I had something similar happen and found that the server had a time skew of over two hours.  I set the time and the redirects stopped. ... View more

I had the same issue with DBX v3.1.3 with MS SQL query setups in the GUI: ERROR ... Error handling a request: ... Caused by: java.lang.NullPointerException: null at com.splunk.dbx.server.util.ResultSetMetaDataUtil.isTableHavingSameNameColumns I updated the configurations on the back end and they work fine. ... View more

Just came across this old post but still dealing with the question. You can deploy a script (scripted input) to change the target Deployment Server in system/local/deploymentclient.conf. I ran into a restart cycle putting the restart in the script directly (test, test, test again). To work around that I deploy one app to make the change, wait, verify, deploy a second app that only has the restartSplunkd = 1 setting and not doing anything else. Now I just need a script for my UFs on Windows machines (yay). ... View more

Interesting note , I used 3 methods to get characters and deal with several lines in my data: | abstract maxterms=24 maxlines=1 -I wanted to only see the first line but this pulled 24 characters into one line. Not too bad though. | rex "^(?.{24})" -Did not match the new line, returned nothing if first line was shorter than 24 characters. | eval TIME=substr(_raw,1,24) -Going to use this one. Using this to look at TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, and TIME_FORMAT settings in bulk. ... View more

I was able to make a new field from _raw with an intentional text put in then split on the text something like: index=main host=foo1bar2 | rex mode=sed field=_raw "s/\d/KEYBOARDWHACK/g" | eval splitField=split(_raw,"KEYBOARDWHACK") | mvexpand splitField Then you can reference the new splitField for what ever else you want to do. ... View more

So, I use that at the end of my title. ... View more

$field1.earliest$ to $field1.latest$ ... View more

This worked for me with time pickers. It is not pretty while it waits for data to load but once it gets the field1 values it works. Next I want to play with the time format. ... View more

I had run into something like this before and adjusted my maxWarmDBCount to several thousand (default 300). That helped before when I was losing buckets fast (small cold retention, then freezing and rolling off). Running on 6.2.3. Now I am seeing a very occasional bucket move to cold which is fine for now but I do not see why it is happening. I have plenty of space and my maxWarmDBCount update is still there: ./splunk cmd btool indexes list | grep -A30 | grep maxWarmDBCount Is there some need to distinguish hot and warm settings? They are in the same index homes for me (volume:hot:*). ... View more

In 6.2 I have been able to add a host value into email alert subjects by adding a variable. In savedsearches.conf under the alert stanza: action.email.subject = $name$ : $result.host$ You can also add the variable via the web interface. I am not sure about custom fields though. ... View more

Where are the queries coming from? Can you control the source and the applications that your users are using during the copy and pasting? For example, does the text encoding look like what you want in Notepad, Notepad ++, or TextPad? Can you create a process to specify what to use to copy, edit, then paste queries that does not create encoding issues for you? ... View more