Hi JJ,   Unfortunately the AppInspect team decided on a whim to fail the manual vetting for the latest version of this app. (it passed every version before, the reviewer was just having a bad day) You have two options: 1. Upload as private app, to do this: change the appid in app.conf, rename the folder to match the new appid, gzip it up and upload as a private app. Note: this is will break the connection to Splunkbase, you won't be able to automatically update the app from within Splunk. 2. Wait for me to upload a new version. Maybe the reviewer will be in a better mood. ... View more

I personally use the excellent RequestBin.com site to test all my config. Endpoint = https://xxxxxxxxxxx.x.pipedream.net/ Query string params (optional) - Query string is commonly denoted keyvalues after a question mark. IE www.example.splunkcloud.com/en-GB/account/login?loginType=splunk. In this example loginType=splunk is a querystring. Custom headers (optional) = These allow you to add custom headers. This is most commonly used for basic authentication. Payload = If your search returns the fields Test & Source then you could specify source={source};test={test}. To send JSON in this version of the app. You must construct the JSON string in your SPL search IE |eval json="{source:'".source."',test:'".test."'}" and then reference that field IE Payload = {json} I admit this is clunky and would be hard to maintain for long JSON values; I'd suggest a purpose-built app if your JSON is complex or nested. HTTP Method =POST Ingest response to index = If you wish you ingest the response, specific the index here Ingest Safety Max Size = This is the safety net to stop ingesting values greater than expected. If you don't want to ingest the response, set the value to 0 Should be able to identify errors with the following search. "index=_internal sourcetype=splunkd component=sendmodalert action="send_custom_rest_request" ... View more

Hi Jeremy, The Splunk Validated Architectures document is great place to start with these kind of questions. If you truly need full HA between DCs you might need a multi-site cluster. This will allow you to specify how many copies of the data you want to keep in each site (DC). In the SVA, the examples start with 'M'. That being said doing multi-site cluster with only 3 indexers is overkill so I'd question whether you truly need it. A normal clustered environment might better suit your requirements if you can accept the risk. ... View more

@mihenn Can you confirm whether adding the ingestion_safety fixed the issue? ... View more

Can you try setting the ingestion_safety variable. There's a known issue with version 1.1 which has been fixed in the yet to be released version 1.2 action.send_custom_rest_request.param.ingestion_safety_max_size = 0 ... View more