Here is the complete code

<form version="1.1" theme="light">
  <label>ds_dash_performance Clone</label>
  <!-- Note: no input below sets $time_token$ (the time picker sets $global_time_tok$) and no panel
       references base="base_kpi", so this base search is currently unused. -->
  <search id="base_kpi">
    <query>index=abc sourcetype=abc | table host app,cpu_idle_pct_kpi,cpu_io_wait_pct_kpi,cpu_user_pct_kpi,ds_procs_kpi,free_disk_ds_vtmp_kpi,free_disk_tmp_ds_kpi,free_disk_var_kpi,free_disk_var_tmp_kpi,kernel_rel_kpi,load1m_kpi,load_avg_kpi,mem_free_mb_kpi,mem_free_pct_kpi,reboot_server_kpi,redhat_rel_kpi,region,rx_bps_kpi,sec_env,swap_free_mb_kpi,swap_free_pct_kpi,tx_bps_kpi virtualization_kpi | dedup host</query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel id="Inputs">
      <title>ds_dash_Hostinfo</title>
      <input type="dropdown" token="metric_tok" searchWhenChanged="true" id="metric_tok">
        <label>Top 10 Host Metric Picker</label>
        <search>
          <query/>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <choice value="host.btime">Boot Time</choice>
        <choice value="host.cpu.idle">CPU Idle %</choice>
        <choice value="host.cpu.user">CPU User %</choice>
        <choice value="host.load_1m">Load Avg (1min)</choice>
        <choice value="host.mem.free_gb">Mem Free (GB)</choice>
        <choice value="host.proc.httpsd">DS Httpd Proc Count</choice>
        <choice value="host.proc.postgres">DS Postgres Proc Count</choice>
        <choice value="host.proc.pcsd">PCSd Process Cnt</choice>
        <choice value="host.swap.used_gb">Swap Used (GB)</choice>
        <choice value="host.swap.free_gb">Swap Free (GB)</choice>
        <choice value="host.net.tx_kbs">Net TX (KB/s)</choice>
        <choice value="host.net.rx_kbs">Net RX (KB/s)</choice>
        <choice value="host.mem.used_gb">Mem Used (GB)</choice>
        <choice value="host.disk.dsvtmp.free_gb">/ds/vtmp Free (GB)</choice>
        <choice value="host.disk.dsvtmp.used_gb">/ds/vtmp Used (GB)</choice>
        <choice value="host.disk.tmp.free_gb">/tmp Free (GB)</choice>
        <choice value="host.disk.tmp.used_gb">/tmp Used (GB)</choice>
        <choice value="host.disk.vartmp.free_gb">/var/tmp Free (GB)</choice>
        <choice value="host.disk.vartmp.used_gb">/var/tmp Used (GB)</choice>
        <choice value="host.mem.sssd_be_pages">sssd_be (pages)</choice>
        <default>host.cpu.user</default>
      </input>
      <input type="dropdown" token="host_tok" id="host_tok">
        <label>Host Picker</label>
        <fieldForLabel>ShortName</fieldForLabel>
        <fieldForValue>host</fieldForValue>
        <search>
          <query>index=abc source=host | dedup host | rex field=host "(?&lt;ShortName&gt;[^\.]+)" | eval ShortName=ShortName . " (".'host.info.app'.")" | table ShortName host | sort host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </input>
      <input type="time" searchWhenChanged="true" token="global_time_tok">
        <label>Time Range</label>
        <default>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <html>
        <style>
          table tbody tr td { font-size: 75% !important; padding: 0px 3px !important;}
          .dashboard-panel .panel-head h3 { padding: 1px 1px 1px 1px !important; font-size: 10px !important; }
          /* Styles in an html panel are not scoped to that panel: a bare "thead" selector applies to
             every table on the dashboard and hides each table's header row. */
          thead { visibility: hidden; display: none; /* Optional, but can be more effective */ }
          #Inputs { height: 320px !important; width: 20% !important }
          #host_tok { width: 100%; }
          #host_tok [data-component] { width: auto !important; }
          #metric_tok { width: 100%; }
          #metric_tok [data-component] { width: auto !important; }
        </style>
      </html>
    </panel>
    <panel id="HostMetric">
      <html>
        <style>
          table tbody tr td { font-size: 75% !important; padding: 0px 3px !important;}
          .dashboard-panel .panel-head h3 { padding: 1px 1px 1px 1px !important; font-size: 10px !important; }
          #HostMetric { height: 320px !important; width: 65% !important }
        </style>
      </html>
      <chart>
        <title>$metric_tok$</title>
        <search>
          <query>| mstats avg($metric_tok|s$) prestats=true WHERE "index"="abc_metrics" AND "host"=$host_tok|s$ span=30m | timechart avg($metric_tok|s$) AS Avg | fields - _span*</query>
          <earliest>$global_time_tok.earliest$</earliest>
          <latest>$global_time_tok.latest$</latest>
        </search>
        <option name="charting.drilldown">none</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.fieldColors">{"Avg":"#1e93c6"}</option>
        <option name="charting.gridLinesX.showMajorLines">true</option>
        <option name="charting.axisY.abbreviation">auto</option>
        <option name="charting.legend.mode">seriesCompare</option>
        <option name="charting.fieldDashStyles">{"Avg":"solid"}</option>
        <option name="displayview">analytics_workspace</option>
      </chart>
    </panel>
    <panel id="Hostinfo">
      <html>
        <style>
          table tbody tr td { font-size: 50% !important; padding: 0px 0px !important;}
          .dashboard-panel .panel-head h3 { padding: 0px 0px 0px 0px !important; font-size: 7px !important; }
          #Hostinfo { height: 300px !important; width: 15% !important }
        </style>
      </html>
      <table>
        <title>Info for $host_tok$</title>
        <search>
          <query>index=abc source=host | search host=$host_tok|s$ | rename host.cpu.count as NumCPUs, host.mem.size_gb as MemGB, host.swap.size_gb as SwapGB, host.disk.tmp.size_gb as TmpGB, host.disk.vartmp.size_gb as VarTmpGB, host.disk.dsvtmp.size_gb as DSVtmpGB, host.info.app as App, host.info.boottime as BootTime, host.info.ip as IP4, host.info.rhel as RHEL, host.info.kernel as Kernel, host.info.virt as Virtualization, host.info.type as HostType, region as Region, sec_env as SecEnv, siteid as SiteID | table NumCPUs MemGB SwapGB TmpGB VarTmpGB DSVtmpGB App BootTime IP4 RHEL Kernel Virtualization HostType Region SecEnv SiteID | transpose | rename column as Key,"row 1" as Value | table Key Value</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="count">18</option>
      </table>
    </panel>
  </row>
  <row>
    <panel id="Picker">
      <html>
        <style>
          table tbody tr td { font-size: 75% !important; padding: 0px 3px !important;}
          .dashboard-panel .panel-head h3 { padding: 1px 1px 1px 1px !important; font-size: 10px !important; }
          #Picker{ height: 300px !important; width: 15% !important }
        </style>
      </html>
      <table>
        <title>Top 10 Metric by $metric_tok$</title>
        <search>
          <query>| mstats avg("host.cpu.user") as cpu_user WHERE index="abc_metrics" source=host host.info.app="ds" span=10m BY host | dedup host | eval cpu_user=round(cpu_user,1) | rex field=host "(?&lt;host_short&gt;[^\.]+)" | sort -cpu_user | head 10 | rename host_short as "Host", cpu_user as "CPU Usage (%)" | table "Host" "CPU Usage (%)"</query>
          <earliest>-1h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <!-- The colour format must name the column as it appears in the results; the search above
             renames the value column to "CPU Usage (%)", so that is the field to format. -->
        <format type="color" field="CPU Usage (%)">
          <colorPalette type="expression">case(value &gt;=80,"#ffab91", value &lt;80 AND value &gt;=50,"#fff59d", value &lt;50 AND value &gt;=20, "#c5e1a5", value &lt;20 AND value &gt;=0,"#81d4fa")</colorPalette>
        </format>
      </table>
    </panel>
    <panel id="PortTcount">
      <html>
        <style>
          #PortTcount{ height: 250px !important; width: 10% !important }
          table tbody tr th td { font-size: 75% !important; padding: 0px 1px !important;}
          .dashboard-panel .panel-head h3 { padding: 1px 1px 1px 1px !important; font-size: 10px !important; }
          i.icon-sorts { display: none; }
        </style>
      </html>
      <table>
        <title>Hot Ports (Trans/hour)</title>
        <search>
          <query>index=abc source=port | rename port.port as Port | stats sum(port.code.200) as Tcount by Port | table Port Tcount | sort -Tcount | head 10</query>
          <earliest>-1h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel id="PortADTcount">
      <html>
        <style>
          /* Selector corrected to this panel's own id (it previously targeted #PortTcount). */
          #PortADTcount{ height: 250px !important; width: 10% !important }
          table tbody tr th td { font-size: 75% !important; padding: 0px 1px !important;}
          .dashboard-panel .panel-head h3 { padding: 1px 1px 1px 1px !important; font-size: 10px !important; }
          i.icon-sorts { display: none; }
        </style>
      </html>
      <table>
        <title>Hot Ports (ADTrans/hour)</title>
        <search>
          <query>index=abc source=port | rename port.port as Port | stats sum(port.code.557) as Tcount by Port | table Port Tcount | sort -Tcount | head 10</query>
          <earliest>-1h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel id="PortGbytes">
      <html>
        <style>
          table tbody tr th td { font-size: 75% !important; padding: 0px 1px !important;}
          .dashboard-panel .panel-head h3 { padding: 1px 1px 1px 1px !important; font-size: 10px !important; }
          #PortGbytes{ height: 250px !important; width: 10% !important }
        </style>
      </html>
      <table>
        <title>Hot Ports (GB/hour)</title>
        <search>
          <query>index=abc source=port | rename port.port as Port | stats sum(port.xfer_bytes) as Xbytes by Port | eval Gbytes=round(Xbytes/(1024*1024*1024),2) | table Port Gbytes | sort -Gbytes | head 10</query>
          <earliest>-1h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel id="PortPeakClients">
      <html>
        <style>
          #PortPeakClients{ height: 250px !important; width: 10% !important }
          table tbody tr th td { font-size: 75% !important; padding: 0px 1px !important;}
          .dashboard-panel .panel-head h3 { padding: 1px 1px 1px 1px !important; font-size: 10px !important; }
        </style>
      </html>
      <table>
        <title>Hot Ports (Peak Clients)</title>
        <search>
          <query>index=abc source=port | rename port.port as Port | stats max(port.numclients) as PeakClients by Port | table Port PeakClients | sort -PeakClients | head 10</query>
          <earliest>-1h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel id="AlertInputs">
      <title>ds_dash_Portinfo</title>
      <input type="dropdown" token="class_tok" searchWhenChanged="true" id="class_tok">
        <label>Class</label>
        <choice value="*">All</choice>
        <choice value="Port">Port</choice>
        <choice value="host">Host</choice>
        <choice value="*disk">Disk</choice>
        <choice value="general">General</choice>
        <default>Port</default>
        <initialValue>Port</initialValue>
      </input>
      <input type="dropdown" token="siteid_tok" searchWhenChanged="true" id="siteid_tok">
        <label>SiteID</label>
        <choice value="*">All</choice>
        <default>*</default>
        <initialValue>*</initialValue>
        <fieldForLabel>siteid</fieldForLabel>
        <fieldForValue>siteid</fieldForValue>
        <search>
          <query>index=abc source=alert | dedup siteid | table siteid</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </input>
      <input type="dropdown" token="priority_tok" searchWhenChanged="true">
        <label>Priority</label>
        <choice value="1">1</choice>
        <choice value="2">2</choice>
        <choice value="3">3</choice>
        <choice value="4">4</choice>
        <choice value="5">5</choice>
        <default>5</default>
        <initialValue>5</initialValue>
      </input>
      <html depends="$hiddenForCSS$">
        <style>
          #AlertInputs { width: 15% !important; }
          #siteid_tok option { font-size: 9px !important; line-height: 12px !important; padding: 0px 1px !important;}
        </style>
      </html>
    </panel>
    <panel id="AlertOutputs">
      <html>
        <style>
          #AlertOutputs{ width: 85% !important; }
          table tbody tr td { font-size: 75% !important; padding: 0px 3px !important; text-align: left !important;}
        </style>
      </html>
      <table>
        <search>
          <query>index=abc source=alert alert.class=$class_tok|s$ siteid=$siteid_tok|s$ alert.priority &lt;= $priority_tok|s$ | stats count(_time) as Count latest(_time) as When min(alert.priority) as Priority latest(alert.message) as Message by siteid alert.class alert.item | sort -When | eval HoursAgo=(now()-When)/3600, HoursAgo=round(HoursAgo,3), When=strftime(When,"%+") | table HoursAgo When siteid Count Priority alert.class alert.item Message</query>
          <earliest>-84h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
        <format type="color" field="Priority">
          <colorPalette type="map">{"1":#FFab91,"2":#ffcc80,"3":#fff59d,"4":#c5e1a5,"5":#81d4fa}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <title>Ajay Test</title>
        <search>
          <query>| mstats avg("host.cpu.user") as Value WHERE "index"="abc_metrics" source=host host.info.app="ds" span=10m BY host | dedup host | eval Value=round(Value,1) | rex field=host "(?&lt;host&gt;[^\.]+)" | sort -Value | head 10 | table host Value</query>
          <earliest>$global_time_tok.earliest$</earliest>
          <latest>$global_time_tok.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>
Hi @rishabhpatel20

Can you confirm that no other CSS or JS is loaded in the dashboard? Either in the first couple of lines or within other html blocks in the dashboard? I notice you have uploaded just a section of the dashboard.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
Hi everyone,

What's the value of a token if it is not set in an input? An empty string, null() or something else? I was trying to do something like:

| eval user=if(isnull("$user_token$"), user, "$user_token$")

but it doesn't work.
<table>
  <title>Hot Ports (ADTrans/hour)</title>
  <search>
    <query>index=abc source=port | rename port.port as Port | stats sum(port.code.557) as Tcount by Port | table Port Tcount | sort -Tcount | head 10</query>
    <earliest>-1h</earliest>
    <latest>now</latest>
  </search>
  <option name="drilldown">none</option>
</table>
</panel>
<panel id="PortGbytes">
  <html>
    <style>
      table tbody tr th td { font-size: 75% !important; padding: 0px 1px !important;}
      .dashboard-panel .panel-head h3 { padding: 1px 1px 1px 1px !important; font-size: 10px !important; }
      #PortGbytes{ height: 250px !important; width: 10% !important }
    </style>
  </html>
  <table>
    <title>Hot Ports (GB/hour)</title>
    <search>
      <query>index=abc source=port | rename port.port as Port | stats sum(port.xfer_bytes) as Xbytes by Port | eval Gbytes=round(Xbytes/(1024*1024*1024),2) | table Port Gbytes | sort -Gbytes | head 10</query>
      <earliest>-1h</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">none</option>
  </table>
</panel>
<panel id="PortPeakClients">
  <html>
    <style>
      #PortPeakClients{ height: 250px !important; width: 10% !important }
      table tbody tr th td { font-size: 75% !important; padding: 0px 1px !important;}
      .dashboard-panel .panel-head h3 { padding: 1px 1px 1px 1px !important; font-size: 10px !important; }
    </style>
  </html>
  <table>
    <title>Hot Ports (Peak Clients)</title>
    <search>
      <query>index=abc source=port | rename port.port as Port | stats max(port.numclients) as PeakClients by Port | table Port PeakClients | sort -PeakClients | head 10</query>
      <earliest>-1h</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">none</option>
  </table>
</panel>
</row>
<row>
So here is the image of the dashboard. There are 4 tables and in all 4 there are no headers.

Sample code for 2 tables:

<table>
  <title>Hot Ports (ADTrans/hour)</title>
  <search>
    <query>index=abc source=port | rename port.port as Port | stats sum(port.code.557) as Tcount by Port | table Port Tcount | sort -Tcount | head 10</query>
    <earliest>-1h</earliest>
    <latest>now</latest>
  </search>
  <option name="drilldown">none</option>
</table>
</panel>
<panel id="PortGbytes">
  <html>
    <style>
      table tbody tr th td { font-size: 75% !important; padding: 0px 1px !important;}
      .dashboard-panel .panel-head h3 { padding: 1px 1px 1px 1px !important; font-size: 10px !important; }
      #PortGbytes{ height: 250px !important; width: 10% !important }
    </style>
  </html>
  <table>
    <title>Hot Ports (GB/hour)</title>
    <search>
      <query>index=abc source=port | rename port.port as Port | stats sum(port.xfer_bytes) as Xbytes by Port | eval Gbytes=round(Xbytes/(1024*1024*1024),2) | table Port Gbytes | sort -Gbytes | head 10</query>
      <earliest>-1h</earliest>
Please share the source for your dashboard panel
Hi @sandeep_A1997

Pls check the bucket status: indexer clustering > Indexes > Bucket Status. Pls update us if you have any bucket issues.

Some docs links:
https://help.splunk.com/en/splunk-enterprise/administer/manage-indexers-and-indexer-clusters/9.4/troubleshoot-indexers-and-clusters-of-indexers/bucket-replication-issues
https://splunk.my.site.com/customer/s/article/SF-and-RF-is-not-met-on-Cluster-Manager
Hey @rishabhpatel20,

Can you share the dashboard source code here to understand why the headers are not visible? Also, a clear screenshot from the dashboard that shows the header is missing. The second screenshot displays fields like Hot Ports and Trans/Hour. If those are not the headers, what are you expecting?

Thanks,
Tejas.
I am creating a query and when I see the result I see a proper table with headers, but after saving it to an existing dashboard, it is just displaying the content without headers. I tried to expand the table size as well.

index=abc source=port | rename port.port as Port | stats sum(port.code.557) as Tcount by Port | sort -Tcount | head 10 | table Port Tcount

Search result

The image below is from the dashboard panel, no headings
Suddenly we observed /opt/data was unmounted, and ownership had changed from splunk to root. Mounted it back and restarted the service; still SF and RF are not being met. Restarted the service from AWS, still no response. We have 3 indexers placed in this cluster. Tried a rolling restart for the remaining indexers; when I restarted the second indexer, Splunk stopped and the /opt/data ownership changed and it unmounted. Mounted them again, and the same happened with the 1st indexer too; did not touch the 3rd indexer. Now among the 3 indexers, 2 were down; restarted them, started Splunk on them and mounted /opt/data too, but still we are not able to see SF and RF being met.
Hi @Mirza_Jaffar1

There is no mention of SSL in the error logs, so I am leaning towards an issue with the pass4SymmKey or another encrypted credential. Have you recently made any changes or installed any apps? If you copied a local directory from another instance that contained encrypted credentials, then this instance will be unable to decrypt them; this is because Splunk encrypts credentials based on its own splunk.secret file.

You can verify encrypted keys such as pass4SymmKey by using:

$SPLUNK_HOME/bin/splunk show-decrypted --value '<value>'

When using this you need to change the $ -> \$, otherwise Linux will think this is a variable. For example $7$abc -> \$7\$abc

Please let us know what your architecture is like, e.g. what instance this is within your architecture and if you made any recent changes.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
Hello @gabriele_chini,

Can you provide the code you use for generating the token, and do you save it in kvstore? How long does the token stay active, and do you regenerate the token if it has already expired?

Thanks,
Tejas.
Try (temporarily) adding a new panel to see what your users are getting back from the saved search and whether there are any errors:

<row>
  <panel>
    <title>Operational times</title>
    <table>
      <search>
        <query>| savedsearch set_operational_hours</query>
        <earliest>0</earliest>
        <latest>now</latest>
      </search>
    </table>
  </panel>
</row>

Moving the search may not help if the users' role does not allow them to successfully execute the savedsearch. Please check the permissions (as I said earlier).
Hey @danielbb,

While creating architecture diagrams, I used to go for the config file icon only for any of the conf files, i.e. props, transforms, server, etc. Yes, for inputs there are multiple icons supported, i.e. monitor input, API input, etc. I haven't come across any specific stencils for props/transforms.

Thanks,
Tejas.
Thanks, I'm wondering if it's a permissions issue. The details on what the process is running as and the ownership of the files in /opt/splunkforwarder should help rule it in/out either way! Let me know if you can get hold of this information. Thanks
Better to use RPM, as then there are those pre and post scripts which do some cleaning and other tasks that are not done if you are just unzipping the archive into the /opt/splunk directory! And with tgz you must always, as root, do "chown -R splunk:splunk /opt/splunk" (or whatever your splunk user is) before you start it after the update!
I suppose that when you are running this

<search id="operational_hours">
  <query>| savedsearch set_operational_hours</query>
  <finalized>
    <set token="operational_start_time">$result.operational_start_time$</set>

it uses some indexes or other KOs which are not allowed for regular users. You should check whether users can use that command in the GUI and get results. If I remember correctly there were some restrictions on using at least loadjob in a SHC, but I'm not sure if there are the same kind of restrictions with the savedsearch command? I couldn't find any mentions in the docs.

Then you must remember this:

When the savedsearch command runs a saved search, the command always applies the permissions associated with the role of the person running the savedsearch command to the search. The savedsearch command never applies the permissions associated with the role of the person who created and owns the search to the search. This happens even when a saved search has been set up to run as the report owner.

If you need to get this run as the owner instead of the running user, you must use ref on the dashboard for those queries. But even then you cannot add/modify the parameters which those searches accept and use. If you try to use those then Splunk runs them as the user, not as the owner.
Hello @NanSplk01,

If it is only the actions field that you're interested in from the subsearch, you don't need to perform all of the other operations. But since you're using splunk_server=* in the second search, here's something that might help you.

| rest /servicesNS/-/-/saved/searches
| search title=kafka*
| rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV"
| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4", SEV == "3", "Warning-3", SEV == "2", "Low-2", SEV == "1", "Info-1")
| eval identifierDate=now()
| convert ctime(identifierDate) AS identifierDate
| table identifierDate title lastUpdated, nextRunTime, emailTo, query, severity, emailTo
| fillnull value=""
| sort -lastUpdated
| join type=left title
    [ | rest "/servicesNS/-/-/saved/searches" timeout=300 splunk_server=*
      | search disabled=0 AND title="kafka*"
      | fields title actions splunk_server
      | stats values(actions) as actions by title splunk_server ]

Let me know if this helps your use case.

Thanks,
Tejas.

--- If the solution works, an upvote is appreciated..!!
splunk and root permission conflicts, as per the permission errors in the logs

1. wget the version in /opt
2. allocate splunk permission to the .tgz
3. stop the splunk services
4. extract the tgz as the splunk user while upgrading

This should work
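The replies above all come back to the same check: which account the Splunk process runs as, and whether every file under the install directory is owned by that account (the "chown -R splunk:splunk" step after a tgz upgrade). As an added example that is not code from any poster, here is a Python ownership audit that walks an install tree and lists every path not owned by the service account. The directory name /opt/splunkforwarder and the user name "splunk" are taken from the posts above; the throwaway tree built in demo() is constructed for the example.

```python
import os
import pwd
import tempfile


def files_not_owned_by(root, uid):
    """Walk root without following symlinks and return every path (relative to root)
    whose owner is not uid. Each directory is checked once, as the dirpath of its own
    walk step; symlinked directories are checked but not descended into."""
    mismatched = []
    for dirpath, dirnames, filenames in os.walk(root):
        candidates = [dirpath]
        candidates += [os.path.join(dirpath, f) for f in filenames]
        candidates += [os.path.join(dirpath, d) for d in dirnames
                       if os.path.islink(os.path.join(dirpath, d))]
        for path in candidates:
            if os.lstat(path).st_uid != uid:
                mismatched.append(os.path.relpath(path, root))
    return sorted(mismatched)


def audit_splunk_home(splunk_home, service_user="splunk"):
    """Resolve the service account and report the paths under splunk_home it does not own.
    Returns (uid, mismatched_paths); an empty list means no recursive chown is needed."""
    uid = pwd.getpwnam(service_user).pw_uid
    return uid, files_not_owned_by(splunk_home, uid)


def demo():
    """Constructed run on a throwaway tree shaped like a tiny $SPLUNK_HOME.
    Returns the mismatch count for the current user (everything was just created by us,
    so 0) and for a uid that owns nothing in the tree (every path is reported)."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("etc/system/local", "etc/auth"):
            os.makedirs(os.path.join(tmp, rel))
        for rel in ("etc/system/local/server.conf", "etc/auth/splunk.secret"):
            with open(os.path.join(tmp, rel), "w") as fh:
                fh.write("# placeholder content, constructed for the example\n")
        me = os.getuid()
        as_me = len(files_not_owned_by(tmp, me))
        as_other = len(files_not_owned_by(tmp, me + 1))
        return as_me, as_other


if __name__ == "__main__":
    # (0, 7): the tree root, four directories and two files, none owned by the other uid.
    print(demo())
    # Real use on a forwarder host, assuming the paths and user named in the posts:
    # uid, bad = audit_splunk_home("/opt/splunkforwarder", "splunk")
```

Run it as root (or as a user that can stat the whole tree) so that permission-denied errors do not mask the result; a non-empty list after a tgz upgrade extracted as root is exactly the condition the chown step fixes.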
What does this indicate?

06-19-2025 11:09:33.046 +0000 ERROR AesGcm [65605 MainThread] - Text decryption - error in finalizing: No errors in queue
06-19-2025 11:09:33.046 +0000 ERROR AesGcm [65605 MainThread] - AES-GCM Decryption failed!
06-19-2025 11:09:33.047 +0000 ERROR Crypto [65605 MainThread] - Decryption operation failed: AES-GCM Decryption failed!
06-19-2025 11:09:33.081 +0000 ERROR AesGcm [65605 MainThread] - Text decryption - error in finalizing: No errors in queue
06-19-2025 11:09:33.081 +0000 ERROR AesGcm [65605 MainThread] - AES-GCM Decryption failed!
06-19-2025 11:09:33.081 +0000 ERROR Crypto [65605 MainThread] - Decryption operation failed: AES-GCM Decryption failed!
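As an added example that is not code from any poster, the following Python ties this post to the earlier reply about pass4SymmKey and splunk.secret: it parses splunkd.log lines in the layout quoted above (the six quoted lines are embedded as the sample, plus one constructed INFO line) and extracts the Crypto "AES-GCM Decryption failed" events, then scans a .conf fragment for values Splunk has encrypted, which are the settings that stop decrypting once a conf file written under one splunk.secret is read under another. The server.conf fragment, its stanza names and the `$7$`/`$1$` values are constructed placeholders, not real ciphertext.

```python
import re

# Sample input: the splunkd.log lines quoted in the post above, plus one constructed INFO line
# so the parser is exercised on a non-error record as well.
SAMPLE_LOG = """\
06-19-2025 11:09:33.046 +0000 ERROR AesGcm [65605 MainThread] - Text decryption - error in finalizing: No errors in queue
06-19-2025 11:09:33.046 +0000 ERROR AesGcm [65605 MainThread] - AES-GCM Decryption failed!
06-19-2025 11:09:33.047 +0000 ERROR Crypto [65605 MainThread] - Decryption operation failed: AES-GCM Decryption failed!
06-19-2025 11:09:33.081 +0000 ERROR AesGcm [65605 MainThread] - Text decryption - error in finalizing: No errors in queue
06-19-2025 11:09:33.081 +0000 ERROR AesGcm [65605 MainThread] - AES-GCM Decryption failed!
06-19-2025 11:09:33.081 +0000 ERROR Crypto [65605 MainThread] - Decryption operation failed: AES-GCM Decryption failed!
06-19-2025 11:09:34.000 +0000 INFO  loader [65605 MainThread] - Splunkd starting (constructed line)
"""

# splunkd.log layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component [pid Thread] - message"
LOG_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) \[(?P<pid>\d+) (?P<thread>[^\]]+)\] - (?P<message>.*)$"
)


def parse_splunkd_log(text):
    """Parse splunkd.log text into one dict per line; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(line) for line in text.splitlines()) if m]


def decryption_failures(events):
    """Timestamps at which the Crypto component reported a failed AES-GCM decryption.

    The AesGcm lines just before each one are the lower-level detail of the same operation,
    so keying on the Crypto line gives one entry per failed decryption."""
    return [
        f"{e['date']} {e['time']}"
        for e in events
        if e["level"] == "ERROR"
        and e["component"] == "Crypto"
        and "AES-GCM Decryption failed" in e["message"]
    ]


# Constructed server.conf fragment; the encrypted values are placeholders, not real ciphertext.
SAMPLE_CONF = """\
[general]
serverName = idx-1
pass4SymmKey = $7$PLACEHOLDER-AES-GCM-CIPHERTEXT

[clustering]
mode = peer
pass4SymmKey = $7$ANOTHER-PLACEHOLDER

[sslConfig]
sslPassword = $1$PLACEHOLDER-LEGACY-FORMAT
"""

STANZA_RE = re.compile(r"^\[(?P<stanza>[^\]]+)\]$")
# Splunk prefixes values it has encrypted with splunk.secret with "$7$" (AES-GCM) or,
# for the older scheme, "$1$".
ENCRYPTED_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<scheme>\$[17]\$)\S+$")


def encrypted_settings(conf_text):
    """Return (stanza, key, scheme) for every encrypted value in a .conf file.

    These are the settings that fail to decrypt when the file was written under a different
    splunk.secret; for $7$ values the failure surfaces as the AES-GCM errors parsed above."""
    found = []
    stanza = "default"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        s = STANZA_RE.match(line)
        if s:
            stanza = s.group("stanza")
            continue
        e = ENCRYPTED_RE.match(line)
        if e:
            found.append((stanza, e.group("key"), e.group("scheme")))
    return found


if __name__ == "__main__":
    events = parse_splunkd_log(SAMPLE_LOG)
    print(f"{len(decryption_failures(events))} failed decryption(s) in {len(events)} log lines")
    for stanza, key, scheme in encrypted_settings(SAMPLE_CONF):
        print(f"[{stanza}] {key} is encrypted ({scheme})")
```

Pointing encrypted_settings() at the local directory that was copied in gives the list of stanzas to compare against the show-decrypted check from the earlier reply, one encrypted value per Crypto error being the pattern to expect.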