@marathon-man wrote: I guess setting local = true for the command (actually all the commands I guess) would do the trick here, as mentioned in another reply? Yes, but: If someone runs, say, index=foo | mylocalcommand then Splunk will pull all events to the SH, including all _raw and fields - that's a lot of work. Therefore I'd include the recommendations (e.g. "only run after stats") in the docs together with setting local=true. ... View more

My workaround would be "talk to the people who do have access". ... View more

The App Exporter never solved that part.   Back when it was written and working, the /package REST call would give you a URL to download the package. That URL (& the download) was removed from the REST call in Splunk Enterprise long ago. ... View more

I haven't looked at it in years. If you just need to package an app once, call the REST API:  | rest splunk_server=local services/apps/local/{name}/package https://docs.splunk.com/Documentation/Splunk/9.4.1/RESTREF/RESTapps#apps.2Flocal.2F.7Bname.7D.2Fpackage ... View more

Is your command actively querying the collection? If so, replicate=true won't help you.   replicate=true will push the collection's content to the indexers *as CSV*. The KV Store on the indexers (if even running) won't know the collection or its content. I'm surprised and doubtful that replicate=true ever worked for someone running Splunk Enterprise on-prem.   Easiest fix would be to only use the command on the SHs, e.g. after a |stats, |tstats, etc. - or if need be |localop. ... View more

Yes. ... View more

Great! Feel free to post the solution in case others can benefit from it later. ... View more

Can you describe or draw what you're trying to achieve / what you're trying to avoid? ... View more

Not that I'm aware of, no. Support may have an SPL-Number to track. ... View more

Including include_reduced_buckets=t in your tstats parameters should work around the 8.2 _internal tstats issue. ... View more

It would be the `$risk|n$` token filter that would turn off the implicit `$risk|h$` filter that made it HTML-safe... but calling `|n` inside an HTML panel doesn't work ... probably for securitay. ... View more

Here's Stirling's Approximation in SPL: `| eval n! = sqrt(2*pi()*n)*pow(n/exp(1), n)` ... View more

There are two more, significantly less SPL-intense options: Cheat. Given the restrictions of finite-bit maths, you can easily ship a lookup of all reasonable factorials instead of calculating them on the fly, here's a start: https://oeis.org/A000142/list Use Stirling's approximation, expressed in SPL it's `| eval n! = sqrt(2*pi()*n)*pow(n/exp(1), n)` ... it won't be perfect, but it'll give you the right number of digits and the first two will be accurate, ie two sigfigs of precision. Probably good enough for your use case, for 13 choose 6 it yields 1749. ... View more

If this is in a dashboard then you don't need to launch a subsearch, instead you can use the token `$env:app$`: https://docs.splunk.com/Documentation/Splunk/8.0.6/Viz/tokens#Use_global_tokens_to_access_environment_information ... View more

Can your Fortinet FW send to HEC? ... View more

Ignore the replace old connection events in your startswith condition. ... View more

Your user's timezone setting applies to your user only. In general I recommend setting the right timezone instead of messing around with adding/subtracting seconds manually. ... View more

Have you tried setting the timezone for your user to IST? ... View more

Filter based on that then. ... View more

I don't see language:eng in there. ... View more

I can't tell you how to use your data if you don't post your data. ... View more

Filter by language:eng then? ... View more

I don't think there is a language detection function in Splunk. Do your original events have a language field? ... View more