All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

I used the default cron schedule that is listed in Splunk's documentation. What would I need to set so it goes off as soon as there is a match? 
@livehybrid's idea is one possible way. Another way would be to render one bigger dashboard and use some clever CSS/JS to slide the contents within the visible area.
I am trying to suppress some specifc exceptions in Business transactions until the developers can handle them in code, because they are messing up my Availability percentages. And although I seem to... See more...
I am trying to suppress some specifc exceptions in Business transactions until the developers can handle them in code, because they are messing up my Availability percentages. And although I seem to be able to suppress the errors so that they don't show up in the Tier counting against availability, the seem to continue to show up in the Business Transaction, and in Service Endpoints. If I have successfully suppressed an exception so that it no longer counts against Availabilty in the Tier, should that error also be suppressed in Business Transactions and Service Endpoints? I need to have them suppressed in the Service Endpoints, primarily, because I have Custom Service Endpoints set up for api calls for particular clients, for example.  But even though I suppress the errors so that they no longer show up in the tier, they still show up in BT's and SEP's. Is there a way to suppress an error so that it no longer counts as an error in BT's and SEP's? Thanks.
mvdedup() helps. Thanks.  Still there is a one more question. If I have mvalues in manager name column, and both names are same. I want to let it be the same but want to display in separate lines.... See more...
mvdedup() helps. Thanks.  Still there is a one more question. If I have mvalues in manager name column, and both names are same. I want to let it be the same but want to display in separate lines. What to do?
If you edit the source of the dashboard you should be able to find a section called "layout" within the JSON, as below.  Adjust the "w" value for each of your visualization to 1/3 of the "width" val... See more...
If you edit the source of the dashboard you should be able to find a section called "layout" within the JSON, as below.  Adjust the "w" value for each of your visualization to 1/3 of the "width" value (in my case 1440/3 = 480). Set the second viz "x" position to 480 and the third viz "x" position to 2x480 (960) and this should give you an even 1/3 split. It doesnt look like there is an easier way (ie it "snapping" to 1/3 grid size) unfortunately. "layout": { "type": "grid", "options": { "width": 1440, "height": 960, "display": "auto" }, "structure": [ { "item": "viz_NFlIOSoJ", "type": "block", "position": { "x": 0, "y": 0, "w": 480, "h": 250 } }, { "item": "viz_ZN3u7AG0", "type": "block", "position": { "x": 480, "y": 0, "w": 480, "h": 250 } }, { "item": "viz_6G8sJ2GL", "type": "block", "position": { "x": 960, "y": 0, "w": 480, "h": 250 } } ], "globalInputs": [ "input_global_trp" ] },   I hope this helps!
I know this is an older post, but we are experiencing the same issue, and are using the same curl statement parameters.  What did the support team do to correct the issue for you?
Dashboard studio gives me the ability to drop panels and and move them around, which I love.  I can drag a panel on top of another and quickly create two equal size panels, each 50% of the size of th... See more...
Dashboard studio gives me the ability to drop panels and and move them around, which I love.  I can drag a panel on top of another and quickly create two equal size panels, each 50% of the size of the dashboard.  If I drag a 3rd panel into the same area though, I get three panels, one of which is 50% of the screen, and the other two are 25% each.  Is it possible to get them to be three equal sizes (~33%) or is my only option to fiddle with the sliders a bit and settle for good enough?
@JLange  you're welcome 
The way we've achieved this in the past is to use a "Tab Rotator" browser extension and then open the intended dashboards in different tabs of the browser, rotating between. You will also need to en... See more...
The way we've achieved this in the past is to use a "Tab Rotator" browser extension and then open the intended dashboards in different tabs of the browser, rotating between. You will also need to ensure that the refresh on your dashboard searches is configured to refresh at the desire interval. For Dashboard Studio dashboard you can set the following within the "options" JSON object for each of your searches: "refresh": "30s"  For XML dashboard set the refresh attribute in your <dashboard> or <form> stanza. See docs for more info I hope this helps! Will
I have few Dashboards in splunk I want to play them on TV. Expectation is dashboard 1 will be shown then after 1 sec gap dashboard 2 will appear on screen then again pause for few seconds and dashbo... See more...
I have few Dashboards in splunk I want to play them on TV. Expectation is dashboard 1 will be shown then after 1 sec gap dashboard 2 will appear on screen then again pause for few seconds and dashboard 3 will come.   if not possible through splunk then how can I achieve this?  
Hi @isoutamo ,   I will do that next time I post, thank you.  I have checked the search and aside from the XXXXXX values being the address for the different vendors, each panel uses the exact same ... See more...
Hi @isoutamo ,   I will do that next time I post, thank you.  I have checked the search and aside from the XXXXXX values being the address for the different vendors, each panel uses the exact same search, it is just for 1 I get NULL values even though the messages are there when I look at the events
Thanx. Next time when you paste something please use </> code block to avoid character changes etc.  Based on those I suppose that your data haven't correct values what you are looking for. You shou... See more...
Thanx. Next time when you paste something please use </> code block to avoid character changes etc.  Based on those I suppose that your data haven't correct values what you are looking for. You should check it by clicking magnifying class on right bottom corner of your dashboard's individual panel. This opens exactly same search you to separate window/tab and you can see what events it found. Then you can debug it by e.g. commenting rows away from bottom to top. 
Here is the source code all together for those panels - left to right, might be easier to debug <row> <panel> <chart> <title>SchedConnect Messages to [nnnnn]</title> <search> <query>index="emh_... See more...
Here is the source code all together for those panels - left to right, might be easier to debug <row> <panel> <chart> <title>SchedConnect Messages to [nnnnn]</title> <search> <query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | timechart count by DR1</query> <earliest>$TimePickerKielToken.earliest$</earliest> <latest>$TimePickerKielToken.latest$</latest> <refresh>1m</refresh> <refreshType>delay</refreshType> </search> <option name="charting.axisTitleX.text">Time</option> <option name="charting.chart">column</option> <option name="charting.drilldown">all</option> <option name="charting.legend.placement">right</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <chart> <title>SchedConnect Messages to {nnnnn]</title> <search> <query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYY | timechart count by DR1</query> <earliest>$TimePickerKielToken.earliest$</earliest> <latest>$TimePickerKielToken.latest$</latest> <refresh>1m</refresh> <refreshType>delay</refreshType> </search> <option name="charting.axisTitleX.text">Time</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.chart">column</option> <option name="charting.drilldown">all</option> <option name="charting.legend.placement">right</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <chart> <title>SchedConnect Messages to [nnnnn]</title> <search> <query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | timechart count by DR1</query> <earliest>$TimePickerKielToken.earliest$</earliest> <latest>$TimePickerKielToken.latest$</latest> <refresh>1m</refresh> <refreshType>delay</refreshType> </search> <option name="charting.axisTitleX.text">Time</option> <option name="charting.chart">column</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel>
here is the source for the 1st panel <row> <panel> <chart> <title>SchedConnect Messages to [nnnnn]</title> <search> <query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | t... See more...
here is the source for the 1st panel <row> <panel> <chart> <title>SchedConnect Messages to [nnnnn]</title> <search> <query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | timechart count by DR1</query> <earliest>$TimePickerKielToken.earliest$</earliest> <latest>$TimePickerKielToken.latest$</latest> <refresh>1m</refresh> <refreshType>delay</refreshType> </search> <option name="charting.axisTitleX.text">Time</option> <option name="charting.chart">column</option> <option name="charting.drilldown">all</option> <option name="charting.legend.placement">right</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <chart>
Here is the source for the 2nd panel <chart> <title>SchedConnect Messages to {nnnn]</title> <search> <query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | timechart count by... See more...
Here is the source for the 2nd panel <chart> <title>SchedConnect Messages to {nnnn]</title> <search> <query>index="emh_prd" ACXForm="TTYIN:MULEOUT:TTYOUT" XXXXXX AND .YYYYYY | timechart count by DR1</query> <earliest>$TimePickerKielToken.earliest$</earliest> <latest>$TimePickerKielToken.latest$</latest> <refresh>1m</refresh> <refreshType>delay</refreshType> </search> <option name="charting.axisTitleX.text">Time</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.chart">column</option> <option name="charting.drilldown">all</option> <option name="charting.legend.placement">right</option> <option name="refresh.display">progressbar</option> <option name="trellis.enabled">0</option> <option name="trellis.size">medium</option> </chart> </panel> <panel> <chart>
This is panel 2 [the one showing NULL]  
This is panel 1  
Are you sure that those queries are used on those panels? Or are there some other filtering after those queries which remove all results? Can you share those panels source and also your sample data ... See more...
Are you sure that those queries are used on those panels? Or are there some other filtering after those queries which remove all results? Can you share those panels source and also your sample data (with anonymous values when needed)?
OK. Yes.  I found it. https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges#Set_up_the_deployer "Deploy to multiple clusters The deployer sends the same c... See more...
OK. Yes.  I found it. https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges#Set_up_the_deployer "Deploy to multiple clusters The deployer sends the same configuration bundle to all cluster members that it services. Therefore, if you have multiple search head clusters, you can use the same deployer for all the clusters only if the clusters employ exactly the same configurations, apps, and so on. If you anticipate that your clusters might need different configurations over time, set up a separate deployer for each cluster." But honestly,  I can't think of any reasonable use case for this.