Hey Everyone, I currently have a dashboard the has two maps utilizing the "| geom geo_us_states featureIdField=State" and one maps utilizing cities, which i have the longitude and latitude for. For the cities maps, i currently have it in markers mode. Is there a way that when i hover over the cities, or click on them, it can display the count and field name associated with the count? For example, A = 10 B=12 and C=9 For the states map, is there a way to group certain states together to form a region? for example, California, Nevada, and Oregon are the western region and have them colored a certain way. Or is there an app i can download that can help me achieve this. I appreciate all the help!

Hello, Supposing you have a Search Head in Cloud, doing Federated Searches to other Search Heads on-prem, which is the compression ratio (if any)? I have found those useful information about compression between forwarders and Indexers, but not between Search Heads.   https://community.splunk.com/t5/Getting-Data-In/What-kind-of-compression-is-used-between-forwarders-and-indexers/m-p/103239 https://community.splunk.com/t5/Getting-Data-In/Forwarder-Output-Compression-Ratio-what-is-the-expected/m-p/69899 Splunk Cloud Platform Service Details - Splunk Documentation   Thanks a lot, Edoardo

Hello All, I'm receiving a warning from our InfoSec app that my data isn't CIM compliant.  We have FortiGate syslogs, Windows Domain Controller Security logs, and Carbon Black Cloud logs being sent to Splunk Cloud.   As far as I can tell, the logs being sent are CIM-compliant.  Is there anything else I can check?   Thanks, Doug

how to join 2 lookup files to combine all the rows.  I used this query but not giving proper values and used join/append no use. | inputlookup fileA table A E F |join  [ inputlookup fileB.csv] table E A B C One file data looks: A E F 234 CAR 2 456 BUS 3 Second file data: A B C 234 MON 3 234 TUES 4 234 WED 5 234 THUR 1 234 FRI 2 234 SAT 1 456 MON 3 456 TUES 4 456 WED 5 456 THUR 1 456 FRI 2 456 SAT 1 Final output be like : E A B C CAR 234 MON 3 CAR 234 TUES 4 CAR 234 WED 5 CAR 234 THUR 1 CAR 234 FRI 2 CAR 234 SAT 1 BUS 456 MON 3 BUS 456 TUES 4 BUS 456 WED 5 BUS 456 THUR 1 BUS 456 FRI 2 BUS 456 SAT 1 Thanks in Advance..!!

Hi, we have deployed a search head cluster with two search head and one deployer. when we run : /opt/splunk/bin/splunk apply shcluster-bundle -target  https://sh1.example.com:8089 we get the following message: Error when issuing rolling restart on the master: Internal Server Error{"messages":[{"type":"ERROR","text":"Rolling restart cannot be initiated without service_ready_flag = 1, check status through \"splunk show shcluster-status\". Reason :Waiting for 3 peers to register. (Number registered so far: 2)"}]} and when we run the following command: splunk show shcluster-status the initialized_flag equal 0.   Captain: dynamic_captain : 1 elected_captain : Wed Nov 8 13:05:58 2023 id : 84F622C1-C493-4A7C-B12B-D7EDBBCCD3A8 initialized_flag : 0 kvstore_maintenance_status : disabled label : sh2 mgmt_uri : https://sh2.example.com:8089 min_peers_joined_flag : 0 rolling_restart_flag : 0 service_ready_flag : 0 Members: sh2 label : sh2 mgmt_uri : https://sh2.example.com:8089 mgmt_uri_alias : https://sh2.example.com:8089 status : Up sh1-server label : sh1-server last_conf_replication : Pending mgmt_uri : https://sh1.example.com:8089 mgmt_uri_alias : https://sh1.example.com:8089 status : Up

I have the following search index=dsi_splunk host=dev_splunkmanager script=backup | stats earliest(_time) as debut by pid | convert timeformat="%d/%m/%Y %H:%M" ctime(debut)  The result is sorted as I need: I use this search as input for a dropdown on dashboard studio but de result is sorted differently: It seems the list is sorted by "value".   How may I have an unsorted dropdown to conserve the result order?   Thanks