Hello, I'm not sure how to achieve this, or if it's possible.  I have a Column that I am using as a Status indicator in a table.  This is working, but, I would love to remove the # being displayed.  Is there a way to either change the text color based on the same Threshold I am using to change the Cell color or maybe a way to just hide the values being displayed? Here's what I currently have in the Dashboard Source <format type="color" field="Monitor"> <colorPalette type="list">[#53A051,#DC4E41]</colorPalette> <scale type="threshold">1</scale> </format> <format type="color" field="Count"> <colorPalette type="list">[#53A051,#DC4E41]</colorPalette> <scale type="threshold">1</scale> </format> <drilldown>   Here's the column I am referring too.   Thank you for any help on this one, much appreciated Tom  

Hello everyone, I'm having a hard time figuring this out.  I have a Search where I have created a Transaction in order to only display the "Create" events in a table.  This worked, but, I had to add a joiner in order to display a field from another search.  Since I did this, only the events that have values in the joiner field I used is displayed. I need help with how can I still show all of the events from the Transaction even though they don't have values from the joiner I used. Here's the Search I have created.  (I'm still learning all of the Search possibilities, so it might be ugly (integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" alert.message = "STORE*", alert.message != "*Latency" alert.message != "*Loss" action != "AddNote") OR (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration) | transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true | where closed_txn=0 | eval joiner=if(integrationName="Opsgenie Edge Connector - Splunk", alertAlias, x_86994_opsgenie_alert_alias) | stats values(*) as * by joiner | where alertAlias==x_86994_opsgenie_alert_alias | fields _time, alert.updatedAt, alert.message, alertAlias, alert.id, action, "alertDetails.Alert Details URL", _raw, closed_txn, _time, dv_number | eval Created=strftime(_time,"%m-%d-%Y %H:%M:%S") | rename alert.message AS "Branch" | rename "alertDetails.Alert Details URL" as "Source Link" | rename dv_number as Incident | table Created, Branch, "Source Link", Incident | sort by Created DESC   Thanks for any help on this one, Tom

Hi, I have a Splunk Enterprise installation composed of 3 clustered indexers. I need to forward all the events received on the 9997 port to an external system. Data must be indexed locally but also sent to this external system. I can't do this operation directly from universal forwarders because of network restrictions. Is there a way to achieve this goal on indexers side?

Hello Everyone, I have setup a SPLUNK OTEL COLLECTOR sidecar container along with my application container in AWS ECS Fargate to send APM traces to Splunk Observability Cloud. Everything seems working but I was trying to add some container health check to see if my sidecar container is healthy or not, I have added a basic script that should always pass the checks. I have tried running script/command after login in to a container and they are working perfectly fine but When I configure them as Part of my healthcheck they are failing.  Image: quay.io/signalfx/splunk-otel-collector:latest Command using for healthcheck:  "/usr/lib/splunk-otel-collector/agent-bundle/bin/curl -f http://localhost:13133 || exit 1"   Has anyone faced this issue before, please help.   Thanks