Hi, I have the below scenario. please could you help?   spl1: index=abc sourcetype=1.1 source=1.2 "downstream" "executioneid=*"  spl2: index=abc sourcetype=2.1 source=2.2 "do not write to downstream" "executioneid=*" both the spl uses the same index and they have the common field called executionid.  some execution ids are designed not to go to downstream application in the flow. I want to combine these two spl based on the executioneid  

Hello. I have a problem with Splunk Dashboard Studio table. Sometimes after refreshing the table, when the content is reloaded, column widths become random, some are too wide, some are too narrow, even though, there is a lot of blank space. That makes the content not fit to the table and a scroll bar appears (an example what it looks like can be seen below) It does not happen all the time, only occasionally, I was not able to determine what it depends on. After sorting the table by one of the columns, everything goes back to normal, column widths become even and the content does not overflow anymore (example what the table should look like can be seen below) Note, that I have set a static width for the first column. I have tried removing it but that does not seem to help much. It seems like column widths still get messed up. Does anyone have any suggestions, what could be causing this? I would like to avoid setting static widths for all columns if possible because in some situations, the total number of columns can be different. I am using Splunk Enterprise v9.1.1

Hi, Yesterday I upgraded a splunk instance from 8.2.6 to 9.1.2. Afterwards all users that have the role "user" are logging every 10 milliseconds this log: 01-04-2024 08:53:44.220 +0000 INFO AuditLogger - Audit:[timestamp=01-04-2024 08:53:44.220, user=test_user, action=admin_all_objects, info=denied ] This issue is filling the index _audit very fast and I had to reduce the index size as a workaround but I doesn't resolve the problem. Have you ever have these problem in your enviroment?

Hi all, I have created an search which returns set of email address and few hosts and using table command to display that. Result looks like below: Hostname Agent Version Email host1 1.0 test1@gmail.com host2 2.0 test2@gmail.com host3 2.0 test1@gmail.com host4 2.0 test1@gmail.com   Now , I want to send separate emails to test1@gmail.com and test2@gmail.com. The email should only contain hosts belonging to them. i.e host1, host3, host4 and its agent version should go to test1@gmail.com and host2 should go to test2@gmail.com I want to embed a link in the alert email body that redirects to search result and should contain hostnames that belong to particular recepient. Can anyone help me how to generate dynamic alert link ? Regards, PNV

I have the following transforms.conf file: [pan_src_user] INGEST_EVAL=src_user_idx=json_extract(lookup("user_ip_mapping.csv",json_object("src_ip", src_ip),json_array(src_user_idx)),"src_user") and props.conf file: [pan:traffic] TRANSFORMS-pan_user = pan_src_user user_ip_mapping.csv file sample: src_ip src_user 10.1.1.1 someuser   However it's not working - not sure what I'm doing wrong? The src_user_idx field is not showing up in any of the logs