You're welcome! 🙂 ... View more

Run splunk btool authorize list to check that the role you have still has the capabilities associated with adding data (edit_input_defaults, edit_monitor, indexes_edit, list_inputs, etc) Perhaps someone messed around with the capabilities given to default roles. ... View more

Since the master is supposed to solely control the activities of the index cluster, it is recommended that you don't add extra work for the master to do. If you absolutely need to monitor these few files on the cluster master, I would recommend following this documentation (http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Forwardmasterdata). It is best practice to forward all of the master's logs to the peers, so the master does not have to be bogged down with any indexing itself. ... View more

Go to your dashboard and click on "Edit Source" in the Edit dropdown. You'll find the following kind of XML for the single value (the tag with single is the start of the single value). <dashboard> <label>test</label> <row> <panel> <single> <title>badfs</title> <search> <query>index=_internal | head 10 | stats count</query> <earliest>0</earliest> <latest></latest> </search> <option name="drilldown">none</option> <option name="height">500</option> </single> </panel> </row> </dashboard> Change the option name="height" tag value from whatever number you have there to 115 (this is the default size). This number represents the height in pixels. ... View more

The reason this message is displayed is because you're trying to write a multi-valued _key field to your KV Store. For example: I create a KV Store with the following values: '{"name":"indexer1","id":123,"address":{"street":"250 Brannan","city":"San Francisco"}}' '{"name":"indexer1","id":124,"address":{"street":"250 Brannan","city":"San Francisco"}}' I then write a search like this: index = _internal | head 1 | eval name = "indexer1"| lookup test_lookup name OUTPUT _key | outputlookup test_lookup append=true This means my one event from the search on _internal will match both of the KV Store entries, and we create a new field=_key for that event due to the OUTPUT of the lookup. Since we matched two entries in the KV Store, the _key field on the event will evaluate to something like "_key" : [ "56e30ef4af0001b2aa352761", "56e30f0baf0001b2aa352762" ]. Since Splunk's KV Store only allows a single, unique value for _key, the search fails with the cryptic message ERROR KVStoreLookup - KV Store Lookup output failed with code -115 and message '' tl;dr revise your search query, KV Store collection, or transforms.conf (max_matches=1) to ensure that you will not match an event to multiple KV Store entries when trying to write to the _key field. ... View more