All Posts



Honestly, I have no idea. I just did a search, chose visualization, switched to stacked and did "save as" and chose "new dashboard".
Thanks for the response @PickleRick, I have copied the charting options to my XML and still see a single line as below. Although when I copied the full code as a new panel it is working as expected. Do I need to change anything to make the charting options work for my search?
The answer will depend greatly on your particular use case. If it's a simple count, @dural_yyz's answer is what you're looking for. But if you're trying to calculate some more complicated stats it might be more troublesome to do, and it might turn out that it's easier to just have two separate searches (possibly appended within one aggregating search). The approach I'd probably use would be to find unique values, mark them and use eval-based stats to calculate "deduped" stats.
<dashboard version="1.1" theme="dark">
  <label>vertical_stacked_chart</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults format=csv data="a,b,c,d
a,1,2,3
b,2,3,4
c,1,3,4"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>
@dural_yyz You got me here. I was pretty sure this setting was for monitor input only. But come to think of it, it makes sense in a batch context as well (you don't want to batch-read a file while it's still being - for example - rsynced from remote). But that should not change much in terms of deleting files. I reckon it could only make Splunk end reading prematurely. But together with a lock on an open file from another process that could make the file undeletable (Windows has a different concurrent access paradigm than Unices).
@PickleRick wrote: @dural_yyz You're quoting from the monitor input spec, @NoSpaces is asking about batch input.

Yes - admittedly I'm not as familiar with batch, so I verified with the docs where I found this under batch. I guess they did not write out the config definitions twice but just did a reference back to how it works with monitor.

# The following settings work identically as for [monitor::] stanzas,
# documented previously
host_regex = <regular expression>
host_segment = <integer>
crcSalt = <string>
recursive = <boolean>
whitelist = <regular expression>
blacklist = <regular expression>
initCrcLength = <integer>
time_before_close = <integer>

@PickleRick's answers are more likely a good place to start. It's possible you can dig into the default debug logging levels at the UF, but I wouldn't start with trying to increase logging until exhausting all other options first.
Hi All,

I'm trying to create a stacked vertical bar chart in Splunk, where each bar represents a unique field (e.g., SWC), and the bar is segmented into multiple colors based on a specific status field (e.g., RAG_Status with values Green, Amber, and Red).

Here's what I'm trying to achieve:
• Each horizontal bar corresponds to a unique SWC.
• The bar is segmented based on the RAG_Status (e.g., Green, Amber, Red).
• The length of each segment represents the count of records for that combination.
• I want the segments to be stacked within the bar, with distinct colors for Green, Amber, and Red.

Sample Query:

| inputlookup example_data.csv
| eval RAG_Status = case(KPI_Score >= KPI_Threshold, "Green", KPI_Score >= (KPI_Threshold - 5), "Amber", KPI_Score < (KPI_Threshold - 5), "Red")
| chart count BY SWC RAG_Status
| sort SWC

Visualization Requirements:
1. Chart Type: Vertical Bar Chart.
2. Stacked Mode: Each bar should show Green, Amber, and Red segments stacked horizontally.
3. Color Scheme:
   • Green: #28a745
   • Amber: #ffc107
   • Red: #dc3545

Screenshot for Reference: The above is an example of horizontal but I am looking for vertical.

Current Issue: I'm unable to configure the Splunk visualization settings or XML code to properly display this data as a vertical stacked bar chart. Either the entire bar shows as one solid color, or the segments are not stacking as expected. Any guidance or sample XML code to achieve this would be greatly appreciated!
Current XML code:

<dashboard version="1.1" theme="light">
  <label>SWC KPI Performance and RAG Distribution_new</label>
  <row>
    <panel>
      <title>RAG Status Distribution by SWC</title>
      <chart>
        <search>
          <query>| inputlookup example_data.csv | eval RAG_Status = case( KPI_Score >= KPI_Threshold, "Green", KPI_Score >= (KPI_Threshold - 5), "Amber", KPI_Score &lt; (KPI_Threshold - 5), "Red" ) | chart count BY SWC RAG_Status | sort SWC</query>
          <earliest>@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.seriesColors">#28a745,#ffc107,#dc3545</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisTitleX.text">SWC</option>
        <option name="charting.axisTitleY.text">count</option>
      </chart>
    </panel>
  </row>
</dashboard>

Current situation:

Thanks in advance!
@dural_yyz You're quoting from the monitor input spec, @NoSpaces is asking about batch input.

@NoSpaces There are two reasons that file might not get deleted even if it theoretically should.
1. Permissions - check that the user splunkd.exe runs with has proper permissions to the directory and log files.
2. Locking - if the file stays opened for writing, Splunk might not be able to remove it.

Unfortunately, while monitor input is typically relatively verbose about its problems with reading files, I'm not sure how batch input behaves in that regard.
Handling structured data (and this looks like JSON; the question is whether it is a well-formed JSON or a JSON with headers or any other similar invention) with regex is prone to cause problems sooner or later. When a source produces structured data there is no guarantee that it will always output the fields in any particular order (that's why you use structured formats so you don't have to worry about stuff like position within a line and so on). If your event is well-formed JSON data you should be better off with KV_MODE=json - let Splunk handle parsing.
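To make the point above concrete, here is an added example that is not from any poster in this thread. It builds three constructed JSON events that carry the same keys in a different order, then extracts user and src twice: once with a regex that hard-codes the key order, and once with spath, the search-time command that does the same parsing KV_MODE=json would do at the sourcetype level. Everything in the events (user names, addresses, action) is made up for the demonstration.

```spl
| makeresults count=3
| streamstats count as n
| eval _raw=case(
    n==1, "{\"user\":\"alice\",\"src\":\"10.0.0.5\",\"action\":\"login\"}",
    n==2, "{\"src\":\"10.0.0.6\",\"action\":\"login\",\"user\":\"bob\"}",
    n==3, "{\"user\":\"carol\",\"action\":\"login\",\"src\":\"10.0.0.7\"}")
| rex field=_raw "\"user\":\"(?<user_rex>[^\"]+)\",\"src\":\"(?<src_rex>[^\"]+)\""
| spath input=_raw path=user output=user_spath
| spath input=_raw path=src output=src_spath
| table n _raw user_rex src_rex user_spath src_spath
```

Paste it into a search bar with any time range and compare the _rex columns with the _spath columns row by row. The regex only matches when "user" is immediately followed by "src"; the moment the producer reorders or inserts a key, the regex extraction is silently empty rather than wrong, so a detection or alert keyed on user_rex would simply skip those events. spath (or KV_MODE=json in props.conf for the real sourcetype) keys on the JSON structure and is indifferent to key order.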
Hi @., Thank you for asking your question on the community. It's been a few days with no reply, have you been able to find any new information or a solution you can share here as a reply? If you still need help, you can contact AppDynamics Support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM) 
Hi @Yash .Gore, Thanks for asking your question on the community. Were you able to find any more information on your problem, or even a solution you can share here? If you're still looking for help, you can contact AppDynamics Support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM)
Hi @Pondani.Chisi, I asked around and this is what I was told.  There is not a way to do this. It’s possible that the actual deletion takes place later and is somewhere in the DB, but then we are talking about involving ops, engineering, etc. to fetch it.
Please share your anonymised raw event in a code block (using the </> button)
The cluster/manager/info endpoint should have what you want.  See https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTREF/RESTcluster#cluster.2Fmanager.2Finfo
Is this an XML or Studio dashboard example?  What viz are you using? custom vs OOTB?
https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTREF/RESTcluster#cluster.2Fmanager.2Finfo  
If this is a report then put both inside the same timechart and trellis the results to get your 2 graphics.  If this is a dashboard then create a base search and then 2 viz that pull from the same base search but augment each with a unique timechart command.
time_before_close = <integer>
* The amount of time, in seconds, that the file monitor must wait for modifications before closing a file after reaching an End-of-File (EOF) marker.
* Tells the input not to close files that have been updated in the past 'time_before_close' seconds.
* Default: 3

Is it possible that the file is not producing an EOF marker? Or that something keeps chatting to the file?
Thank you for your reply and sorry for the confusing description. I have a basic search and want to output two graphics by timechart:
- first contains the timechart of my search
- second contains the same timechart of the same search, but with a dedup of one specific field in the search.

Hope it clarifies a bit my request.

Thanks
| timechart count(field) as TotalVolume, dc(field) as UniqueFieldValues

Depending on what you need the above might not be it; it was a little confusing, so the other option, from what I speculate you need, is: do the timechart to 'count by field' and then eventstats to calculate the total.
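The following is an added example, not code posted by anyone in this thread, that puts @dural_yyz's count/dc timechart and @PickleRick's "mark the unique values, then use eval-based stats" approach side by side in one search. The events are a constructed login log (ts, user, src) embedded with makeresults so the search runs anywhere; the field names and values are assumptions for the demonstration. In a dashboard, everything up to and including the streamstats line is what you would put in the base search, and each panel would carry its own timechart as the post-process.

```spl
| makeresults format=csv data="ts,user,src
2024-05-01T09:05:00,alice,10.0.0.5
2024-05-01T09:20:00,alice,10.0.0.5
2024-05-01T09:40:00,bob,10.0.0.6
2024-05-01T10:10:00,alice,10.0.0.5
2024-05-01T10:15:00,carol,10.0.0.7
2024-05-01T10:50:00,bob,10.0.0.6"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| sort 0 _time
| streamstats count as nth_seen by user
| timechart span=1h count as TotalLogins, dc(user) as DistinctUsersInBucket, count(eval(nth_seen==1)) as FirstSeenUsers
```

The sort is required: streamstats numbers events in the order it receives them, so without oldest-first ordering the "first" occurrence of a user would be its newest event. dc(user) answers "how many different users were active in this hour" and counts a returning user again in every bucket; count(eval(nth_seen==1)) answers "how many users appeared here for the first time in the whole search window", which is the deduped count the original poster asked about and is the figure you want when the question is "new identities per interval" rather than "active identities per interval". Marking rows with streamstats and filtering inside the aggregation is the pattern that keeps both views in a single pass over the data.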