All Posts
I have used the uniqueId and message in xyseries, but am getting that error message for xyseries. I have 2 log events and both will have uniqueId in that event; now I want both log events to be in my result table only when they both have the same value for uniqueId. Whereas, as per the below query, it brings even the log events which do not have the same uniqueId or matching message in them.

index=finder_db AND (host="host1" OR host="host2") AND (("Wonder Exist here") OR ("Message=Limit the occurrence" AND "FinderField=ZEOUS"))
| table uniqueId, FinderField by uniqueId
| stats values(FinderField) as FinderField, values(FinderField) as FinderField by uniqueId

Host1 and host2 in this query are my server names where these logs would exist. I am searching for 2 strings in the log events: one is "Wonder Exist here" and the second starts with Message=, and both logs will have uniqueId, which I want to match for both events and bring as 1 single row in the result.

Hope I am able to explain, and thanks for help
Did not know that you could do this on an "app level", but it might be worth looking into different push modes! Thanks
So what are you looking to change? The application and the way it logs errors?
Please clarify - if you have unsolved checked, it should be red if the count is greater than 0 but if it is 0 then the panel is green? Since you are using checkboxes, what do you want if both boxes are checked?
Hi, we have a Java-based application & they are getting an error every minute (EventLogger)
No, for unsolved it will be red; only if the count is 0 will the panel color be green. And for solved all panels should be green, nothing should be red.
Hello everyone, I'm facing challenges with integrating Splunk and Jira using the Splunk Add-on for Jira Cloud. I've set up a new input using a token from an admin account and created an indexer to centralize the data. However, despite these configurations, I am unable to retrieve the events as expected. I have verified that the token is valid and have ensured the input configurations in Splunk are correct, but nothing seems to work properly. The Jira admin account has the necessary permissions to access the required events, yet no data is being collected in Splunk. I am seeking advice or suggestions on what might be causing this issue. If anyone has encountered similar problems or has ideas on steps to resolve this, I would greatly appreciate your insights. Thank you in advance for your help!
There is insufficient information - what application, what errors, what logger, what customer? Please provide more detail about your usecase.
I am getting this error: Error in 'xyseries' command: At least one data field must be specified. Should my initial search already provide a table for stats and xyseries? Can I put a condition for 2 log events that they must match uniqueId? As I do not want to combine 2 log events where uniqueId in both is not matching.
If I understood correctly, you want red and green if unsolved is checked and green and red if unsolved is not checked?

<form version="1.1" script="solved3.js ,minor.js, warning.js , critical.js" theme="dark">
  <label>SBC Monitoring</label>
  <init>
    <set token="rangeColors">"0x118832","0xd41f1f"</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="srStatus">
      <label>Status</label>
      <choice value="1">solved</choice>
      <choice value="0">unsolved</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>solved=</valuePrefix>
      <delimiter> OR </delimiter>
      <default>0</default>
      <initialValue>1,0</initialValue>
      <change>
        <eval token="rangeColors">if(isnotnull(mvfind($form.srStatus$,"0")),"\"0x118832\",\"0xd41f1f\"","\"0xd41f1f\",\"0x118832\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>MINOR EVENTS</title>
      <single>
        <search>
          <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_minor.csv``` | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">[$rangeColors$]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="minor">minor</set>
          <unset token="major"></unset>
          <unset token="critical"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>MAJOR EVENTS</title>
      <single>
        <search>
          <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_major.csv``` | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">[$rangeColors$]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="major">major</set>
          <unset token="minor"></unset>
          <unset token="critical"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>CRITICAL EVENTS</title>
      <single>
        <search>
          <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_critical.csv``` | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">[$rangeColors$]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="critical">critical</set>
          <unset token="major"></unset>
          <unset token="minor"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>WARNING EVENTS</title>
      <single>
        <search>
          <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_warning.csv``` | search $srStatus$ | stats count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">[$rangeColors$]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="warning">warning</set>
          <unset token="major"></unset>
          <unset token="minor"></unset>
          <unset token="critical"></unset>
        </drilldown>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>MINOR ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM
| dedup S
| rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);"
| rex field=_raw "\[Time:(?&lt;Time&gt;.*)]"
| rex field=Time "(?&lt;date&gt;.*)@"
| rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)"
| rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]"
| rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)"
| table Alarm_Type Region message IP Severity Time date
| search Severity=minor
| stats count as Total by date
| appendpipe [ stats count | eval Message="No Minor Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date]
| transpose 0
| eval allnulls=1
| foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ]
| where allnulls=0
| fields - allnulls
| transpose 0 header_field=column
| fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>MAJOR ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM
| dedup S
| rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);"
| rex field=_raw "\[Time:(?&lt;Time&gt;.*)]"
| rex field=Time "(?&lt;date&gt;.*)@"
| rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)"
| rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]"
| rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)"
| table Alarm_Type Region message IP Severity Time date
| search Severity=major
| stats count as Total by date</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>CRITICAL ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM
| dedup S
| rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);"
| rex field=_raw "\[Time:(?&lt;Time&gt;.*)]"
| rex field=Time "(?&lt;date&gt;.*)@"
| rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)"
| rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]"
| rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)"
| table Alarm_Type Region message IP Severity Time date
| search Severity=critical
| stats count as Total by date
| appendpipe [ stats count | eval Message="No critical Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date]
| transpose 0
| eval allnulls=1
| foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ]
| where allnulls=0
| fields - allnulls
| transpose 0 header_field=column
| fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>WARNING ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM
| dedup S
| rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);"
| rex field=_raw "\[Time:(?&lt;Time&gt;.*)]"
| rex field=Time "(?&lt;date&gt;.*)@"
| rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)"
| rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]"
| rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)"
| table Alarm_Type Region message IP Severity Time date
| search Severity=warning
| stats count as Total by date
| appendpipe [ stats count | eval Message="No Warning Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date]
| transpose 0
| eval allnulls=1
| foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ]
| where allnulls=0
| fields - allnulls
| transpose 0 header_field=column
| fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$minor$">
      <title>Minor Events</title>
      <table id="sbc_minor_table">
        <search>
          <query>| inputlookup sbc_minor.csv
| search $srStatus$
| eval Server_Name=case(IP == "10.2.96.35","US-SOU", IP == "10.82.10.245","KR-SEL", IP == "10.86.164.25","CN-SGH", IP == "10.86.68.25","CN-SHH", IP == "10.86.128.25","CN-SHA", IP == "10.20.41.90","DE-SLO", IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$major$">
      <title>Major Events</title>
      <table id="sbc_alarm_table">
        <search>
          <query>| inputlookup sbc_major.csv
| search $srStatus$
| eval Server_Name=case(IP == "10.2.96.35","US-SOU", IP == "10.82.10.245","KR-SEL", IP == "10.86.164.25","CN-SGH", IP == "10.86.68.25","CN-SHH", IP == "10.86.128.25","CN-SHA", IP == "10.20.41.90","DE-SLO", IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$critical$">
      <title>Critical Events</title>
      <table id="sbc_critical_table">
        <search>
          <query>| inputlookup sbc_critical.csv
| search $srStatus$
| eval Server_Name=case(IP == "10.2.96.35","US-SOU", IP == "10.82.10.245","KR-SEL", IP == "10.86.164.25","CN-SGH", IP == "10.86.68.25","CN-SHH", IP == "10.86.128.25","CN-SHA", IP == "10.20.41.90","DE-SLO", IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$warning$">
      <title>Warning Events</title>
      <table id="sbc_warning_table">
        <search>
          <query>| inputlookup sbc_warning.csv
| search $srStatus$
| eval Server_Name=case(IP == "10.2.96.35","US-SOU", IP == "10.82.10.245","KR-SEL", IP == "10.86.164.25","CN-SGH", IP == "10.86.68.25","CN-SHH", IP == "10.86.128.25","CN-SHA", IP == "10.20.41.90","DE-SLO", IP == "10.150.222.120","DE-BIE")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
I'm not sure what "columns" you want from this data but, assuming that you want to have a table with various messages per id and status, you might want something like

<your initial search>
| stats values(Message) as Message by UniqueId Status
| xyseries UniqueId Status Message
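As an added illustration (not part of the answer above, and not Splunk's own code), here is a small Python model of what that stats + xyseries pipeline produces, run over the three sample events from the question plus one constructed event with a different UniqueId. The require_statuses filter is this example's own addition: it corresponds to appending something like `| where isnotnull(Pending) AND isnotnull(Finalized)` after the xyseries, which is what the question actually asked for (keep only ids that have both events). The field semantics are an approximation of Splunk's (values() returns distinct non-null values; events missing a by-field are dropped).

```python
# Added example: a Python model of
#   | stats values(Message) as Message by UniqueId Status
#   | xyseries UniqueId Status Message
# over key=value log lines. Not Splunk code; behaviour is approximated.
import re
from collections import defaultdict

# Constructed sample input: the three events from the question, plus one
# extra event (made up) with a different UniqueId to show the grouping.
SAMPLE_EVENTS = [
    'Message="Taken the response",UniqueId="329wey98fywe",Status=Pending',
    'Message="Process completed",UniqueId="329wey98fywe",Status=Finalized',
    'Message=,UniqueId="329wey98fywe",Status=Pending',
    'Message="Taken the response",UniqueId="other-id",Status=Pending',
]

# key="quoted value"  or  key=bareword  (comma-separated)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|[^,]*)')


def parse_event(raw):
    """Parse key=value pairs. An empty value (Message=) becomes None so it
    is treated like a missing field, which values() ignores."""
    fields = {}
    for m in KV_RE.finditer(raw):
        key = m.group(1)
        val = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = val if val != "" else None
    return fields


def stats_values_by(events, value_field, by_fields):
    """Model of: | stats values(<value_field>) as <value_field> by <by_fields>
    Groups events by the by-fields and collects the distinct non-null values.
    Events lacking any by-field are dropped, as stats does."""
    groups = defaultdict(set)
    for ev in events:
        key = tuple(ev.get(f) for f in by_fields)
        if any(k is None for k in key):
            continue
        bucket = groups[key]
        v = ev.get(value_field)
        if v is not None:
            bucket.add(v)
    return [dict(zip(by_fields, k), **{value_field: sorted(vs)})
            for k, vs in sorted(groups.items())]


def xyseries(rows, x_field, y_field, value_field):
    """Model of: | xyseries <x_field> <y_field> <value_field>
    One output row per x value, one column per distinct y value, holding
    the value_field for that (x, y) pair; missing cells stay None."""
    columns = sorted({r[y_field] for r in rows})
    table = {}
    for r in rows:
        row = table.setdefault(
            r[x_field], {x_field: r[x_field], **{c: None for c in columns}})
        row[r[y_field]] = r[value_field]
    return [table[k] for k in sorted(table)]


def combine_by_unique_id(raw_events, require_statuses=None):
    """The whole pipeline from the answer. require_statuses (this example's
    own addition) keeps only ids that have a non-empty cell for every
    listed status, i.e. ids for which all the wanted events were seen."""
    events = [parse_event(e) for e in raw_events]
    rows = stats_values_by(events, "Message", ["UniqueId", "Status"])
    table = xyseries(rows, "UniqueId", "Status", "Message")
    if require_statuses:
        table = [r for r in table if all(r.get(s) for s in require_statuses)]
    return table


if __name__ == "__main__":
    for row in combine_by_unique_id(SAMPLE_EVENTS):
        print(row)
    print("--- only ids with both Pending and Finalized ---")
    for row in combine_by_unique_id(SAMPLE_EVENTS, ["Pending", "Finalized"]):
        print(row)
```

Running it shows two rows (one per UniqueId) with a Pending and a Finalized column, the third event contributing nothing because its Message is empty; the filtered call drops the id that never reached Finalized, which is the "both events must match on uniqueId" behaviour the question wanted.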
Hello folks, I am getting multiple errors on the application & the customer wants to disable the error logger with suppression. Can you please guide me on how to find the class & method name for error suppression.

Thanks
I want to have a result in a table with 2 or 3 log events combined based on a unique key in all events and return 1 single row for all those events having the unique key in them. For all my log events I have a common unique key, for which I want to combine them and get them in the table as a single row for that unique key, and if the value for any column is not present then null for that particular cell in the table.

Log event 1: Message="Taken the response",UniqueId="329wey98fywe",Status=Pending
Log event 2: Message="Process completed",UniqueId="329wey98fywe",Status=Finalized
Log event 3: Message=,UniqueId="329wey98fywe",Status=Pending
Hi @livehybrid, thanks for this info and sample query; it helps me complete the query I needed.
OK, this is the source code:

<form version="1.1" script="solved3.js ,minor.js, warning.js , critical.js" theme="dark">
  <label>SBC Monitoring</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="srStatus">
      <label>Status</label>
      <choice value="1">solved</choice>
      <choice value="0">unsolved</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>solved=</valuePrefix>
      <delimiter> OR </delimiter>
      <default>0</default>
      <initialValue>1,0</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>MINOR EVENTS</title>
      <single>
        <search>
          <query>| inputlookup sbc_minor.csv | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x118832","0xd41f1f"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="minor">minor</set>
          <unset token="major"></unset>
          <unset token="critical"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>MAJOR EVENTS</title>
      <single>
        <search>
          <query>| inputlookup sbc_major.csv | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x118832","0xd41f1f"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="major">major</set>
          <unset token="minor"></unset>
          <unset token="critical"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>CRITICAL EVENTS</title>
      <single>
        <search>
          <query>| inputlookup sbc_critical.csv | search $srStatus$ | stats count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x118832","0xd41f1f"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="critical">critical</set>
          <unset token="major"></unset>
          <unset token="minor"></unset>
          <unset token="warning"></unset>
        </drilldown>
      </single>
    </panel>
    <panel>
      <title>WARNING EVENTS</title>
      <single>
        <search>
          <query>| inputlookup sbc_warning.csv | search $srStatus$ | stats count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x118832","0xd41f1f"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
        <drilldown>
          <set token="warning">warning</set>
          <unset token="major"></unset>
          <unset token="minor"></unset>
          <unset token="critical"></unset>
        </drilldown>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>MINOR ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM
| dedup S
| rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);"
| rex field=_raw "\[Time:(?&lt;Time&gt;.*)]"
| rex field=Time "(?&lt;date&gt;.*)@"
| rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)"
| rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]"
| rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)"
| table Alarm_Type Region message IP Severity Time date
| search Severity=minor
| stats count as Total by date
| appendpipe
    [ stats count
    | eval Message="No Minor Alerts"
    | where count==0
    | table Message
    | fields - Alarm_Type Region message IP Severity Time date]
| transpose 0
| eval allnulls=1
| foreach row*
    [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ]
| where allnulls=0
| fields - allnulls
| transpose 0 header_field=column
| fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>MAJOR ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM
| dedup S
| rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);"
| rex field=_raw "\[Time:(?&lt;Time&gt;.*)]"
| rex field=Time "(?&lt;date&gt;.*)@"
| rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)"
| rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]"
| rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)"
| table Alarm_Type Region message IP Severity Time date
| search Severity=major
| stats count as Total by date</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>CRITICAL ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM
| dedup S
| rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);"
| rex field=_raw "\[Time:(?&lt;Time&gt;.*)]"
| rex field=Time "(?&lt;date&gt;.*)@"
| rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)"
| rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]"
| rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)"
| table Alarm_Type Region message IP Severity Time date
| search Severity=critical
| stats count as Total by date
| appendpipe
    [ stats count
    | eval Message="No critical Alerts"
    | where count==0
    | table Message
    | fields - Alarm_Type Region message IP Severity Time date]
| transpose 0
| eval allnulls=1
| foreach row*
    [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ]
| where allnulls=0
| fields - allnulls
| transpose 0 header_field=column
| fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>WARNING ALERTS HISTORY</title>
      <chart>
        <search>
          <query>index=sbc-logs RAISE-ALARM
| dedup S
| rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);"
| rex field=_raw "\[Time:(?&lt;Time&gt;.*)]"
| rex field=Time "(?&lt;date&gt;.*)@"
| rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)"
| rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]"
| rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)"
| table Alarm_Type Region message IP Severity Time date
| search Severity=warning
| stats count as Total by date
| appendpipe
    [ stats count
    | eval Message="No Warning Alerts"
    | where count==0
    | table Message
    | fields - Alarm_Type Region message IP Severity Time date]
| transpose 0
| eval allnulls=1
| foreach row*
    [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ]
| where allnulls=0
| fields - allnulls
| transpose 0 header_field=column
| fields - column</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$minor$">
      <title>Minor Events</title>
      <table id="sbc_minor_table">
        <search>
          <query>| inputlookup sbc_minor.csv
| search $srStatus$
| eval Server_Name=case(IP == "10.2.96.35","US-SOU", IP == "10.82.10.245","KR-SEL", IP == "10.86.164.25","CN-SGH", IP == "10.86.68.25","CN-SHH", IP == "10.86.128.25","CN-SHA", IP == "10.20.41.90","DE-SLO", IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$major$">
      <title>Major Events</title>
      <table id="sbc_alarm_table">
        <search>
          <query>| inputlookup sbc_major.csv
| search $srStatus$
| eval Server_Name=case(IP == "10.2.96.35","US-SOU", IP == "10.82.10.245","KR-SEL", IP == "10.86.164.25","CN-SGH", IP == "10.86.68.25","CN-SHH", IP == "10.86.128.25","CN-SHA", IP == "10.20.41.90","DE-SLO", IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$critical$">
      <title>Critical Events</title>
      <table id="sbc_critical_table">
        <search>
          <query>| inputlookup sbc_critical.csv
| search $srStatus$
| eval Server_Name=case(IP == "10.2.96.35","US-SOU", IP == "10.82.10.245","KR-SEL", IP == "10.86.164.25","CN-SGH", IP == "10.86.68.25","CN-SHH", IP == "10.86.128.25","CN-SHA", IP == "10.20.41.90","DE-SLO", IP == "10.150.222.120","DE-BIE")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$warning$">
      <title>Warning Events</title>
      <table id="sbc_warning_table">
        <search>
          <query>| inputlookup sbc_warning.csv
| search $srStatus$
| eval Server_Name=case(IP == "10.2.96.35","US-SOU", IP == "10.82.10.245","KR-SEL", IP == "10.86.164.25","CN-SGH", IP == "10.86.68.25","CN-SHH", IP == "10.86.128.25","CN-SHA", IP == "10.20.41.90","DE-SLO", IP == "10.150.222.120","DE-BIE")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
OK, I successfully did a second attempt. There were 2 issues (which combined threw me off the track):

- There was an uncommitted role change for a server to be a search head (Monitoring Console -> General Settings). That (so I assume) was applied on the first activity, and later reverted before the second try.
- When changing the server name of the Manager Node, the search heads aren't able to verify the connection anymore (the name of the cert store does not fit anymore). Therefore they go missing in the Monitoring Console. You have to reset/reapply the connection credentials (Settings -> Distributed search -> Search peers).

I think the 1st issue resulted in the SHC going offline, because this did not happen on the second implementation. Problem solved.
@livehybrid Thanks again. Karma added to the post. Could you help or suggest on the connection timeout error with the Python script?
The edited app.conf has additional lines indicating the fact that the app was configured:

[install]
is_configured = true
state = enabled
allows_disable = false
install_source_checksum = <checksum>
Hi @MatiaFazio

Splunk ITSI is a licensed premium app which requires an additional license above a standard Splunk Ingest/SVC license. Has ITSI been included as part of your license with Splunk? The account team should enable the download for your account once an ITSI license has been issued. Either way, I think the best approach here is to reach out to your Splunk account team to discuss, as we aren't able to share restricted apps.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @MatiaFazio

The PowerConnect for SAP app needs to be approved for download against your Splunkbase account. This app is managed by PowerConnect themselves, so you may need to contact them via https://www.powerconnect.io/contact-us/ to be granted access to download the app on Splunkbase. Alternatively, I believe that Splunk can license this app out, so it's probably worth checking with your Splunk account team/manager first to see if you are already licensed for this and see if they are able to help.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing