HI, I have a single query to get all types of data in table. for one particular type I have an issue with the null values, i need to remove those null value results for the particular type only without effecting the other types of data. I need to remove those null values in that "error message" field for type 1 , for Type 2 it should be as it is. Thanks in advance.

Hi! I have a dashboard with two parts - a table based on an existing dataset, and a column chart based on this query:   | bucket _time span=day | stats count by _time   The full table code looks like this:   { "type": "splunk.column", "dataSources": { "primary": "..." }, "title": "...", "options": { "x": "> primary | seriesByName('_time')", "y": "> primary | frameBySeriesNames('count')", "legendDisplay": "off", "xAxisTitleVisibility": "hide", "yAxisTitleText": "...", "showYAxisWithZero": true }, "eventHandlers": [], "context": {}, "showProgressBar": false, "showLastUpdated": false }   I want a click on any column to filter the table based on global_time - if I click on March 22, it filters the table to only show records where the _time is Mar 22 00:00:00 to Mar 22 23:59:59. How do I do that?

receiving the following error when trying to run "./splunk show cluster-bundle-status" 'Failed to contact the cluster manager. ERROR:  Cluster manager is not enabled on this node. "    A duplicate error is displayed for the peers.  But when I sign into the cluster manager and go to indexer clustering there is all my 4 indexers on the dashboard and the manager node is properly set in configuration. I've even double checked the .conf files.  Any suggestions?    

Is there an existing Splunk log that would identify the time an entity is "retired" in Splunk ITSI? I recently had a significant amount of my entities retire for some reason despite the entities still sending metrics data to the metrics indexes. I do have an auto-retire policy in place, but I do not believe that any of the entities in question would not have sent data in the amount of time needed for the auto-retire policy to trigger on them. I am hoping to find a log that would help me identify when entities were retired and how they were retired, be it by the auto-retire policy or an admin making a mistake somehow.

I am trying to compare an IP address field called ex_ip thats stored in a lookup file with an index called activity which contains dest, src and a few other fields. I am trying to match the ex_ip from the lookup file with the dest IP from the activity index. My following query is not resulting in any matches. Any help would be appreciated. index="activity" |lookup activity2 ex_ip as lb OUTPUT ex_ip as match |eval match=if(LIKE('dest', 'ex_ip'), 1, 0) |search match=1  

I am having trouble with my search. I am finding groups and my groups are broken down into organization, unit, and subunit. The tokens are being passed in for each respective part of the group.  example: Group1: apple.banana.orange Group2: apple. banana.grape Group3: melon.berry index | search organization = $org$ | search unit = $unit$ | search subunit = $subunit$ | eval group = organization."."unit."."subunit This would output apple.bananan.orange and apple.banana.grape, but would not show anything for melon.berry Sometimes I have groups that do not have subunits. When I tried to add the fillnulll: index | search organization = $org$ | search unit = $unit$ | fillnull value="" $subunit$ | eval group =if(isnotnull($subunit$), organization."."unit."."subunit, "organization.".".unit) That worked for groups with no subunit, but then the groups that did have subunits it did not work. This would output melon.berry, but it would output all the events for apple.banana. It wouldn't do the search specifically for orange or grape.  I am trying to have my search handle when a subunit token is passed and it is blank, what to do with it to output the correct values.