All Posts

Assuming your real data has valid json in (not this mangled version of it), you could start by extracting the parameter name/value pairs for each event.

    | eval parameters=json_array_to_mv(json_extract_exact(_raw,"parameters"))
    | streamstats count as row
    | mvexpand parameters
    | spath input=parameters
    | eval name="field_".trim(name,"@")
    | eval {name}=value
    | stats values(field_*) as * by row

If you have a common event id which identifies all these events to your single download event, you could stats by this id instead of row
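A worked example, added here and not part of the answer above, that mirrors the SPL's logic in Python over constructed audit events in the shape of the question's sample (placeholder values only). The correlation key, user plus accessDate truncated to the second, is an assumption standing in for the "common event id" the answer mentions.

```python
import json
from collections import defaultdict

# Constructed audit events in the shape of the question's sample; values are placeholders.
# Four events share one user and one clock second (the single download), one belongs to
# another user, so the collapse should yield two rows.
SAMPLE_EVENTS = [
    '{"storedProcedureName":"DocumentFileTypeGetById","parameters":[{"name":"@RETURN_VALUE","value":0},'
    '{"name":"@DocumentFileTypeId","value":7}],"accessDate":"2025-03-21T16:37:14.8614186-06:00",'
    '"userId":1234,"userName":"username"}',
    '{"storedProcedureName":"DocumentAttributeGetByDocumentTypeId","parameters":[{"name":"@RETURN_VALUE","value":0},'
    '{"name":"@DocumentTypeId","value":42},{"name":"@IncludeInactive","value":false}],'
    '"accessDate":"2025-03-21T16:37:14.8614186-06:00","userId":1234,"userName":"username"}',
    '{"storedProcedureName":"DocumentGetById","parameters":[{"name":"@RETURN_VALUE","value":0},'
    '{"name":"@DocumentId","value":555555}],"accessDate":"2025-03-21T16:37:14.8457543-06:00",'
    '"userId":1234,"userName":"username"}',
    '{"storedProcedureName":"DocumentVersionGetByFK","parameters":[{"name":"@RETURN_VALUE","value":0},'
    '{"name":"@DocumentId","value":555555}],"accessDate":"2025-03-21T16:37:14.736377-06:00",'
    '"userId":1234,"userName":"username"}',
    '{"storedProcedureName":"DocumentGetById","parameters":[{"name":"@RETURN_VALUE","value":0},'
    '{"name":"@DocumentId","value":777777}],"accessDate":"2025-03-21T16:40:01.0000000-06:00",'
    '"userId":9999,"userName":"other"}',
]


def extract_parameters(raw):
    """json_extract_exact(_raw,"parameters") | mvexpand | spath | eval name=trim(name,"@"):
    one {name: value} dict per event, the leading '@' stripped from each parameter name."""
    event = json.loads(raw)
    return {p["name"].strip("@"): p["value"] for p in event.get("parameters", [])}


def correlation_key(raw):
    """Assumption: no explicit event id exists, so user plus accessDate truncated to the
    second (the question notes the 12 events span three sub-second timestamps) groups the
    events of one download. Replace with the real id if the application emits one."""
    event = json.loads(raw)
    return (event["userId"], event["accessDate"][:19])


def collapse_download(raws):
    """stats values(field_*) as * by <key>: one row per download, every parameter name
    becomes a column holding the distinct values seen across the grouped events."""
    rows = defaultdict(lambda: defaultdict(set))
    for raw in raws:
        key = correlation_key(raw)
        for name, value in extract_parameters(raw).items():
            rows[key][name].add(value)
    return {key: {n: sorted(v, key=str) for n, v in cols.items()} for key, cols in rows.items()}


if __name__ == "__main__":
    for key, cols in collapse_download(SAMPLE_EVENTS).items():
        print(key, cols)
```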
Hello guys, I'd like to hide the external border lines of a panel when I hover over each panel. By default, external border lines appear on a mouseover. Can anyone help me disable this default feature (even the small tooltip can also be disabled, if possible)? Thanks
@mark_groenveld The rex does work with the "events" you shared (as demonstrated below)

    | makeresults
    | fields - _time
    | eval _raw="{\"CLUSTER1.COM\",\"viewSiteAsUser.hasAccess\":true} {\"CLUSTER_VIP\":\"CLUSTER1.COM\"}"
    | multikv noheader=t
    | fields _raw
    | rex field=_raw "(?<ClusterVal>CLUSTER[0-9]+)"

Please share more events where the rex "did not work"
This has been scratching my head. I'm working on dashboards on user activity on our application. Across multiple dashboards I am working on, I'm trying to report when an external document was downloaded that is tied to the specific module of our application. Our application uses SQL. When I download an external document in our application, it generates a total of 12 separate events. I set up field extractions on the DocumentId, DocumentTypeId, and DocumentFileTypeId. What I am trying to do with the 12 separate events is to show in one event the DocumentTypeId, DocumentId and DocumentFileTypeId (not as much needed). The DocumentTypeId is my primary event since it's tied to the dashboard for the specific module, followed by the DocumentId. The DocumentTypeId tells me what the file is pertaining to in the system, DocumentFileTypeId if it's a PDF or a different type, and the DocumentTypeId is the document number in SQL. For the time, I am using _time instead of accessDate in the events. All 12 were from the single download, even with the three accessDate times. I've tried a few different commands and searches now and just can't seem to get it to report correctly. When I think I have it correct, it's not the case when I expand the search range, where for example all my Document Ids would also list the same DocumentTypeId, which I verified against the DB to be incorrect when I used the join command. These are the raw events that were exported and sanitized for the post. The events have valid _json.
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentFileTypeGetById","commandText":"ref.DocumentFileTypeGetById","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentFileTypeId","value":7}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8614186-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentAttributeGetByDocumentTypeId","commandText":"ref.DocumentAttributeGetByDocumentTypeId","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentTypeId","value":00},{"name":"@IncludeInactive","value":false}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8614186-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentDetailGetByParentId","commandText":"ref.DocumentDetailGetByParentId","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8614186-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentStatusHistoryGetByFK","commandText":"ref.DocumentStatusHistoryGetByFK","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentVersionId","value":000000},{"name":"@IncludeInactive","value":""}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8614186-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentVersionGetByFK","commandText":"ref.DocumentVersionGetByFK","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8614186-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentLinkGetByFK","commandText":"ref.DocumentLinkGetByFK","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8614186-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentGetById","commandText":"ref.DocumentGetById","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8457543-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentFileTypeGetById","commandText":"ref.DocumentFileTypeGetById","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentFileTypeId","value":7}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.736377-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain","method":"ViewDocument"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"GetLatestDocumentwithoutAttributes"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentStatusHistoryGetByFK","commandText":"ref.DocumentStatusHistoryGetByFK","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentVersionId","value":000000},{"name":"@IncludeInactive","value":""}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.736377-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain","method":"ViewDocument"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"GetLatestDocumentwithoutAttributes"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentVersionGetByFK","commandText":"ref.DocumentVersionGetByFK","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.736377-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain","method":"ViewDocument"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"GetLatestDocumentwithoutAttributes"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentLinkGetByFK","commandText":"ref.DocumentLinkGetByFK","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.736377-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain","method":"ViewDocument"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"GetLatestDocumentwithoutAttributes"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentGetById","commandText":"ref.DocumentGetById","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.736377-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain","method":"ViewDocument"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"GetLatestDocumentwithoutAttributes"}]}
@livehybrid Thanks for this detailed explanation. This helped me as well.
I'm looking for training that would cover when deploying a TA would have to go to the indexer level rather than the HF or the search head. I know the HF usually gets the "Add-on" version of a TA; I just ran across a certain circumstance recently where I was told I'd have to deploy a TA to the indexer level. I know there's the Splunk Certified Admin training on Udemy. There's also the Splunk Enterprise Certified Admin training directly from Splunk. Would either of those or something else cover what I'm looking for? Thanks
Hello all, I am trying to understand the type of the fields command. Documentation says it is "distributable streaming", which means it can be run on the indexer, which improves processing time. If I use the fields command to specify fields which are extracted in the search head (using field discovery, for example), how can it still be considered distributable streaming? If I am not mistaken, field extraction on the indexers is possible using the rex command or with indexed fields. Thank you in advance!
One way you could do this is by appending the color code to the values of AverageExecutionTime (making it a multi-value field), then reference that color code value in the colorPalette expression, then throw in some CSS to hide the color code in the multi-value field:

<row>
  <panel>
    <html depends="$hidecsspanel$">
      <style>
        #ColoredTable table tbody td div.multivalue-subcell[data-mv-index="1"]{ display: none; }
      </style>
    </html>
    <title>TEST XRT Execution Dashboard</title>
    <table id="ColoredTable">
      <search>
        <query>index="aws_app_corp-it_xrt" sourcetype="xrt_log" "OK/INFO - 1012550 - Total Calc Elapsed Time"
| rex field=source "(?&lt;Datetime&gt;\d{8}_\d{6})_usr@(?&lt;Username&gt;[\w\.]+)_ses@\d+_\d+_MAXL#(?&lt;TemplateName&gt;\d+)_apd@(?&lt;ScriptName&gt;[\w]+)_obj#(?&lt;ObjectID&gt;[^.]+)\.msh\.log"
| rex "Total Calc Elapsed Time\s*:\s*\[(?&lt;calc_time&gt;\d+\.\d+)\]\s*seconds"
| stats avg(calc_time) as AverageExecutionTime max(calc_time) as MaxExecutionTime by ScriptName, ObjectID, TemplateName
| eval AverageExecutionTime = round(AverageExecutionTime, 0)
| lookup script_tresholds ObjectID ScriptName MaxLTemplate as "TemplateName" OUTPUT Threshold AS "Treshold"
| eval colorCode = if(AverageExecutionTime > Treshold, "#D94E17", "#55C169")
| table ScriptName, AverageExecutionTime, MaxExecutionTime, Treshold, ObjectID, TemplateName, colorCode
| search $ScriptName$ $ObjectID$
| sort - AverageExecutionTime
| eval AverageExecutionTime = mvappend(AverageExecutionTime,colorCode)
| fields - colorCode</query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="AverageExecutionTime">
        <colorPalette type="expression">mvindex(value,1)</colorPalette>
      </format>
    </table>
  </panel>
</row>
Thanks for posting livehybrid.  The rex did not work.  Karma points to you for giving it a go 
Technically, yes, but everything is a little re-arranged in the code. My tabs and items tags are at the very bottom of the page. I'll see if I can line it up to match what you have here and see if it works.
I see that the serverName already has the default value as $HOSTNAME (the docs of server.conf mentioned it), so it means that I can just delete the key-value pair, right?
In our environment, we have kept the modular input in the DS under deployment apps and pushed it to the HF using a serverclass. Is this the issue? Do modular inputs need to be installed directly on the HF rather than pushed from the DS?
Thank you very much! I think I've got it working as intended now!
Okay @Na_Kang_Lim So the manual approach is to update the $SPLUNK_HOME/etc/instance.cfg and replace the guid = <oldGuid> with a new random guid. Then update the $SPLUNK_HOME/etc/system/local/server.conf and change the serverName under the [general] stanza. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
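An added example of the two manual edits just described, not from the answer above or from Splunk: it regenerates the guid in instance.cfg and rewrites serverName under [general] in server.conf. The sample file contents are constructed placeholders; the edits are meant to be applied with splunkd stopped.

```python
import re
import uuid
from typing import Optional, Tuple

# Constructed sample contents of $SPLUNK_HOME/etc/instance.cfg and
# $SPLUNK_HOME/etc/system/local/server.conf from a cloned forwarder (placeholders only).
INSTANCE_CFG = """[general]
guid = 11111111-2222-3333-4444-555555555555
"""

SERVER_CONF = """[general]
serverName = cloned-forwarder-template
pass4SymmKey = $7$placeholder

[sslConfig]
sslPassword = $7$placeholder
"""

# Matches the guid line only; [ \t] rather than \s so the line's newline is left untouched.
GUID_RE = re.compile(r"^(?P<key>[ \t]*guid[ \t]*=[ \t]*)(?P<old>\S+)[ \t]*$", re.MULTILINE)


def regenerate_guid(instance_cfg: str, new_guid: Optional[str] = None) -> Tuple[str, str]:
    """Replace the guid in instance.cfg with a fresh random UUID (uuid4 unless one is given).
    Returns (new file text, new guid); raises if the file has no guid line."""
    fresh = new_guid or str(uuid.uuid4())
    text, n = GUID_RE.subn(lambda m: m.group("key") + fresh, instance_cfg, count=1)
    if n != 1:
        raise ValueError("no 'guid = ...' line found in instance.cfg")
    return text, fresh


def set_server_name(server_conf: str, name: str) -> str:
    """Set serverName under [general] in server.conf, adding the key (or the whole
    stanza) when it is absent, and leaving every other stanza untouched."""
    out, in_general, seen_general, done = [], False, False, False
    for line in server_conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_general and not done:          # [general] ended without a serverName
                out.append(f"serverName = {name}")
                done = True
            in_general = stripped == "[general]"
            seen_general = seen_general or in_general
        elif in_general and not done and re.match(r"^[ \t]*serverName[ \t]*=", line):
            line = f"serverName = {name}"
            done = True
        out.append(line)
    if not done:                                 # [general] was last, or missing entirely
        if not seen_general:
            out.append("[general]")
        out.append(f"serverName = {name}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # With splunkd stopped, write these results back to the two files, then start splunkd.
    cfg, guid = regenerate_guid(INSTANCE_CFG)
    print(cfg, set_server_name(SERVER_CONF, "fwd-host01"), sep="")
```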
Thank you for your detailed automation solution! Then what about the manual solution? If I were to write a guide for the owners of the server, what do I need them to do, and what do I have to do too? And yes, I am having both a duplicate Instance GUID and Instance Name! The hostname of course is not the same, I believe it takes the Computer Name of the Host, but the Instance GUID and Instance Name do duplicate!
Hello, I'm having a problem with the colouring of a column in my table. I need to colour the AverageExecutionTime column according to the value of Treshold. If AverageExecutionTime > Treshold then the AverageExecutionTime column is coloured red. If AverageExecutionTime < Treshold then the AverageExecutionTime column is coloured green. I've tried lots of things but it doesn't work, the condition isn't respected, and AverageExecutionTime is always coloured green. The first line should be in red.

<row>
  <panel>
    <title>XRT Execution Dashboard</title>
    <table>
      <search>
        <query>index="aws_app_corp-it_xrt" sourcetype="xrt_log" "OK/INFO - 1012550 - Total Calc Elapsed Time"
| rex field=source "(?&lt;Datetime&gt;\d{8}_\d{6})_usr@(?&lt;Username&gt;[\w\.]+)_ses@\d+_\d+_MAXL#(?&lt;TemplateName&gt;\d+)_apd@(?&lt;ScriptName&gt;[\w]+)_obj#(?&lt;ObjectID&gt;[^.]+)\.msh\.log"
| rex "Total Calc Elapsed Time\s*:\s*\[(?&lt;calc_time&gt;\d+\.\d+)\]\s*seconds"
| stats avg(calc_time) as AverageExecutionTime max(calc_time) as MaxExecutionTime by ScriptName, ObjectID, TemplateName
| eval AverageExecutionTime = round(AverageExecutionTime, 3)
| lookup script_tresholds ObjectID ScriptName MaxLTemplate as "TemplateName" OUTPUT Threshold AS "Treshold"
| table ScriptName, AverageExecutionTime, MaxExecutionTime, Treshold, ObjectID, TemplateName
| search $ScriptName$ $ObjectID$ $TemplateName$
| sort - AverageExecutionTime</query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <!--format type="color" field="AverageExecutionTime">
        <colorPalette type="expression">
          <mapping field="AverageExecutionTime">
            if(AverageExecutionTime > Treshold, "#D94E17", "#55C169")
          </mapping>
        </colorPalette>
      </format-->
      <!-- Conditional colouring -->
      <option name="count">100</option>
      <option name="drilldown">cell</option>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="Color">
        <colorPalette type="map">{"High":"#D94E17", "Low":"#55C169"}</colorPalette>
      </format>
      <drilldown>
        <condition field="ScriptName">
          <link target="_blank">/app/search/dev_vwt_dashboards_uc31_details?ScriptName=$row.ScriptName$&amp;Script_Execution_Details=true&amp;earliest=$earliest$&amp;latest=$latest$</link>
        </condition>
      </drilldown>
    </table>
  </panel>
</row>
<row>
  <panel>
    <title>TEST XRT Execution Dashboard</title>
    <table>
      <search>
        <query>index="aws_app_corp-it_xrt" sourcetype="xrt_log" "OK/INFO - 1012550 - Total Calc Elapsed Time"
| rex field=source "(?&lt;Datetime&gt;\d{8}_\d{6})_usr@(?&lt;Username&gt;[\w\.]+)_ses@\d+_\d+_MAXL#(?&lt;TemplateName&gt;\d+)_apd@(?&lt;ScriptName&gt;[\w]+)_obj#(?&lt;ObjectID&gt;[^.]+)\.msh\.log"
| rex "Total Calc Elapsed Time\s*:\s*\[(?&lt;calc_time&gt;\d+\.\d+)\]\s*seconds"
| stats avg(calc_time) as AverageExecutionTime max(calc_time) as MaxExecutionTime by ScriptName, ObjectID, TemplateName
| eval AverageExecutionTime = round(AverageExecutionTime, 0)
| lookup script_tresholds ObjectID ScriptName MaxLTemplate as "TemplateName" OUTPUT Threshold AS "Treshold"
| eval colorCode = if(AverageExecutionTime > Treshold, "#D94E17", "#55C169")
| table ScriptName, AverageExecutionTime, MaxExecutionTime, Treshold, ObjectID, TemplateName, colorCode
| search $ScriptName$ $ObjectID$
| sort - AverageExecutionTime</query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="AverageExecutionTime">
        <colorPalette type="expression">if(AverageExecutionTime &gt; Treshold,"#D94E17", "#55C169")</colorPalette>
      </format>
    </table>
  </panel>
</row>
Hi @DaClyde It's worth viewing the dashboard source and looking for the "layout" section. Do you have a "layoutDefinitions" with "layout_1" and then a "type" containing a value? Similar to this?

"layout": {
  "tabs": {
    "items": [
      {
        "layoutId": "layout_1",
        "label": "New tab"
      }
    ]
  },
  "layoutDefinitions": {
    "layout_1": {
      "type": "absolute",
      "options": {
        "height": 1185,
        "display": "auto-scale",
        "backgroundColor": "#C8DAE0"
      },
      "structure": [
        {
          ...

Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
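An added check, not from the answer above and not a Splunk tool, that walks a Dashboard Studio definition the way the answer suggests doing by eye: every tab's layoutId must resolve to a layoutDefinitions entry carrying a type. The sample definition is constructed (its second tab points at a layout that is never defined), and the assumption that a dashboard without tabs carries type directly under layout is mine.

```python
import json

# Constructed definition fragment in the shape quoted above; "layout_2" is deliberately
# missing from layoutDefinitions to show what the check reports.
DASHBOARD_DEF = json.loads("""{
  "layout": {
    "tabs": {"items": [
      {"layoutId": "layout_1", "label": "New tab"},
      {"layoutId": "layout_2", "label": "Details"}
    ]},
    "layoutDefinitions": {
      "layout_1": {"type": "absolute",
                   "options": {"height": 1185, "display": "auto-scale"},
                   "structure": []}
    }
  }
}""")


def check_layouts(definition):
    """Return a list of problems (empty means the layout section looks consistent).
    With tabs, each tabs.items[].layoutId must exist in layoutDefinitions and have a 'type'.
    Assumption: a definition without tabs is a single-layout dashboard whose 'type'
    sits directly under 'layout'."""
    problems = []
    layout = definition.get("layout")
    if not isinstance(layout, dict):
        return ["definition has no 'layout' object"]
    tabs = layout.get("tabs")
    if tabs is None:
        if "type" not in layout:
            problems.append("layout has no 'type'")
        return problems
    defs = layout.get("layoutDefinitions", {})
    items = tabs.get("items", [])
    if not items:
        problems.append("tabs.items is empty")
    for item in items:
        lid = item.get("layoutId")
        label = item.get("label")
        if lid not in defs:
            problems.append(f"tab {label!r} references undefined layout {lid!r}")
        elif "type" not in defs[lid]:
            problems.append(f"layout {lid!r} has no 'type'")
    return problems


if __name__ == "__main__":
    for problem in check_layouts(DASHBOARD_DEF):
        print(problem)
```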
Unfortunately, we had some issues with a recent Splunk upgrade to 9.4.1 and had to roll back to 9.3.2. However, I had just built a dashboard in Studio 9.4.1 with some drill down, but after the roll back, now I just get this helpful message: "Layout undefined is not defined". Any ideas what was added to Studio in 9.4.x that wouldn't be compatible with 9.3.x? The only part of the dashboard that is loading is the time picker. If I view the source, everything is still there.
Excellent, let us know how you get on Will
You could start with something like this and narrow down as required:

    index=_internal host=<YourServerName> log_level=Error

Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will