Thanks. Next time when you paste something, please use the </> code block to avoid character changes etc. Based on those, I suppose that your data doesn't have the correct values you are looking for. You should check it by clicking the magnifying glass in the bottom right corner of your dashboard's individual panel. This opens exactly the same search in a separate window/tab and you can see what events it found. Then you can debug it by e.g. commenting rows away from bottom to top.
Here is the source code all together for those panels - left to right, might be easier to debug

<row>
  <panel>
    <chart>
      <title>SchedConnect Messages to [nnnnn]</title>
      <search>
        <query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | timechart count by DR1</query>
        <earliest>$TimePickerKielToken.earliest$</earliest>
        <latest>$TimePickerKielToken.latest$</latest>
        <refresh>1m</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.legend.placement">right</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
  <panel>
    <chart>
      <title>SchedConnect Messages to {nnnnn]</title>
      <search>
        <query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYY | timechart count by DR1</query>
        <earliest>$TimePickerKielToken.earliest$</earliest>
        <latest>$TimePickerKielToken.latest$</latest>
        <refresh>1m</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisTitleY2.visibility">visible</option>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.legend.placement">right</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
  <panel>
    <chart>
      <title>SchedConnect Messages to [nnnnn]</title>
      <search>
        <query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | timechart count by DR1</query>
        <earliest>$TimePickerKielToken.earliest$</earliest>
        <latest>$TimePickerKielToken.latest$</latest>
        <refresh>1m</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">all</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
Here is the source for the 1st panel

<row>
  <panel>
    <chart>
      <title>SchedConnect Messages to [nnnnn]</title>
      <search>
        <query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | timechart count by DR1</query>
        <earliest>$TimePickerKielToken.earliest$</earliest>
        <latest>$TimePickerKielToken.latest$</latest>
        <refresh>1m</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.legend.placement">right</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
  <panel>
    <chart>
Here is the source for the 2nd panel

    <chart>
      <title>SchedConnect Messages to {nnnn]</title>
      <search>
        <query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | timechart count by DR1</query>
        <earliest>$TimePickerKielToken.earliest$</earliest>
        <latest>$TimePickerKielToken.latest$</latest>
        <refresh>1m</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisTitleY2.visibility">visible</option>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.legend.placement">right</option>
      <option name="refresh.display">progressbar</option>
      <option name="trellis.enabled">0</option>
      <option name="trellis.size">medium</option>
    </chart>
  </panel>
  <panel>
    <chart>
This is panel 2 [the one showing NULL]  
This is panel 1  
Are you sure that those queries are used on those panels? Or is there some other filtering after those queries which removes all results? Can you share those panels' source and also your sample data (with anonymized values when needed)?
OK. Yes. I found it. https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges#Set_up_the_deployer

"Deploy to multiple clusters
The deployer sends the same configuration bundle to all cluster members that it services. Therefore, if you have multiple search head clusters, you can use the same deployer for all the clusters only if the clusters employ exactly the same configurations, apps, and so on. If you anticipate that your clusters might need different configurations over time, set up a separate deployer for each cluster."

But honestly, I can't think of any reasonable use case for this.
Thanks, but neither of those seems to work; I still get NULL even though there are messages. This is very frustrating.
Did the installation verification give any other reason why it couldn't succeed? But as already said, you must create a support ticket.
Based on the documentation this is a supported configuration. There could be several SHCs served by one deployer, but all those SHCs must have an equal configuration. Of course they can have different numbers of members and those sizes could be different in every SHC. But honestly said, I couldn't find any real use cases for this. The only one which comes to mind is that those SHCs have different user bases and some configuration is managed with the SHC GUI (which is not wise). Definitely it's a better and easier way that every SHC has its own deployer. Using one deployer with several SHCs will be a road to issues.
Here is your original search

    index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | timechart count by DR1

You should do it like

    index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY DR1=* | timechart count by DR1

or

    index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | eval DR1 = coalesce(DR1, "DR1 N/A") | timechart count by DR1

https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/ConditionalFunctions#coalesce.28.26lt.3Bvalues.29
Here are the events from left to right for the 3 panels. So here the DR1 is not showing, but the 1st and 3rd panels work and the middle one does not. The characters in the RED box are what the DR1 is looking for, either SSM or ASM.
Hi @gcusello,

Thanks for the quick reply! I am new to this, where would I add the DR1=* in my search? Also, not all the panels have the DR1 in their events but they still work. This is part of why I don't understand why some work and not others.
Hi @DarrellR, are you sure that all the events have the DR1 field? You could try to add DR1=* to the main search. Ciao. Giuseppe
I have created a dashboard that reads an MQ flow that contains messages to different vendors. I have created panels for the different vendors and am trying to group the messages for each of those vendors. Each vendor will receive 2 message types, ASM and SSM. 2 panels work but the other does not; it only returns NULL yet there are messages. The search is exactly the same for all three with the exception of the vendor address. Here is the search:

    index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | timechart count by DR1

The XXXXXX is the vendor address and .YYYYYYY is the sender address. The sender address will stay the same, but each panel will have a different XXXXXX value. I can not figure out why only that 1 does not work and returns NULL when it receives basically the same messages, just with a different XXXXXX value. I hope someone here can help me.
I forgot to mention that you also need to comment out the line in the systemd unit file that reaches out to GitHub, because the failure of that line causes the whole startup to fail.
Open a case with Splunk Support.
Honestly, I've never heard about such a possibility. Since you're bootstrapping a SHC member from a deployer, how would you decide which SH is a part of which cluster? Also, if you're applying the shcluster bundle, you're pushing it to one member and letting the others replicate their config from there. How would you expect to do it with two SHCs? (OK, you could do the push explicitly to two different SHs, but I'm not sure if that would work.) Why do you even want to do something like that? If you have enough machines and they are supposed to have the same config, why not create a single SHC?
It is also worth remembering that some sources can have their specific characteristics. For example, if you're getting WEF-forwarded events in pull mode, you can receive events in batches every 15 or 30 minutes. For other sources there can be a significant jitter in event delay, so they can be backfilling your indexes past the search window. These are just some specific examples of the general issues raised earlier. So there is no single answer that fits all possible cases.
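The detection gap described in the post above, modelled as an added example that is not part of the thread and not Splunk's own code: a scheduled search whose window is keyed on event time (_time) never sees events that a batching WEF collector indexes late, while the same window keyed on index time (_indextime) does. The events, the 30-minute WEF batch and the 15-minute schedule are constructed sample data; the Splunk field names are only used as labels for the two timestamps.

```python
# Added example (not from the thread or from Splunk): a small model of how a
# scheduled search keyed on event time (_time) misses events that are indexed
# late, and how keying the window on index time (_indextime) does not.
# All events below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def minutes(n):
    """Clock time n minutes after T0."""
    return T0 + timedelta(minutes=n)


@dataclass(frozen=True)
class Event:
    time: datetime        # _time: when the event occurred on the source
    index_time: datetime  # _indextime: when the indexer actually wrote it
    source: str
    msg: str


# Constructed sample: a syslog source indexed within about a minute, and a
# WEF pull-mode host whose collector ships one batch every 30 minutes.
SAMPLE_EVENTS = [
    Event(minutes(1), minutes(2), "syslog", "sshd: Accepted publickey for ops"),
    Event(minutes(3), minutes(30), "wef", "4625 logon failure"),
    Event(minutes(9), minutes(10), "syslog", "sshd: Failed password for root"),
    Event(minutes(12), minutes(30), "wef", "4624 logon success"),
    Event(minutes(20), minutes(21), "syslog", "sudo: ops : TTY=pts/0"),
    Event(minutes(25), minutes(30), "wef", "4720 user account created"),
]


def scheduled_run(events, run_at, window, by="time"):
    """One run of a cron-style search at run_at over [run_at - window, run_at).

    Only events already indexed at run_at exist, so index_time <= run_at is
    always required. 'by' selects whether the window is applied to _time
    (earliest/latest) or to _indextime (_index_earliest/_index_latest).
    """
    earliest = run_at - window
    key = (lambda e: e.time) if by == "time" else (lambda e: e.index_time)
    return [e for e in events
            if e.index_time <= run_at and earliest <= key(e) < run_at]


def simulate_schedule(events, runs, window_min, by="time"):
    """Run the search every window_min minutes for `runs` runs.

    Returns (seen, missed): messages some run returned, and messages that no
    run ever returned even though they are in the index by the end.
    """
    window = timedelta(minutes=window_min)
    seen = set()
    for i in range(1, runs + 1):
        run_at = minutes(i * window_min)
        seen.update(e.msg for e in scheduled_run(events, run_at, window, by))
    missed = {e.msg for e in events} - seen
    return seen, missed


def max_ingest_lag(events):
    """Worst-case _indextime - _time per source: the extra lookback a
    _time-keyed window would need to be safe for that source."""
    lag = {}
    for e in events:
        lag[e.source] = max(lag.get(e.source, timedelta(0)), e.index_time - e.time)
    return lag


if __name__ == "__main__":
    for by in ("time", "index_time"):
        seen, missed = simulate_schedule(SAMPLE_EVENTS, runs=3, window_min=15, by=by)
        print(f"window on {by}: {len(seen)} seen, missed={sorted(missed)}")
    print({s: str(d) for s, d in max_ingest_lag(SAMPLE_EVENTS).items()})
```

With the window on _time, the two WEF events whose _time falls in the first 15 minutes but which land in the index at minute 30 are never returned by any run: by the time they exist, the schedule has moved on. With the window on _indextime every event is returned exactly once. In Splunk terms the equivalent of the second mode is adding _index_earliest/_index_latest to the scheduled search; the alternative is to widen the _time lookback by the worst-case lag of the slowest source (the max_ingest_lag figure) and accept overlapping windows.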