We saw this problem with a customer deployment as well.  It turned out that a different admin, not the main admin who was usually on the box, had set Splunkd some time ago to only be run as a certain domain user rather than as system. The msi's upgrade at the end restarts splunk but I guess it ends up restarting as the user who ran the msi, so it fails.    Another clue was that restarting splunkd on the command line,  by the administrator user,  failed with "splunk stopped" as the only output. tacking launchsplunk=0 onto the msi invocation was the answer ultimately.  and then the admins set Splunk back to just run as System so it wouldn't cause any unexpected problems going forward ... View more

Hello ! Sorry I don't think I ever realized that in the new Answers, app developers don't actually get notified when there is a question about their apps.  So I only saw this question because @tscroggins    @'ed me directly.  (thanks by the way).   Going forward I have now "subscribed" to my own app so although that seems weird, perhaps it will help. The "pain" field is actually calculated from a macro in the app called "estimate_pain", and you are free to try out some modifications.    What ships is a somewhat complex thing that depends on total_run_time, the ratio of scan_count to event_count,    has_index_term,  has_pre_command,    various logic around which command is the first_transforming command, (strongly penalizing things like "table"),  also avg_pct_memory   max_mem_used. There are also some exceptions poked in the logic,  for instance if the first command is metadata or makeresults it kind of short circuits some of the logic.  likewise if the first_transforming command is "head" etc. The INTENTION is that high "pain" correlates strongly with the sort of searches that the Splunk deployment's admins would want to know about, so they could go educate or help that user do something less awful. I am super curious for what you see,  what your reaction is and suggestions are.  Answers is fine so we can talk on there.  Note however that on the landing page of the sideview_ui app it also exhorts you the user to email anyuthing and everything to sideview_ui@sideviewapps.com or to post your question on the app's channel on the Splunk community slack I hope that helps, and please send in any and all feedback, in any area and in any quantity.   Thanks. ... View more

This is a pretty complex problem - part of the puzzle is in the audit log's info="granted" event,  another part is in the audit log's info="completed" event,   even more of it is over in the introspection index. Then of course for jobs that still exist on the filesystem there is a wealth more info you can get from the rest command or by a custom search command that inspects info.csv and status.csv. I recommend checking out an app that we released recently called Sideview UI -   specifically the view within that app called "user_activity". This will do all of this for you,  sidestep pretty thorny autokv problems in the audit data,  and not just give you all of this per search, but also present stats and rollups by user,  app, dashboard,   even by sourcetypes-that-were-actually-searched it also has a macro called "calculate pain" that will score a "pain" number for each search, and then sum up all the "pain" in the by-user,  by-app,  by-sourcetype rollups etc.   So that admins can try and pick off the worst offenders first. it's up on SB here and approved for both Cloud and onprem - https://splunkbase.splunk.com/app/6449/ and there's a #sideview_ui channel for it in the community slack. ... View more

We are seeing the same thing too.   We are seeing it with a long running job (~20mins) that is pulling a few million records. Note that the file splunkd is trying to open is in /var/run/ but not in /var/run/dispatch/<sid>   so this is some internal secret cache that splunkd is using. The relevant excerpt from the (frankly enormous) search.log is below. tl;dr is that it says the file is being used by another process. A couple seconds later it tries to remove the directory and that fails because the directory is not empty. And then a few more seconds and suddenly it triggers splunkd shutdown,   in the search.log.  which.... makes no sense because customer did not report that splunk shut down.     ..... nothing too interesting and then ..... 01-06-2022 12:33:09.439 INFO UserManager [7352 SearchResultExecutorThread] - Unwound user context: admin -> NULL 01-06-2022 12:33:09.439 INFO UserManager [7700 SearchResultExecutorThread] - Unwound user context: admin -> NULL 01-06-2022 12:33:09.457 INFO ResultsCollationProcessor [4780 phase_1] - Writing remote_event_providers.csv to disk 01-06-2022 12:33:09.459 INFO DispatchExecutor [4780 phase_1] - END OPEN: Processor=stats 01-06-2022 12:33:09.459 INFO DispatchExecutor [4780 phase_1] - BEGIN OPEN: Processor=timechart 01-06-2022 12:33:09.673 ERROR StatsFileIO [4780 phase_1] - open failed for file=C:\Program Files\Splunk\var\run\splunk\srtemp\2075148042_2268_at_1641492677.2\statstmp_merged_0.sb.lz4, error: The process cannot access the file because it is being used by another process. 01-06-2022 12:33:09.674 INFO ReducePhaseExecutor [4780 phase_1] - Not downloading remote search.log files. Reason: No remote event providers. 01-06-2022 12:33:09.674 INFO ReducePhaseExecutor [4780 phase_1] - Not downloading remote search_telemetry.json files. Reason: No remote event providers. 01-06-2022 12:33:09.674 INFO ReducePhaseExecutor [4780 phase_1] - Ending phase_1 01-06-2022 12:33:09.674 INFO UserManager [4780 phase_1] - Unwound user context: admin -> NULL 01-06-2022 12:33:09.674 ERROR SearchOrchestrator [8764 searchOrchestrator] - Phase_1 failed due to : StatsFileWriterLz4 file open failed file=C:\Program Files\Splunk\var\run\splunk\srtemp\2075148042_2268_at_1641492677.2\statstmp_merged_0.sb.lz4 01-06-2022 12:33:09.674 INFO ReducePhaseExecutor [5628 StatusEnforcerThread] - ReducePhaseExecutor=1 action=CANCEL 01-06-2022 12:33:09.674 INFO DispatchExecutor [5628 StatusEnforcerThread] - User applied action=CANCEL while status=0 01-06-2022 12:33:09.675 ERROR SearchStatusEnforcer [5628 StatusEnforcerThread] - sid:1641492672.2086 StatsFileWriterLz4 file open failed file=C:\Program Files\Splunk\var\run\splunk\srtemp\2075148042_2268_at_1641492677.2\statstmp_merged_0.sb.lz4 01-06-2022 12:33:09.675 INFO SearchStatusEnforcer [5628 StatusEnforcerThread] - State changed to FAILED due to: StatsFileWriterLz4 file open failed file=C:\Program Files\Splunk\var\run\splunk\srtemp\2075148042_2268_at_1641492677.2\statstmp_merged_0.sb.lz4 01-06-2022 12:33:09.703 INFO UserManager [5628 StatusEnforcerThread] - Unwound user context: admin -> NULL 01-06-2022 12:33:09.710 INFO DispatchStorageManager [8764 searchOrchestrator] - Remote storage disabled for search artifacts. 01-06-2022 12:33:09.711 INFO DispatchManager [8764 searchOrchestrator] - DispatchManager::dispatchHasFinished(id='1641492672.2086', username='admin') 01-06-2022 12:33:09.711 INFO UserManager [8764 searchOrchestrator] - Unwound user context: admin -> NULL 01-06-2022 12:33:09.711 INFO SearchOperator:kv [6548 RunDispatch] - Extractor stats: name=_autoKvStats, probes=80, total_time_ms=1200, max_time_ms=15 01-06-2022 12:33:10.248 INFO ISearchOperator [6548 RunDispatch] - 0x30cebfd120 PREAD_HISTOGRAM: usec_1_8=4644 usec_8_64=0 usec_64_512=0 usec_512_4096=61 usec_4096_32768=0 usec_32768_262144=0 usec_262144_INF=0 01-06-2022 12:33:11.579 WARN StatsProcessorV2 [6548 RunDispatch] - Failed to remove temporary directory: C:\Program Files\Splunk\var\run\splunk\srtemp\2075148042_2268_at_1641492677.2: 1 errors occurred. Description for first 1: [{operation:"failed to remove directory", error:"The directory is not empty.", file:"C:\Program Files\Splunk\var\run\splunk\srtemp\2075148042_2268_at_1641492677.2"}] 01-06-2022 12:33:16.835 INFO SearchStatusEnforcer [6548 RunDispatch] - SearchStatusEnforcer is already terminated 01-06-2022 12:33:16.837 INFO UserManager [6548 RunDispatch] - Unwound user context: admin -> NULL 01-06-2022 12:33:16.837 INFO LookupDataProvider [6548 RunDispatch] - Clearing out lookup shared provider map 01-06-2022 12:33:16.846 INFO ShutdownHandler [7912 Shutdown] - Shutting down splunkd 01-06-2022 12:33:16.846 INFO ShutdownHandler [7912 Shutdown] - shutting down level "ShutdownLevel_Begin" 01-06-2022 12:33:16.846 INFO ShutdownHandler [7912 Shutdown] - shutting down level "ShutdownLevel_NoahHealthReport" 01-06-2022 12:33:16.846 INFO ShutdownHandler [7912 Shutdown] - shutting down level "ShutdownLevel_FileIntegrityChecker" 01-06-2022 12:33:16.846 INFO ShutdownHandler [7912 Shutdown] - shutting down level "ShutdownLevel_JustBeforeKVStore" 01-06-2022 12:33:16.846 INFO ShutdownHandler [7912 Shutdown] - shutting down level "ShutdownLevel_KVStore" 01-06-2022 12:33:16.846 INFO ShutdownHandler [7912 Shutdown] - shutting down level "ShutdownLevel_DFM" 01-06-2022 12:33:16.846 INFO ShutdownHandler [7912 Shutdown] - shutting down level "ShutdownLevel_Thruput" ..... And then it goes back to tens of thousands of messages about various calcfields not being extracted because they're not needed. .....   ... View more

Ah!    Great.  No I've been waiting for folks to ask about the old tools in the Admin Tools app. I had not moved over the "License Monitor" into Canary,  but I'll do so now and in all likelihood it will be in the next release of Canary.   Which should actually go live next week some time. ... View more

Hi!   Sideview Admin Tools is effectively superceded by the Canary app, and the newer copy of the Sideview Editor that ships inside Canary. If you're running Splunk 8.X then Sideview Admin Tools won't really work at all and you'll *have* to get Canary instead.   If on the other hand you're running Splunk 7.X then that's a bug of some kind, and I'm curious what exact version of Splunk you're running so that I can reproduce., However either way your best bet is to switch to Canary,  as it runs great on both 7.X and 8.X You can read more about what all this means here - https://sideviewapps.com/apps/canary/sideview-utils-users/   ... View more

Technically Canary has a module called "DateTime" which does give you a nice absolute date/time picker.   It ultimately outputs a $foo$ token into the Canary UI that is an epochtime value.  On the larger implications of building an entire CRUD UI, with the date picker as just one of several fields in there let me say some words about that ----   It is technically possible to do build a full CRUD UI with Canary (with splunk 8 or 7) or Sideview Utils (splunk 7.X and below) as the front end. I have built several over the years, in arguably 3 different ways.  However this is very advanced and pretty far beyond the sort of docs and examples that Canary (or Sideview Utils) docs will be illustrating and explaining. The Create side is fairly easy and there are a lot fo ways to skin that cat.   The 'Edit" side is the tricky one historically.      rendering the properties into a table row or into some kind of custom HTML layout is doble with either the Table module's "embedding" features, or with the Multiplexer module.    but there are some corner cases that you need to get right for good user experience. Anyway,  the coolest way is to use a Paged Multiplexer module for the hard part   We have a commercial product called "Supporting AXL Addon for Cisco CDR Reporting and Analytics"  that has a full crud ui for credentials.    And our main product "Cisco CDR Reporting and Analytics" has several CRUD ui's to administer different things.  Those ones are built leaning more heavily on our "customBehavior" mechanism, meaning most of the fiddly bits are over in javascript. In short though, if you don't already have a lot of experience creating and troubleshooting views in Canary (or in Sideview Utils),  i would not pick this as your first challenge because it's quite complex and it will involve a lot of moving parts and great familiarity with each of them.   ... View more

One solution would be if we could shift the deployment stuff over onto the application rows,  and you need to shift the server stuff over as well.  Or going the other way, if we could shift all the pieces we need ontot he actual "relationship" rows, and then just do a stats that only picks things up from them. Either way - that sort of feeling, where you need to copy a couple phases of things around using different ids,  is when you should think of eventstats or streamstats. In this particular case I cannot make it very simple.   It involves a lot of "shifts" and it's ugly.     | makeresults | fields - _time | eval data="1,A,appl1,,;2,A,appl2,,;3,D,depl1,,;4,D,depl2,,;5,D,depl3,,;6,S,serv1,,;7,S,serv2,,;8,S,serv3,,;9,S,serv4,,;10,R,,1,3;11,R,,2,4;12,R,,2,5;13,R,,3,6;14,R,,4,7;15,R,,5,8;16,R,,5,9", data=split(data, ";") | mvexpand data | rex field=data "(?<sys_id>[^,]*),(?<type>[^,]*),(?<name>[^,]*),(?<parent>[^,]*),(?<child>[^,]*)" | fields sys_id type name parent child | eval parent=if(parent=="",null(),parent), child=if(child=="",null(),child) | eval application_id=case(type="A",sys_id, type="R",parent), server_id=case(type=="S",sys_id,type="R",child), application_name=case(type="A",name), deployment_name=case(type="D",name), server_name = case(type="S",name) | eventstats values(server_name) as server_name by server_id | eval deployment_id=case(type=="D",sys_id,type=="R" AND isnull(server_name), child, true(),parent) | eventstats values(server_id) as server_id values(deployment_id) as deployment_id by application_id | fillnull deployment_id value="" | mvexpand deployment_id | eventstats values(deployment_name) as deployment_name values(server_name) as server_name by deployment_id | eventstats values(application_name) as application_name by application_id | fields application_name deployment_name server_name | stats values(*) as * by application_name         The mocked up rows -- I had to add an extra eval to try and make it a little more like data.   emptystring values and null() values are pretty different.   I manually am turning some thing sback into null() values where it matters. The big eval statement -- it's a little careless in how it hands out application_id but it doesnt matter - likewise with server_id the next two lines - eventstats and then the eval that makes deployment_id -   deployment id is trickier but we basically use the absence of the server_name field to conclude that the "R" row is a application-to-deployment row.   the fillnull - mvexpand will throw away values that are actual nulls, so we do an ugly workaround to replace with emptystring values.   It's a bit of a shell game.  It copies the data from row to row,  step by step.  tedious and painful.   And if there's a way to replace it all with a simple pair of stats commands,  it's certainly beyond my abilities at the moment. SO - there's another path.  And that's to break it into smaller problems. I would go that way in this case.   Make a static file-based lookup mapping deployment id to deployment name. likewise from server id to server name.   and from application id to application name.   Then you can have 3 explicit lookup statements, painting these names onto all the rows.  And between eval and lookup you can actually load up the "relationship" rows with ALL of the ids and names,  and then one simple stats can do it in a single fell swoop then.  I'll come back and write up specific SPL to flesh out this way. ... View more

Ah thanks - sorry there was a typo in my response. The URL is http://splunk/en-US/debug/refresh?entity=/data/ui/views and it was missing the "s" on the end, which is why you were getting that error. Add the "s" and it will work. Also I will go and edit my comment above to fix that typo. ... View more

This may be because the app packages a "custom module" in the legacy Advanced XML system, and that the custom module contains its own custom python endpoint. You can check it very quickly by looking for a stack trace in web_service.log If there is one, look carefully in the last line of the stack - it will refer to a python file that is in a particular app, in an "appserver/modules" subdirectory. If that stack trace does exist, and points to this particular app, that's your root cause. And if so, here's the explanation of what just happened> a) those endpoints are not a part of the normal "web.conf" endpoints that you might be more familiar with in Splunkweb. This stuff is a pretty obscure backwater of some ancient systems that predate the web.conf controllers and have been largely forgotten since 4.X/5/X days. b) Splunkd in 8.0 still runs those legacy "advanced xml custom module" endpoints even though technically the advanced XML was suposed to be removed completely in 8.0. Splunk has acknowledged this as a mistake and I hear it's being fixed. c) furthermore Splunkd in 8.0 runs these ancient things in python3, which will almost guarantee that the endpoint wont run. d) more fun - when it fails to run the endpoint, splunkweb then itself fails to start for some reason. ... View more

I think the core problem, or at the very least a major source of confusion, is that you're taking _time, which is already an integer value (the number of seconds since big ben rang out the new year in 1970), and turning it into a string-formatted time, naming that field "time_epoch" which is SUPER confusing because its values are string-formatted times, not epochtime integers. Then sorting by that string formatted time. This is a little odd but so far not really a problem - just weird since the original _time value can do all that perfectly well too. Wild guess - you're getting confused by the behavior of the Splunk UI - whenever it sees any field called "_time" it sneakily sneaks in and on-the-fly converts the display of those values to string-formatted times. However the values underneath are epochtime integers. you can always verify that I'm not talking crazy by doing | eval srsly_wat=_time Then anyway, back to our story the problem arises with this - | bin span=2m time_epoch that would make sense if time_epoch was actually an epochtime-valued field, ie if it held integer values. It makes no sense however in this case where the "time_epoch" field holds strings. Bin has no idea what to do with this combination of field and value, and so what it does is -- nothing at all. it throws no error but it does nothing. I think if you fix that core issue, you might be able to revisit what you're trying to do with the bin+makecontinuous +filldown. re-examining that fresh, with some fresh caffeine, is a good idea. index=infra_apps sourcetype=ca:atsys:edemon:txt | search Job=* | rename hostname as host | fields Job host Autosysjob_time Status _time | lookup datalakenodeslist.csv host OUTPUT cluster | mvexpand cluster | table Job Status host cluster _time | search cluster=* AND host=* | sort + _time | stats count by _time Job Status host cluster This is bit of an instinct, but I have seen many cases where people where folks are fiddling with bin+makecontinuous+filldown basically trying to recreate one of timechart's core use cases, beacuse they've come to believe that timechart can't do it. I hope this helps - I don't think it's your whole answer, but I think it clears some of the mess up and puts you in a better place. and i'll update this answer if you post back etc. ... View more

it's not a good practice to use append or appendcols for this search. Instead you can use "conditional eval" to create what you need, and then have a single reporting command (timechart / stats / chart / etc) do all the work. this allows the reporting commands to do the work out at the indexer nodes. This should speed up the search by a somewhat large factor and you'll also avoid any truncation limits and finalization limits around append/appendcols. try this: eventtype=client_rest_volume earliest=-7d@w0 latest=@w0 | eval rsptime = rsptime/1000 | eval is_sla_trans = if(rsptime<2000,1,0) | timechart span=1d count as tot_trans sum(is_sla_trans) as sla_trans | eval successrate=((sla_trans/tot_trans)*100)."%" | rename tot_trans as "Total Transactions" | rename sla_trans as "Transactions within SLA" | rename successrate as "SLA Success %" By the way I gave a talk at Conf on this sort of thing, and you can see the slides here - https://conf.splunk.com/watch/conf-online.html?search=FNC2751#/ (and possibly by the time you read this, you can also get the recording) ... View more

If you manually request the image, does splunkWeb return a 404 or a 200? It seems very similar to the longstanding problem where people add a new dashboard.js or application.js or application.css, but it doesn't get loaded until SplunkWeb is restarted. Thinking about all this, I can't remember if the root cause is that splunkWeb refuses to serve net-new static files until a restart, or if that condition applies only to appllication.* and dashboard.* and is more of a cache problem in the python code. Along the same line, if you can log into the host itself then another thing to try is to just restart splunkweb. splunk restart splunkweb Kicking splunk boots everyone out and makes everyone come at you with pitchforks. restarting just "splunkweb" wont do that and will generally just give everyone a few seconds of o_O while requests spin a bit. ... View more

Supported as of v3 for dbxquery which is great, but still not supported as dbinputs, it seems, which was the question ... View more

Looking at Sideview Utils release notes, it looks I added this feature exactly a week later, Version 2.6.4 released August 23rd 2013, has Added a requested feature to Tabs where it will now do $foo$ replacement into *static* tab values before it outputs them downstream. which is so long ago that it was about 48 releases and 243 release notes ago. ALSO anyone who has Sideview XML views and dashboards, should go to this page https://sideviewapps.com/apps/canary/ and after reading a bit, click the link that says "I maintain (or develop) custom dashboards or apps written with Sideview Utils" ... View more

I don't think this question has anything to do with eventtypes? The create input screen in the office 365 app, has an indexes pulldown. For the OP the only values he sees are history, main and summary but he doesn't know why since he does have other indexes and he sees them listed elsewhere in other apps. Possibly you know some detail leading you to believe there is some involvement with eventtypes? ... View more