All Posts

OK, I have tried it and it does not work.
If you are passing tokens from dashboard A to dashboard B that are inputs in dashboard B, then use &form.token_name=bla where token_name is the name of your token in dashboard B.
Oh, apologies hahaha. Yeah, I tried using dev tools to see which REST endpoint WebUI uses. Not for exporting to CSV but for exporting to PDF (uses pdfgen endpoint). But I can't find Splunk documentation on it anywhere and other forums don't seem to have a working solution. Anyways, thanks for the recommendation. Will raise a case with support for now.
Hi @yuanliu, Sorry, but the previous approach hasn’t worked for me. Let me provide the full context with the entire query. I am trying to compare building names from two sources: an indexed search and a lookup file.
For example, the building_from_search1 values from the indexed search are: "Aachen 1", "Almanor 1", "Almanor 2", "Amsterdam"
The lookup file, which has a column named buildings, contains values like: "Aachen 1", "Almanor 1", "Almanor 2", "Antara"
Currently, I am using the mvappend command to combine both sets and filter for values with a count of 1. However, this approach gives me unique values from both searches, not just the unique values from the indexed search. The target is to print unique values from the indexed search only. In this example, "Amsterdam" should be included in the result, but I am currently getting both "Amsterdam" and "Antara."
Here is the query I am using:
    index= buildings_core "Buildings updated in database*"
    | rex "REQUEST_UNIQUE_ID:(?<request_unique_id>[^ ]+)"
    | rex "Buildings updated in database:\s(?<buildings>\{[^}]+\})"
    | eval buildings = replace(buildings, "[{}]", "")
    | eval buildings = split(buildings, ",")
    | mvexpand buildings
    | eval building_from_search1 = mvindex(split(buildings, ":"), 1)
    | stats values(building_from_search1) as buildings_from_search1 by request_unique_id
    | append [ | inputlookup roomlookup_buildings.csv | stats values(buildings) as buildings_from_search2 ]
    | eval all_buildings = mvappend(buildings_from_search1, buildings_from_search2)
    | stats count by all_buildings
    | where count = 1
    | stats values(all_buildings) as all_buildings
    | eval source="buildings_lacking_timezone_data"
    | table source, all_buildings
Yes. I know that &amp; is an HTML entity. Hence the smiley. Anyway. If exporting from WebUI works OK and the REST-initiated export does not, there are two things you can do:
1) As I mentioned - raise a case with support. It seems like a bug. A proper CSV should be properly quoted/escaped/whatever.
2) You can use developer tools to check which REST endpoint the WebUI uses
@Siddharthnegi - I'm saying not to change, change just to see if it works or not. And this will tell you if that also does not work, meaning it's the issue with how you are editing the file or the file location or something like that. I asked just to validate whether it's the issue with how you are editing the file or a Splunk bug. I hope this helps!!!
Hello Splunkers
In Single Value viz I know we can change text colour or background one at a time, but I have a requirement to control both text and background colour in a single value visualisation, for example:
    IF result > 0
        Text: #9c0006
        Background: #ffc7c
    ELSE
        Text: #006100
        Background: #c6efce
I'm using Splunk cloud so don't have the option to use JavaScript. Simple CSS solution is needed.
Any help will be appreciated
How about setting the time value on the linked dashboard? If I delete the time range on the linked dashboard (B), the visualization is waiting for the token. But if I add a time range there, the global time from the destination dashboard overwrites it.
The "Reports" tab of one of our apps is missing from the Navigation bar as seen in the image below. Below is the content of default.xml from the "local/data/ui/nav" directory. Everything except the "Reports" tab is in a <view> tag but reports is in a <collection> tag. Can anyone please help in bringing this report tab back and explain how this collection tag works?
The &amp is HTML encoding to escape the & character. Exporting to CSV works via the API, but when field values are multi-value and within each multi-value there is a comma as part of the data, exporting to CSV doesn't work.
My three cents
    | where NOT a in b
or
    | where NOT b=a
(as you can do with multivalued fields) is NOT the same as
    | where a!=b
The first form filters out all results where value a appears anywhere in the field b - as one of the values in a multivalued field - whereas the second form keeps all results which have at least one value in field b which is different than a. Also results with empty field b are treated differently.
If you have any news, please update this post. We made a support call to Red Hat without any luck. Hopefully it works for you.
The fields extracted with REPORT are extracted in search time so they're not available in index time for INGEST_EVAL.
Hi @aina.rahman,
Thank you for posting on community. To monitor the SQL Server and SQL Agent services and set up email alerts when they are down, you can follow these steps:
Enable the Email Server if not yet set up: steps to Enable the Email Server
Set up Related Health Rules, Policies, and Actions to Monitor Services
For SQL Server Monitoring, utilize AppDynamics Database Agent:
    Install Database Agent
    Monitor Databases and Database Servers
Steps:
    Set Health Rule: On Controller > Databases > Alert & Respond, configure a health rule. Use the metric DB|KPI|Database Availability to monitor whether the SQL Server is running.
    Set Policies: On Controller > Alert & Respond > Policies, create a new policy. Set the Trigger, Health Rule Scope, and Actions. Add action and configure email to specify where to send alert emails.
By following these steps, I received email alerts when health rules are violated (SQL server down/SQL server stopped).
For SQL Server Agent Monitoring, utilize AppDynamics Machine Agent. AppDynamics Machine Agent can monitor processes on server.
    Machine Agent
    Server Process Metrics
Steps:
    Set up health rule, policy, and action similarly to the database agent above.
Notes: When setting up the health rules, under Affected Entities, select Custom Health Rule Type to set process metrics such as memory usage or count in the Critical/Warning area.
By following these steps, I received email alerts when the SQL Agent service is down.
Other Monitoring Alternatives
Below are some possible alternatives to monitor your Windows services status:
    .NET Agent Extension: .NET Agent extension to monitor Windows services. Reference: .NET Agent Extension Documentation
    Write your own Machine Agent Extension: Machine Agent for custom monitoring of services. Reference: Machine Agent Documentation
Hope this helps.
Regards, Martina
Something got converted here &->&amp; But to the point - if the CSV export works badly, it's material for a support case.
Thank you for the reply, but that name should be "report" not "my report"
The above assumes that your lookup file contents shown is not the one where you are looking up against product_table.csv, but if it's the same table, what are you trying to get from your lookup in the current command? If you only have one lookup then what you want is
    sourcetype=foo index=bar item="productA"
    | lookup product_table.csv productCode AS item
    | timechart span=1d max(dailyBaseline) as baseline sum(product_count) as volume by name
Do you mean something like this?
    sourcetype=foo index=bar item="productA"
    | lookup product_table.csv productCode AS item
    | timechart span=1d sum(product_count) as volume by name
    | lookup product_table.csv name output dailyBaseline
Hello,
I practice the PoC/PoV lab exercise under Black Belt Stage 2 course. When I installed the controller, it showed the disk storage needed is 5120 MB, which is for the Medium profile (5TB), instead of the chosen Demo profile (50GB). Can anyone give advice on my issue? Thanks.
Jonathan Wang, 2024/07/31
Error messages: Task failed: Check if the required data directories have sufficient space on host: appd-server as user: root with message: The destination directory has insufficient disk space. You need a minimum of 51200 MB for installation.
Here's one way you can do it by adding this after your timechart command
    | foreach * [
        eval productCode="<<FIELD>>"
        | lookup baseline.csv productCode OUTPUT name dailyBaseline
        | eval {name}=<<FIELD>>, base_{name}=dailyBaseline
        | fields - productCode name dailyBaseline "<<FIELD>>" ]
After a split by clause the column name is the productCode, so the foreach * will iterate through the columns and create a field called dailyBaseline_productX for each found value. There will be other ways.
Edit: Added friendly name mapping