Hi, I have bar chart powered by a query that uses an eval case pattern to group events into apps.  e.g., index=blah NOT "*test*" NOT "*exe*" Level=Error | eval AppName = case( (SourceName="Foo" AND Message="*Bar*"), "app1", (SourceName="Foo"), "app2", (source="Mtn" AND 'Properties.Service'="Barf"), "app3", (SourceName="Whatever" AND match(_raw, ".*Service = OtherThing.*")), "app4", ) | stats count as ErrorCount by AppName What I'd like to do is have each bar, when clicked, open a new window that shows the events corresponding to the app.  e.g., for the above example, the queries would be: index=blah NOT "*test*" NOT "*exe*" Level=Error (SourceName="Foo" AND Message="*Bar*") index=blah NOT "*test*" NOT "*exe*" Level=Error (SourceName="Foo") index=blah NOT "*test*" NOT "*exe*" Level=Error (source="Mtn" AND 'Properties.Service'="Barf") index=blah NOT "*test*" NOT "*exe*" Level=Error (SourceName="Whatever" AND match(_raw, ".*Service = OtherThing.*")) The problem I am having is how to make the drilldown xml node function thusly.  I thought I could use conditional tokens, but when condition nodes are in the drilldown node, I get an error saying "link cannot be condition", even though the link node is the last sibling of all the condition nodes. Please help! Thanks, Orion

Hello, I have just installed the ML toolkit for Splunk. However I keep getting this error when I attempt to create a fit model: "Error in 'fit' command: (ImportError) DLL load failed while importing _arpack: The specified procedure could not be found." I have installed the Python for Scientific Computing Module before this. I've already tried uninstalling and reinstalling, but I keep getting the same error. Any help would be much appreciated!  

Being fairly new to many features in Splunk, I wish to verify that the fields on 2 different hosts match for consistency. Here's a simple search to show the fields I'd like to verify.  What's the best way to go about this? index="postgresql" sourcetype="postgres" host=FLSM-ZEUS-PSQL-* | table host, node_name, node_id, active, type | where NOT isnull(node_name)   host node_name node_id active type FLSM-ZEUS-PSQL-02 flsm-zeus-psql-02 2 t standby FLSM-ZEUS-PSQL-02 flsm-zeus-psql-01 1 t primary FLSM-ZEUS-PSQL-01 flsm-zeus-psql-02 2 t standby FLSM-ZEUS-PSQL-01 flsm-zeus-psql-01 1 t primary  

  splunk 6.1 error and cannot search :   Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com....   The search job has failed due to an error. You may be able view the job in the Job Inspector   when i check settings->system->licensing and click "show all messages, there are 5 messages on Nov 3rd, 4th, 7th, 8th, 9th "This pool has exceeded its configured poolsize=21474836480 bytes. A warning has been recorded for all members"   How do we tshoot and resolve this to get search working again? We do not have an active splunk support contract.   Regards, Jason

Hi, is it possible to organize users by functional area for example : Security, IT, NetOps,.... In these areas, each team might monitor specific metrics related to their functional area, or they might monitor a general set of metrics for the specific systems they manage, or both.

Hi, Splunk Enterprise latest New to splunk. Ingesting from some appliances via Syslog on a UDP port. All is fine for INGESTING logs. Event numbers are actively increasing, however, when I go into "Search", it has completely stopped. For example, I have 50k events and a latest update of 10:52. I click on the data source "udp:9006" and the last event shown is from 10:30. Things were working great and in real time up until 10:30, then it just stops completely. Any ideas? Thanks