your line #1 becomes: curl.exe -k https://10.19.16.101:8088/services/collector/event -H "Authorization: Splunk 982D05B0-8603-4311-A1AF-32462BA47C9F" -d "{\"event\":\"Breakfast Order\"} {\"event\":{\"coffee\":\"double cream double sugar\",\"muffin\":\"blueberry\",\"juice\":\"none\"}}" ... View more