It makes no difference if I change it and run it on the HF locally itself, the second REST command never works. ... View more

This is being experienced by multiple users, so a browser cache isn't the issue. ... View more

No the issue is that it's not getting to Splunk, but I have no clue why that would be. The data is in Tenable Cloud but not getting to Splunk apparently. ... View more

Anyone figure out why? I'm having this exact same issue. ... View more

Oh I see it now, the word is in the CSV file itself. But I'm only concerned with the headers, is that not what the alert means? ... View more

Well see we are trying to find specific keywords, so I know like one I'm trying to test. When I run your second command, it pulls in a ton of CSV files. Checking one, and the word isn't in the CSV header at all? ... View more

So the first one command, every word it brings back is a duplicated one? ... View more

It's not in the search results as I get it, rather it's tracked by Mongo and that is how we're seeing it. So I don't have search.log indexed into Splunk and therefore have no visibility.  ... View more

Unfortunately kvstore is running and starting normally ... View more

I'm also getting this issue, except my UF is delayed by 400 hours sending logs to Splunk. And only for Windows Events. ... View more

@ITWhisperer  So I am trying to find sporadic hosts, or hosts that will have over 24-hour gaps or maybe just 24-hour gaps in between sending data to indexers. My search looks like this  | tstats count as hourcount where (index=_* OR index=*) by _time,host span=1h | appendpipe [ | stats count by host | addinfo | eval _time = mvappend(info_mintime,info_maxtime) | stats values(_time) as Time by host | mvexpand Time | rename Time as _time ] | sort 0 _time host | streamstats time_window=24h count as skipno by host | where skipno=1 AND _time>relative_time(now(),"-13d@d") | stats sum(skipno) as count by host | eval mySporadicFlag = if(count=1,"yes","no") Except the problem is if it reports every 48 hours in a 14-day period, that's sporadic but the streamstats count would be higher than 1. But if you reversed the yes and no, than everything would be sporadic even hosts that only have minute gaps in data. So I'm stuck on how to improve this search from here to find actually sporadic hosts. ... View more

What about the ones where that doesn’t fix it? ... View more

This is the update of the first search.   ... View more

It came back within 2 hours and is now affecting two indexers. ... View more

Well there is no errors in Splunk for that sourcetype, so nothing like that is flagging in the data. And all the connections seem fine, there is other add-ons on that HF that are reporting fine. ... View more

Beyond just a second ago when I restarted it, I have nothing popping up. ... View more