I have some saved searches with whitespaces in their names. So in savedsearches.conf i have stanzas like following: "[Any saved search 1]". When I perform the command like xsplunk cmd btool savedsearches list 'Any saved search 1' --debug I have results for all saved searches contains word "Any" at the begining of name. How can I list savedsearch named "Any saved search 1" exactly? ... View more

Some time ago we had a Splunk search head cluster with nodes named “vm-splunk-sh01”, “vm-splunk-sh02”, “vm-splunk-sh03”. Then we added some new nodes, i.e. vm-splunk-nsh01, vm-splunk-nsh02 etc. After successful adding of these new nodes to cluster we stopped old nodes vm-splunk-sh01, vm-splunk-sh02, vm-splunk-sh03 without removing them by command “splunk remove shcluster-member” and re-use these machines by clearing and reinstalling them (it’s my mistake). Now there are following strings in the new nodes’ logs: 2017-06-20T13:06:53.880Z I REPL [ReplicationExecutor] Error in heartbeat request to vm-splunk-sh02:8191; Location18915 Failed attempt to connect to vm-splunk-sh02:8191; couldn't initialize connection to host vm-splunk-sh02, address is invalid How we can force cluster to (fully) forget old members? ... View more

I have data source with JSON events like this: {"timestamp":"04-07-2015 15:57:49.726","priority":"INFO","thread":"btpool0-1294","instance":"PG1","primary":"true","category":"SplunkInteractionLogger","type":"feeext","status":"f","duration":14,"message":{"req":{"ts":"2015-07-07 15:57:49","paymentInterfaceType":"MB2.0","payerType":"MB2.0","operationType":"L","clientId":"1-8ODP6R4","providerCode":"transfer-bank","templateId":null,"amount":0.0000,"currency":"643","agreement":"3434385492","cardnumber":null,"expdate":null,"cvv2":null,"cardholderName":null,"cardid":null,"srcPointer":null,"srcPointerType":null,"billID":null,"comment":null,"providerFields":[{"providerFieldCode":"uid","type":"text","providerFieldTextValue":{"value":"M.000758477"}}]},"err":{"ts":"2015-07-07 15:57:49","code":"error-external","externalErrorCode":"N.2.24782","externalErrorMessage":"AnyText.","reqSumFlag":null,"reqSum":null,"reqSumCur":null}}} "timestamp" field contains time of event. My props.conf on indexers for tihs sourcetype: [mysourcetype] TIMESTAMP_FIELDS = "timestamp" SHOULD_LINEMERGE = false When I perform search at webUI, Splunk finds highlited JSON events with correctly assigned fields. But recognizes time incorrectly. It assignes "04-07-2015 15:57:49.726" to _time as 07 day of 04th month, that is incorrect in this log, because first number is day and second is month in it (but year, hours, minutes, seconds and milliseconds have the correct assignment in result value of _time). When I modify my props.conf as described below (by adding TIME_FORMAT for correct time recognition) [mysourcetype] TIMESTAMP_FIELDS = "timestamp" TIME_FORMAT = %d-%m-%Y %H:%M:%S SHOULD_LINEMERGE = false Splunk does not start new interpretation of timestamp as expected, but starts to interpret timestamp value as multivalue field, the first value of which is null, second value - string with time (and internal event time field becomes assinged incorrectly, splunk find null in place, specifyed by TIMESTAMP_FIELDS, and try to determine the time of event by other methods, that is usuccessfully) Why? How to fix? I want to specify my own time format for this JSON sourcetype, for which _time is assigned by "timestamp" field value and expect that there will be one value in timestamp field. Is it possible? Are there any indirect ways if not? ... View more