if I must hit the event endpoint, what is the "time" field it expects?  I am currently sending something called "time" and getting ignored, similar to OP.  ... View more

buehler? ... View more

what was your solution in this case, @gymmynzl --just better logging setup, or something else? ... View more

did you ever figure this out?  ... View more

An obvious thing to note:  if you are installing as a domain account, and not local user, make sure it's in the form of :  `domain\userAccount` ... View more

These links only DL the file directly for me;  but as of August/2020, you see the wget link on the "thank you" page, after you've downloaded. This link may work directly, or you may need to choose a version and start downloading first, to see the wget link https://www.splunk.com/en_us/download/universal-forwarder/thank-you-universalforwarder.html ... View more

if I'm going to http://mySplunk:8000/en-US/debug/refresh?entity=/data/ui/view, suggestions on where to look next? I've checked all the files in /etc/apps/search/.../views/manager are have 644 permissions, owned by splunk. This XML file does not appear to have any style information associated with it. The document tree is shown below. <response> <link type="text/css" id="dark-mode" rel="stylesheet" href=""/> <style type="text/css" id="dark-mode-custom-style"/> <messages> <msg type="ERROR">Forbidden</msg> </messages> </response> ... View more

Permission for [views] set to "export=system" in /search app? -->Can you see the "show source" page from any other app, or is it missing from just one? ... View more

If you have customizations, they should be in /local...if not, perhaps you can move them there? You could try just cp-ing off the default folder to a tmp folder, and see how that goes? ... View more

were you able to sort this out? ... View more

I didn't think apps were replicated--can you explain? I understand the search artifacts are replicated, but I also understand I should keep SHC apps consistent. So, to deploy this on all the SHs from the Deployer, or no? ... View more

From docs link text However, searching for TERM(127.0.0.1) fails for data that looks like this: ip=127.0.0.1 - user=admin This is because the equal symbol ( = ) is a minor breaker, not a major breaker. Additionally, the IP address portion of the event is indexed as: ip, 127, 0, 1, and ip=127.0.0.1. You are looking for 127.0.0.1, which is not an indexed term. ... View more

did you ever figure out the issue? I've confirmed https, pass4symmkey is correct, cleaned all my SHC instances, still this. ... View more

Found much of this answer reading @lguinn 's comment on https://answers.splunk.com/answers/454262/how-do-i-fix-splunk-resync-shcluster-replicated-co.html ... View more

Can someone please explain why this is an issue/ why deleting var/run is the best solution? ... View more

Is there a reason (beyond the obvious complaint in the log) to use parsingQueue instead of: [queue] maxSize = 2MB ... View more

Seconding this question above-- is there a parameter we can get rid of, to get rid of these messages? ... View more

Is this the same for if an indexer has full disk? ... View more

For someone else with this issue-- the sourcetype of "syslog" has a specific transform set up to pull out the hostname from the logs. It doesn't use the inputs.conf or server.conf name See this answer: https://answers.splunk.com/answers/55751/host-field-getting-overwritten-in-syslog-processing.html ... View more

Did you ever find a solution to this? I'm having a similar issue-- only source=var/log/messages goes to host=hostname, while the other logs have host=fqdn my inputs.conf--the only place where this host name is defined (it's not in server.conf) [default] host = myhost.mydomain.com [monitor:///var/log/messages] disabled = false sourcetype = syslog index = myindex_1 [monitor:///usr/local/tomcat/logs/logname.log] disabled = false sourcetype = log4j i index = myindex_2 Thanks for any comments. ... View more

this no longer seems to be the case ... View more

The following version of this search runs over 7-10 days successfully. I want to make a summary index instead, so I can reliably get a month's data. Am I doing this correctly? index="myIndex" sourcetype=mySourcetype (msg=REQ* OR msg=RSP) (source="E:\\Logs\\Path-*" source!="E:\\Logs\\Path-Test*") (data.HostType<1000 AND data.HostType!=0) | fields data.CompanyNumber, data.ElapsedSeconds, HostName, data.IsApproved, cid, msg | stats max(data.ElapsedSeconds) as ElapsedSeconds, max(eval(if('data.IsApproved'="false",1,0))) as declines, by cid, HostName | stats dc(cid) as txnsPerHost avg(ElapsedSeconds) as avgElapsedSeconds max(ElapsedSeconds) as maxElapsedSeconds sum(declines) as declines by HostName | addinfo | eval totalSeconds = round(info_max_time - info_min_time) | eval tps=round((txnsPerHost/totalSeconds),2) | eval avgElapsedSeconds = round(avgElapsedSeconds,2) | eval maxElapsedSeconds = round(maxElapsedSeconds,2) | fields HostName txnsPerHost tps avgElapsedSeconds maxElapsedSeconds declines | sort 0 -txnsPerHost Summary creating search: index="myIndex" sourcetype=mySourcetype (msg=REQ* OR msg=RSP) (source="E:\\Logs\\Path-*" source!="E:\\Logs\\Path-Test*") (data.HostType<1000 AND data.HostType!=0) | fields data.CompanyNumber, data.ElapsedSeconds, HostName, data.IsApproved, cid, msg | stats max(data.ElapsedSeconds) as ElapsedSeconds, max(eval(if('data.IsApproved'="false",1,0))) as declines, by cid, HostName | collect index=mySummaryIndex Search using the summary: index=mySummaryIndex | stats dc(cid) as txnsPerHost avg(ElapsedSeconds) as avgElapsedSeconds max(ElapsedSeconds) as maxElapsedSeconds sum(declines) as declines by HostName | addinfo | eval totalSeconds = round(info_max_time - info_min_time) | eval tps=round((txnsPerHost/totalSeconds),2) | eval avgElapsedSeconds = round(avgElapsedSeconds,2) | eval maxElapsedSeconds = round(maxElapsedSeconds,2) | fields HostName txnsPerHost tps avgElapsedSeconds maxElapsedSeconds declines | sort 0 -txnsPerHost ... View more

@masonmorales some clarification questions: 1. When you say search "will run in server time"-- of the Indexer or SH? If I schedule a search to run at midnight my (SH) time, which is 5am Indexer time, looking back one hour-- I will get 4am-5am Indexer time results, right? 2. "This means that the actual time range of your search will be translated from your selected time zone to the server time zone. " So if I ask for data from the 12th hour/day/month, it will return the logs that are timestamped such on the Indexer (the actual log timestamps of 12/12 at 12oclock), right? Thanks ... View more

disregard; I just saw @jmeyers_splunk comment below ... View more