This isn't a question, rather just a place to drop a PDF I put together that I titled "Bare Bones Splunk"   I've seen a lot of people try and get started with Splunk, but then get stuck right after getting Splunk Enterprise installed on their local machine. It can be daunting to log into Splunk for the first time and know what the heck you should do.  A person can get through the install to the What Happens Next page, and be pretty overwhelmed with what to do next: Learn SPL and search?  What should they search?  How should they start getting their data in?  What sort of data should I start getting in?  What dashboard should I build? They've started...but need that ah-ha example to see how this tool will fit into their existing environment and workflow. The attached Bare_Bones_Splunk.pdf file guides the reader from the point of install to using the data already being indexed in index=_internal to replicate a few common use cases of Splunk: Monitor a web server Monitor an application server Monitor security incidents The examples are really simple, and the resulting dashboard created in the tutorial is a poor example of something your boss might want (or not...how observant is your boss - do they just want a few graphs with nice colors?).  But, this will give someone a really quick intro to Splunk without having to do anything other than install (and then maybe they will be ready to tackle a broader introduction, like the Search Tutorial)

I have a user that requested me to look into some of his reports. He wanted the permission of report 2 to match with report 1. Both are owned by two different people, but two people with similar roles and access.   After we tweaked the settings for the report, being shared in the app, having read access by all, and write permissions to those with the appropriate roles, they are still having issues viewing and editing.    The owner of report 1 is the owner/creator of the report. The report runs as owner, and is shared globally. He doesn't have permissions to edit the actual alert.  He created the report initially, how come he cant edit it. I even cloned it and reassigned ownership, to no avail.  Report 1  runs as owner, while report 2 has the option to run as owner or as the user. How come one report has that option while the other one is locked to running as owner? As far as user two goes, his roles include permissions to the used indexes, as well as access to the app, default search app, and he has even more roles and permissions than user 1. Yet, he receives an error when trying to view the link that splunk sends out that has the attached report.  My question is, is there anywhere else I should be looking at in order to find permission discrepancies. From everything ive seen, both users have access to the required indexes, have pretty much soft-admin on splunk, and i assume they have viewed these in the past. From roles to users to capabilities, they have everything in order, or at least it seems. Is there something I should check in the configs?    Thanks for any guidance. 

I often run into a case where I find I need to take the same dataset and compute aggregate statistics on different group-by sets, for instance if you want the output of this:     index=example | stats avg(field1) by x,y,z | append [ index=example | stats perc95(field2) by a,b,c ]   I am using the case n=2 groupbys for convenience. In the general case there are N groupbys, and arbitrary stats functions... what is the best way to optimize this kind of query, without using append (which runs into subsearch limits)? Some of the patterns I can think of are below. One way is to use appendpipe.    index=example | appendpipe [ | stats avg(field1) by x,y,z ] | appendpipe [ | stats perc95(field2) by a,b,c ]   Unfortunately this seems kind of slow, especially once you start having to add more subsearches and preserving and passing  a large number of non-transformed events throughout the search. Another way is to use eventstats to preserve the events data, finishing it off with a final stats.   index=example | eventstats avg(field1) as avg_field1 by x,y,z | stats first(avg_field1) as avg_field1, perc95(field2) by a,b,c   Unfortunately this is not much faster. I think there is another way using streamstats in place of eventstats, but I still haven't figured out how to retrieve the last event without just invoking eventstats last() or relying on an expensive sort.   Another way I've tried is intentionally duplicating your data using mvexpand which has the best performance by far.    index=example ```Duplicate all the data``` | eval key="1,2" | makemv delim="," key | mvexpand key ```Set groupby = concatenation of groupby field values``` | eval groupby=case(key=1,x.",".y.",".z, key2=a.",".b.",".c, true(), null()) | stats avg(field1), perc95(field2) by groupby   Are there any other patterns that are easier/faster? I'm curious as to how Splunk processes things under the hood, I know something called "map-reduce" is part of it but would be curious to know if anyone knows how to optimize this computation and why it's optimal in a theoretical sense. 

Hi, I am trying to create a custom app using add-on builder.  In request I am looking to use global account details. but its throwing an error.  Not sure what I am missing here. Anyone know about this issue ? I am using latest version of Add-on builder. Reference  https://docs.splunk.com/Documentation/AddonBuilder/4.1.3/UserGuide/ConfigureDataCollectionAdvanced Thanks

I have a multiselect that does not interact with my Trellis chart. I would say; it's not defined in my base search but not sure how to identify the issue and how to fix? BASE Search: | eval Pat=spath(json, "Info.Pat.Time") | eval Con=spath(json, "Info.Con.Time") | eval Cov=spath(json, "Info.Cov.Time") | eval Category = RED | table _time, Pat, Con, Cov, Category  Mulit-Select: | eval SysTime = Category + ":" + _time | fields - Category | untable SysTime Reason CurationValue | eval Category = mvindex(split(SysTime, ":"), 0) | eval _time = mvindex(split(SysTime, ":"), 1) | fields - SysTime | table Reason | dedup Reason Chart: | search Category $t_category$ Reason $t_reason$ | timechart span=1h avg(Pat) as Pat, avg(Con) as Con, avg(Cov) as Cov