Try this variation on the settings.  It should better account for newlines. [custom_json_sourcetype] SHOULD_LINEMERGE = false KV_MODE = json LINE_BREAKER = }(,[\S\s]*){ ... View more

Try removing the quotes from the file path. Check splunkd.log for errors relating to that input. ... View more

Don't use both INDEXED_EXTRACTIONS = JSON and KV_MODE=json in the same stanza or the fields will be extracted twice. The LINE_BREAKER setting requires a capture group.  Try these settings [custom_json_sourcetype] SHOULD_LINEMERGE = false KV_MODE = json LINE_BREAKER = }(,\s*){ ... View more

RF/SF does not apply to SmartStore so the storage usage would be 5TB.  Of the 5TB. the hot buckets would be on the indexers (and replicated) and the rest would be in S2. ... View more

Please post the SPL as text rather than as screen shots. It looks like the first search would become a subsearch within the second search. ... View more

Apps are empty either because the data they need isn't present or because the data can't be found.  You've shown the former is not true so it must be the latter. Confirm the data is in the index(es) where Veeam expects to find it.  If Veeam uses a datamodel (I suspect it does) then your data must be tagged so it is found by the DM.  Look at the DM definition to see which indexes and tags it needs. ... View more

You could try opening a support case to see if they will export your data.  Consider using the REST API to run queries (index=foo earliest=0 latest=now | table *) that return all the data from an index and then save that data in the desired format. ... View more

The underlabel option does not perform evaluations.  Do the eval in a separate statement. <search> <query>index=* EventCode=25753 | stats count(EventCode) as toto | append [| search index=* EventCode=* | stats count(EventCode) as toto2]</query> <earliest>-7d@h</earliest> <latest>now</latest> <done> <condition> <set token="NbHost">$result.toto$</set> <set token="NbHost2">$result.toto2$</set> <eval token="ratio">$NbHost$ / $NbHost2$</eval> </condition> </done> </search> <option name="drilldown">none</option> <option name="underLabel">$ratio$</option> ... View more

This regex will extract the highlighted text (?<msg>"errorMessage":"[^"]+") ... View more

Once a field is renamed the original name no longer exists and cannot be referenced.  All subsequent uses of the field must use the new name. ... View more

@PickleRickis correct in that this is a Hard Problem.  For further discussion on it, along with ways to (partially) solve it, see the .conf24 talk I co-produced at GitHub - TheWoodRanger/presentation-conf_24_audittrail_native_telemetry  ... View more

If the apps are defined in a custom app (a Best Practice) then edit savedsearches.conf to put the alerts in another app.  Then upload and install both apps. Otherwise, you can use the REST API to do the job.  See https://docs.splunk.com/Documentation/Splunk/9.2.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D First, I'd try modifying the eai:acl.app setting, but I'm not sure that's supported.  If it works, you're golden and just need to loop through a list of searches to move. If that doesn't work then you're stuck with copy-and-delete.  Read the specs for each search, create a copy of it in the destination app, then delete the original. ... View more

It's simple, really, since we know what precedes and follows the desired field.  Just put the known text into the regular expression and add a named capture group between them.  The pattern for the capture group can be either a non-greedy match of anything (.*?) or match anything that is not what follows the field ([^\|]+). ... View more

It would help to know what curl command you tried and what error it returned. AIUI, alerts must be deleted individually.  There is no method in the UI for selecting multiple alerts for deletion. ... View more

The UF will log communication failures in splunkd.log. Yes, you can monitor the indexers for no logs from hosts.  There are apps, including TrackMe, that can help with that. ... View more

If the host cannot reach the indexer then there will be nothing logged on the indexer to monitor.  The UF will log any failures to connect so that is the place to check, but you will have to do that on the host rather than in Splunk. ... View more

The iplocation command doesn't work with internal IP addresses (192.128.x.x, 10.x.x.x, etc.).  That's because many companies use the same IP address space so a lookup by IP alone is not meaningful.  Your company would have to create and install their own .mmdb file with the appropriate information. ... View more

It would help to know the error you received, but I suspect it's a syntax error of some sort.  That's because subsearches have to be placed where their results would make semantic sense. IOW, if the subsearch produces a result like (original_user=foo OR original_user=bar) then this makes no sense. | eval Name= mvindex((newValue),1) (original_user=foo OR original_user=bar) | stats values(*) as *  Try this, instead (index=<my index>) EventType="A" EventType=A | rename username as original_user | eval Id= mvindex((newValue),0) | eval Name= mvindex((newValue),1) | search [ search index=<my index> <filtering by a string> | eval src_email= mvindex((newValue),3) | rex field=src_email "(?<original_user>[\w\d\.\-]+\@[\w\d\.]+)" | fields original_user | format ] | stats values(*) as * Or this similar query for better performance (index=<my index>) EventType="A" EventType=A [ search index=<my index> <filtering by a string> | eval src_email= mvindex((newValue),3) | rex field=src_email "(?<original_user>[\w\d\.\-]+\@[\w\d\.]+)" | fields original_user | rename original_user as username | format ] | rename username as original_user | eval Id= mvindex((newValue),0) | eval Name= mvindex((newValue),1) | stats values(*) as * ... View more