Hard a hard time debugging that one. It only works if your SPL code with subquery return is in a dashboard "base search". <dashboard> <label>My dashboard title</label> <search id="parent_search_1"> <query>``` put your query here with your subquery return $ ```</query> </search> <row> <panel> <table> <title>My child visualization</title> <search base="parent_search_1"> <query>``` have the rest of your query there ```</query>   ... View more

If the hostname of your computer is "localhost", it won't even try to connect to the Deployment Server. ... View more

Splunk 8.x.x here. Profiling settings did block my apply bundle command. /opt/splunk/bin/splunk apply cluster-bundle Encountered some errors while applying the bundle. Cannot apply (or) validate configuration settings. Bundle validation is in progress. /opt/splunk/bin/splunk show cluster-bundle ... <bundle_validation_errors on master> ...   This command did the trick: curl -k -u admin https://CLUSTER_MASTER_IP:8089/services/cluster/master/control/default/cancel_bundle_push -X POST   And I could edit and apply the bundle afterwards. ... View more

Same problem, no solution found. If it can grab AWS namespaces, why can't it grab Custom namespaces? ... View more

Why don't you add a new field to your datamodel and assign it the _indextime value ? ... View more

My work-around is to add a normalized value for the action field. action="logout" ... View more

Following the previous answer, simply use a stats command: | index=yourindex | rex "(?<newfield>[^\/]+)(?=.vmx)" | stats latest(_raw), count by newfield   ... View more

Fast forward to 2019, Splunk 7, the bug is still happening. One dashboard queries and evals action="restart_splunkd" which causes an Audit:[timestamp=XXX, user=XXX, action=restart_splunkd, info=granted][n/a] log to appear in the _audit index with an audittrail sourcetype (everytime the dashboad is reloaded). ... View more