Final version... obviously inside a script or an interactive menu with parameters should work fine 👍   curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/-/-/saved/searches' --get -d 'output_mode=json' -d 'count=0' | jq -r ' .entry[] | select(.acl.app == "MYAPP" and .acl.owner == "MYUSER") | .name + " : " + .acl.app + " : " + .author + " : " + .acl.owner + " : " + .acl.sharing + " : " + (.content.disabled|tostring) '   Alternative,   curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/-/-/saved/searches' --get -d 'output_mode=json' -d 'count=0' | jq -r ' .entry[] | select(.acl.app == "MYAPP" and .acl.owner == "MYUSER") | [.name,.acl.app,.author,.acl.owner,.acl.sharing,.content.disabled] | @csv '   Thanks all 👍 ... View more

Great 👏👏👍 Effectively XML is quite obsolete 😴 Thanks again 👍 ... View more

Just a beginning for shell... with script parameters (user and app in variables), i'm close enough to what i'm seeking 😀   curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/admin/MYAPP/saved/searches?count=-1' | egrep '<title>|name="app">|name="sharing">|name="owner">|name="disabled">' | grep -v '<title>savedsearch</title>' | sed -n -e '/title/,+4p' | paste - - - - - | grep 'MYAPP' | grep 'title' | sed 's/ //g ; s/\t//g'   Perhaps not perfect, yet... but close 😀 Thanks. ... View more

Ahhhhhhhhhhh, here we go!!! It takes also the "sharing=global" objects 🙄i understand. Are there more parameters to filter directly from the GET? I can't read them in Documentation 🤷‍♀️ (also the "?count=x" is not documented 🤔) Thanks. ... View more

I neved had problems with Captain Election, both with [raft_statemachine] disabled = true disabled = false 🤷‍ ... View more

@sainag_splunk wrote: The disabled setting in SHC only impacts captain election and member roster management. Ok, so it's minimal, and has ne real impact of cluster operativity 👍 Thanks 👍 ... View more

Don't understand the question 🙄🙄🙄 I have a non clustered Indexing infrastructure (8 standalone indexers). @sainag_splunk wrote: I don't think that required.  I decide what's required 😉and i want the SHC to replicate distsearch.conf 😉😉 My question was another, leave replicate_search_peers away, What changes in a SHC by setting "disabled = true or false"? By default is true. ... View more

Great, thanks 👏👏👏 I took my way, doing so,   |eval earliest_epoch="$time.earliest$",latest_epoch="$time.latest$" |eval earliest_epoch=case(isnum(earliest_epoch),earliest_epoch,earliest_epoch=="now",time(),"earliest_epoch"="",0,true(),relative_time(time(),earliest_epoch)) |eval latest_epoch=case(isnum(latest_epoch),latest_epoch,latest_epoch=="now",time(),true(),relative_time(time(),latest_epoch))     ... View more

Great 👏👏👏👏👏👍 But maybe dashboard will not update variables/tokens until you manually change the picker. Let's say i choose "-5m" from picker and latest is "now" for default, it will remain fixed to relative_time(time(), $earliest$)  the UNIX-time value, also if my panels refreshes. So, letting dashboard has refreshing panels, the -5m will become -6 -7 -8 -9 -10 ......... untill you change the picker... Also for $latest$=="now", time() Same concept for earliest... it becomes fixed until you refresh entire dashboard/picker. ... View more

SHC is perfectly in sync!!! I have no errors at all when all nodes are running, until i restart the SHC. I will try a node at a time, and i'll monitor the logs. It's only for curiosity, since SHC works perfectly 🤷‍♀️🤷‍♀️🤷‍♀️ IMO it's some kind of "artifact" remained from previously versions, over which i did updgrades (6 to 7 to 8 [where we changed the Indexers to new nodes/servers]). Quite sure resetting the raft and rebuilding the SCH will delete the "issue". ... View more

    Anyway, a question to - why the need to delay the script's output in the first place? It seems a very unusual requirement.     ... originally the script used a "timeout [variable_secs]" launching a while loop to wait with a "test -f file" if "file" was generated during the STARTTIME untill the next "timeout [variable_secs]" (variable_secs is taken by a table, every file has it's own variable_secs). If timeout exits with exit_code 124, an stdout + log entry is written in a log file. If a new script is launched with same identical args, itsself check if a previous one is still running and exit suddenly, waiting the previous to do its job. So i have a single input entry for each file in table (file exists or file does not exists after start_time [the table also have its start_time variable for every file] + variable_secs. During the "variable_secs" if i had a new file in table to check, the script is blocked from the previously, so i can't check it. Let's say, having a table like this server1 /tmp/flow.log 07:00 07:30 server1 /tmp/flow2.log 07:10 07:15   Scheduled script run by splunkd is scheduled every 5m. Let's say now it's 06:55, 06:55 splunkd run script, it exits with no output/file log since check it's not 07:00 OR 07:10 (script does this) 07:00 splunkd run script, task starts for "/tmp/flow.log" and wait untill 07:30 for file generation 07:05 splunkd run script, aborted since the previous 07:00 is still in background and running 07:10 same as 07:05, "/tmp/flow2.log" is skipped 07:15 same as 07:10, "/tmp/flow2.log" is skipped 07:20 same as 06:55 ... So "/tmp/flow2.log" is totally skipped. Now, on some servers, as said, a cron was used. On other servers i rewrite the script without the timeout/sleep, and write an entry every 5m with a variable "FOUND=[0|1]", and then stating with SPL a "stats count sum(FOUND) as found by host,file" and with some dashboards/alerts who traces them, a sum of 0 in that timerange is a file not present. ... View more

I know it's a unusual question, for this reason i asked 😂😂😂 THAT is the way i'm using now, getting data from input monitor. For this reason i wanted to know if i could manage it by splunkd directly 😊 I also used on some servers the /etc/cron.hourly/ directly by splunkd, creating tasks dinamically on the fly by launching a root subshell to create task in cron.hourly and getting its inputs monitor output to file after the timeout/sleep does it's job and the script exits with its exit code. But the mission was to NOT TOUCH ANYTHING IN THE SYSTEM, so i asked if a monitor script could be forced to rerun also if the previous was still in background 🤷‍♀️thanks anyway everyone 👍👍👍 ... View more

Yes. That's so... and that was a really bad idea for App order UI in WebGUI 🤦‍♂️🤦‍♂️🤦‍♂️ Previously drag option with jquery was perfect... really do not know why they change drastically this section 🙄🙄🙄 Editing "user-prefs.conf" need a daemon restart. Annoying. ... View more

Very strange, since also PickleRick says it's the normal behaviour of a DS not deleting custom addons 🤔 ... View more

Giuseppe, aren't you confused with the Deployer SH? 🤔 Because the Deployer behaves as you said 👍 Thanks & bye. ... View more

Thanks, i know how DS<>UF works 😉   So, Is there a way to tell DS: maintain ONLY addon#1 + addon#2 + addon#3 and DELETE ALL OTHER CUSTOM ADDONS (addon#4 in this example)?   THE ANSWER IS: NO!!! 😁   👍👍👍 ... View more

Maybe some DS conf to change? I'll see. For now, as said, i prefer to maintain custom users addons 😊 in fact, I would have problems with several users 😁 Only wanted to know if there was a way to do the opposite 😎 Thanks 👍 ... View more

/etc/apps of UF +++my addons deployed by DS Check_System Ethernet-Speed GET_ALL maxKBps output +++custom addons created on UF (still there) GET_ALL_FAKE_IDX LOCAL +++internal SplunkUniversalForwarder introspection_generator_addon journald_input learned search splunk_httpinput splunk_internal_metrics   INFO DC:HandshakeReplyHandler [1815 HttpClientPollingThread_A48B7A13-D8C3-4DBB-ADAD-5F1F80E30A12] - Handshake done.     ... View more

I say,  i prefer this behaviour, since sometimes it's useful to insert addons manually, outside DS, but i wanted to know if it was possible, in fact, the opposite, with changes to the DS! I confirm custom addons remains on my UFs 🤕 ... View more