Hi I'm afraid that in this case there is SHC which is managed by deployer as it should. BUT then someone has installed one app into one member locally from cli or just unpack that file into correct app folder? @aasserhifni is this assumption correct? If it it then you are in deep s...t. I have one found this kind of situation and only way how I get rid of it was just disable that app locally. It's not help even install it first by SHC Deployer and then remove it by SHC Deployer. It just sit there. I haven't had time to figure out is there any way to get rid of it from cli or other method. It seems that there is some unknown (at least for me) mechanism how SHC manage this kind of situations. Probably something with kvstore and something on filesystems and something on captain. Maybe you could try to stop whole SHC and then remove that app on member and check if it's still there after start all nodes or not. I cannot test that as that environment was quite busy production with main alerts etc. If that is not helping you, you should ask help from Splunk Support, if they have some way to figure it out? r. Ismo ... View more

I have it this way (thanks splunk/ansible-splunk) - name: Set admin access via seed when: splunk_first_run | bool block: - name: "Hash the password" command: "{{ splunk.exec }} hash-passwd {{ splunk.password }}" register: hashed_pwd changed_when: hashed_pwd.rc == 0 become: yes become_user: "{{ splunk.user }}" no_log: "{{ hide_password }}" - name: "Generate user-seed.conf (Linux)" ini_file: owner: "{{ splunk.user }}" group: "{{ splunk.group }}" dest: "{{ splunk.home }}/etc/system/local/user-seed.conf" section: user_info option: "{{ item.opt }}" value: "{{ item.val }}" mode: 0644 with_items: - {opt: 'USERNAME', val: '{{ splunk.admin_user }}'} - {opt: 'HASHED_PASSWORD', val: '{{ hashed_pwd.stdout }}'} loop_control: label: "{{ item.opt }}" when: ansible_system is match("Linux") become: yes become_user: "{{ splunk.user }}" no_log: "{{ hide_password }}"  Then those user + pass information is in config file which are per environment etc. on git. All those secrets are saved by ansible-vault, so there is no passwords as plain text on your repository/inventory. You could have as many config files as you are needing. Usually one or more per environment and customer. ... View more

Hi you could read more, how to use btool check from https://dev.splunk.com/enterprise/tutorials/module_validate/validateapp/ r. Ismo ... View more

Hi This is quite often asked and answered question. You could found many answers via google with search phrase “ site:community.splunk.com index retention time” r. Ismo ... View more

Hi Here is excellent presentation about event distribution “ Best practises for Data Collection - Richard Morgan”. You could found it at least from slide share service. r. Ismo ... View more

As you have gotten valid license, just ask unlock license from same source as you got your normal license. ... View more

You should replace the version number with word “latest” and then you will get the latest version of those documents. ... View more

You should just replace this  splunk_server=* and then it sends that to all search peers. I cannot recall what are those endpoints, but it’s something under config or configurations. ... View more

Hi here is order how those are managed in search time https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence You should ensure that this field has defined before you can use those e.g. in transforms.conf. E.g. if you are using ALIAS-field1 on props.conf you cannot use that field1 as  a SOURCE_KEY in props.conf. In this kind of situation you should extract that information from _raw instead of field which has defined on later phase of input sequence. I'm not sure about your event.url field is same as this TA has defined or not. If it's then you can see in props.conf that it has defined like EVAL-url = Host+URL and if this is your event.url field then it didn't  exists yet when you try to use it on transforms.conf. r. Ismo ... View more

Hi When you are creating an app into Splunk with GUI, there are two separate templates to chosen. Based on your chose it will create different files and directories under that app. When you are starting to create own apps and TAs, I strongly propose that you start to use e.g. git to store those and keep track on your changes. Then you could use some editor like Visual Studio Code to write those together with Simple XML editor and/or Dashboard Studio. There are some old .conf presentation how you can do this. Also read instructions from dev.splunk.com about this. r. Ismo ... View more

Hi You could use @richgalloway 's presented apps. I think that there was presentation about it last our previous .conf? Other option is just use REST requests to get that information what you want to show. On Splunk Cloud you haven't rest access to indexers and otherwise it has restricted amount of endpoints in use. For that reason you cannot get all that information with this way. IMHO: You should have all this kind of configuration in some version control system like git. Create needed Apps and TAs to store those. Maybe separate TAs based on your needs between HF/UF, Indexers and SH. Then just use any suitable methods / processes to install those into correct environment. Try to avoid configure that kind of information via both GUI and conf files. In long run you will avoid lot of issues to use git + Apps/TAs with conf files! r. Ismo ... View more

Hi you should use UF package which is loaded from your SCP stack. Just install it on all your UF+HF which are directly connected to your cloud stack and use its defaults to send into SCP. Don't mesh it! r. Ismo ... View more

Hi maybe this hits your fingers?  grantableRoles This limits what you can see and set. On cloud you cannot see all users as some of those are restricted for only Splunk's own use. r. Ismo  ... View more

It needs equal access as you have in GUI. If you need to access data then you need access to those indexes and same for internal indexes.  The only exception is that there are some scheduled reports which have run as owner. Those should work when you have access to those reports. But if those aren’t scheduled then that’s not working. ... View more

Can you give some sample events and how you would like to present results? ... View more

Hi What issue you are trying to solve with this change? I think that usually it’s better to use S2S between splunk nodes than http version. r. Ismo ... View more

Hi it’s just like @P_vandereerden said. You should read more about it from https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/SearchTimeModifiers#Specify_a_snap_to_time_unit r. Ismo ... View more

Hi you could write “multi line” searches separated by | on one line. In normal situation there is no mater have you written SPL in one line or formatting it to several lines. It’s just for reading it easier. You could also write your query as a report and then call it with savedsearch your report via rest. r. Ismo ... View more

Hi it depends how your roles have defined in authorizations. There is an attribute srchIndexesDefault, which define what indexes are used when you don’t use index=xyz on your query. Of course you must have access to those indexes. This is defined with an attribute srchIndexesAllowed. Those both are define in authorize.conf. As already has said, you should always use index=xyz on your queries to use needed/wanted indexes as different roles has different default indexes.  IMHO you shouldn’t ever use srchIndexesDefault as it leads people to drop that index=xyz part away from queries. r. Ismo ... View more

Hi If query takes long, then maybe you should look if you should use time() instead of now()? 1st gives you current time and 2nd is time when query has started. r. Ismo http://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/DateandTimeFunctions ... View more

Hi you said “due to a recent release”. What is this? A new splunk version, a new software realease of your business app or something else?  r. Ismo ... View more

Hi Could you open what you are meaning with this question? Are you moving splunk indexes on your host to another file system or volume in same node or moving whole node to another box or…. There are already couple of answers for both cases which you could found by google. We can also answer to you after we understand better your current problem. r. Ismo ... View more

Hi You could learn how to use SPL from your local instructions or https://docs.splunk.com/Documentation/Splunk/9.2.1/Search/GetstartedwithSearch We didn’t know your data, indexes etc. so we can’t help you, especially when we don’t know what you want to know. r. Ismo ... View more

Please create a new question as this one is already solved and you seems to have some different requirements. ... View more