Hey, My SH cluster web UI is very slow when approaching several management pages, such as Views, Lookups definition & automatic lookups. (These pages load time is around 30 seconds) The issue does not occur on the apps or the dashboards themselves. Any ideas? Thanks ... View more

Hey I'm trying to publish an app to splunkbase. This is the error message I get: "The icon found in the package is not a valid png file" The app contains 4 icon files in the static folder in .png format (these are the files) Does someone know how to solve this issue? AFAIK, those are the only needed icon files (I have a published app from a year ago which has a similar structure). Thanks ... View more

Hey I’m trying to extract fields in index time on my summary index, in order to use ‘tstats’ command. I used ‘collect’ to index the data, Setting sourcetype=_json, but I couldn’t make the fields extracted in index time. I tested the command by using ‘makeresults’, and manually building the _raw field, but the fields were only extracted in search time (with KV_MODE=auto). Using KV_MODE=none and INDEXED_EXTRACTIONS=json, the fields were not indexed. So I made a different test. I copied the generated _raw to a local file, and added it using the Upload File option. This time the fields were extracted at index time, as desired. Is it possible to index fields using the collect command? Or am I doing something wrong? Also, I’ve checked the Accelerated Data Model, but it didn’t fit my needs (due to non streaming commands). ... View more

Hey, I have around 30 Splunk Universal Forwarders on my environment, monitoring the local Event Log (Windows Servers 2016). Lately I noticed that a few forwarders are having a delay / sending events too slow. I checked the traffic and noticed that once in every 20-30 seconds, the forwarder is sending around 3K events to the indexers, which is a very small amount of data, while the eventlog is creating much more events and much faster. So the slow forwarding opened a gap of around 30 minutes in the data. I tried to increase queues size and set thruput to unlimited. The performance of the server seems fine, no high CPU or memory usage. I looked on another server, which currently seems to send the events on time (and has a lot more events on its eventlog, yet it is faster), and from sniffing the traffic it seems like the forwarder is sending events almost every second - no ~20 seconds interval. I tried to forward to a different (test) environment, thinking the indexers are getting too many events from too many forwarders, but it does not seems to make any change. Also, the Splunk universal forwarder on the servers is configured the same way, via a deploy server. I wonder if any of you had this issue, or can think of a possible cause to the problem. Thanks! ... View more

Hey! I'm trying to run a search in the JS Splunk SDK, and periodically check the job for the current results. I found out that there are multiple exec_mode s possible, and if I set it to normal , I can get the job ID before the search has ended. I tried to run my job this way: service.search( searchQuery, searchParams, async function (err, job) { console.log("...done!\n"); let count = 0; const sleep = ms => new Promise(resolve => setTimeout(resolve, ms)) await sleep(4000); job.preview({}, function (err, results) { if (err) { console.error(err) return; } if (results.rows) { count++; console.log("========== Iteration " + count + " =========="); console.log(results.rows) for (var i = 0; i < results.rows.length; i++) { var row = results.rows[i]; console.log(stat + row[countIndex]); } console.log("================================="); } }); }); with these properties: const searchQuery = "search index=*"; const searchParams = { exec_mode: "normal" }; The output of this job.preview is that there are no rows yet. Is there anything wrong with the way I'm checking the job results? Is there a way to achieve the results before the job ends? Thanks! ... View more