Morning All,
Popped onto the estreamer dashboard this morning in our Splunk Cloud environment (7.0.3.8) and noticed none of the metrics/statistics were populating.
Checking into the dashboard code itself, I can see validation warnings specifically in relation to 'legacy notation' or 'unknown option name'. I was under the impression that a Splunk app updated automatically within the Splunk environment? Is there a way to update the notations/options so Splunk can then populate the dashboard?
For example, this is some of the troublesome XML below:
<searchString>`SfeS-client-check-logs` | eval state=case(status_id=-1,"Error", status_id=0,"Disabled", status_id=1,"Running", status_id=2,"Running", status_id=3,"Stopping", status_id=4,"Restarting") | table state</searchString>
<earliestTime>-90s</earliestTime>
<latestTime>now</latestTime>
Found this from some previous XML legacy notation answers on here, however I can't quite get the fiddling around on the XML to work:
......
....your_search
...what you put here only affects the research that is in the query tag.
</search
I'm still unsure exactly how to populate here even with the above explanation, as I'm still getting legacy notations or unexpected close arguments!
Kind Regards,
Thomas Brewster
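
An added example, not part of the original post or of the eStreamer app: in current Simple XML the legacy `<searchString>`, `<earliestTime>` and `<latestTime>` elements become `<query>`, `<earliest>` and `<latest>` inside a single `<search>` element. The Python sketch below rewrites exported dashboard source that way; the `<dashboard>/<row>/<single>` wrapper in the sample is constructed, and it assumes Python 3.9+ for `ET.indent`.

```python
import xml.etree.ElementTree as ET

# Legacy Simple XML element -> child of <search> in the current notation.
LEGACY_TO_CURRENT = {
    "searchString": "query",
    "earliestTime": "earliest",
    "latestTime": "latest",
}

# Constructed sample: the three legacy lines from the post inside an assumed panel.
SAMPLE = """<dashboard>
  <row>
    <single>
      <searchString>`SfeS-client-check-logs` | eval state=case(status_id=-1,"Error", status_id=0,"Disabled", status_id=1,"Running", status_id=2,"Running", status_id=3,"Stopping", status_id=4,"Restarting") | table state</searchString>
      <earliestTime>-90s</earliestTime>
      <latestTime>now</latestTime>
    </single>
  </row>
</dashboard>"""


def modernize(xml_text):
    """Wrap each legacy inline search in <search> with query/earliest/latest."""
    root = ET.fromstring(xml_text)
    # Snapshot the element list so the tree can be edited while walking it.
    for parent in list(root.iter()):
        legacy_query = parent.find("searchString")
        if legacy_query is None:
            continue  # nothing to convert in this element
        search = ET.Element("search")
        # Put <search> where the legacy query was, so panel order is kept.
        parent.insert(list(parent).index(legacy_query), search)
        for old, new in LEGACY_TO_CURRENT.items():
            child = parent.find(old)
            if child is not None:
                ET.SubElement(search, new).text = child.text
                parent.remove(child)
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(modernize(SAMPLE))
```

This covers only the three elements shown in the post; 'unknown option name' warnings come from `<option>` entries and need checking separately against the Simple XML reference for the Splunk version in use.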