I get this error when trying to launch the Atlassian JIRA Issue Alert App.. https://splunkbase.splunk.com/app/5037/ It works well on another server that I have though, but no idea why. Any ideas what to check?  The call triggering this is following: https://hostname:port/en-GB/splunkd/__raw/servicesNS/nobody/TA-atlassian-jira-issue-alerts/TA_atlassian_jira_issue_alerts_settings/proxy?output_mode=json&_=1605256012447  The error in splunkd.log:  ERROR AdminManagerExternal - Received malformed XML from external handler: hello world\n1267650600228229401496703205376\n<eai><eai_settings><ACTION_CRED>--cred--</ACTION_CRED><appName>TA-atlassian-jira-issue-alerts</appName><callerArgs><id>proxy</id><args/></callerArgs><capabilityRead></capabilityRead><capabilityWrite></capabilityWrite><context>2</context><customAction></customAction><customActionCap></customActionCap><didFilter>False</didFilter><didPaginate>False</didPaginate><docShowEntry>True</docShowEntry><endpoint>&lt;splunktaucclib.rest_handler.endpoint.MultipleModel object at 0x7f105c49a490&gt;</endpoint><handler>&lt;splunktaucclib.rest_handler.handler.RestHandler object at 0x7f105c3a3310&gt;</handler><maxCount>30</maxCount><payload></payload><posOffset>0</posOffset><requestedAction>2</requestedAction><requestedFilters></requestedFilters><restartRequired>False</restartRequired><shouldAutoList>True</shouldAutoList><shouldFilter>False</shouldFilter><shouldReload>False</shouldReload><sortAscending>true</sortAscending><sortByKey>name</sortByKey><supportedArgs><arg name="--cred--"><isRequired>False</isRequired></arg></supportedArgs><userName>nobody</userName></eai_settings><config_info><feed_name></feed_name></config_info></eai>\n ... View more

Hi, I have hundreds of sourcetypes and the intervals when sourcetypes are sending data are not realtime, some are sending weekly, some are sending every few hours, some have other weird patterns. I want to predict when sourcetypes will send data, so I tried predict command and used ML Toolkit, unfortunately the query is extremely slow because of the map command.  Why is it so slow? The base query, taking the list of sourcetypes from a csv is extremely fast, under 1 second, and the query that comes after map, if I run it by itself it takes 4 seconds when I run for a specific sourcetype, so running for each sourcetype should not be so slow.  However when running them together with map command, it does not run, it is incredibly slow. Is there a way to make this faster? I tried without map, but joins were also problematic because the subquery that does the prediction does not work with more than 1 sourcetypes, so my other attempts to join the data has failed.   | inputlookup sourcetypes.csv | dedup sourcetype | table sourcetype | map [ search index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series =$sourcetype$ | head 10 | stats count as counts_data_indexed by _time series | predict counts_data_indexed as predicted_counts_data_indexed algorithm=LLP5 holdback=0 future_timespan=1 upper0=upper0 lower0=lower0 | table sourcetype series _time counts_data_indexed predicted_counts_data_indexed | stats max(_time) as next_predicted_time last(series) as sourcetype | convert timeformat="%Y-%m-%d %H:%M:%S.%3N" ctime(next_predicted_time) ]   Now even if I change the first query and only have a sourcetype, the map command will still take forever.   --I am running this for 30 days | makeresults | eval sourcetype=splunkd | dedup sourcetype | map [ search index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series=$sourcetype$ | head 20 | stats count as counts_data_indexed by _time series | predict counts_data_indexed as predicted_counts_data_indexed algorithm=LLP5 holdback=0 future_timespan=1 upper0=upper0 lower0=lower0 | table sourcetype series _time counts_data_indexed predicted_counts_data_indexed | stats max(_time) as next_predicted_time last(series) as sourcetype | convert timeformat="%Y-%m-%d %H:%M:%S.%3N" ctime(next_predicted_time)]       Ps: If I manage to do this query , will be able to make many useful queries and alerts based on predicted volume, if a source is sending more or less than usual, determining if a sourcetype has stopped sending (by comparing the prediction), there are many use cases that I can use in the future.  ... View more

Hi, I've configured inputs.conf like below, but I can't see any data. (Other stanzas for [perfmon:// are all working perfectly.) The log does not show anything about it. How can I validate that this name is correct "HTTPSvcReqQueues" and the rest of the input config is correct? Thanks! [perfmon://HTTPSvcReqQueues] counters = * disabled = 0 index = perfmon instances = * interval = 10 object = HTTP Service Request Queues useEnglishOnly = true ... View more