I'm trying to create a dashboard panel that shows my F5 SSL Certificates and their expiration dates, and sorts the columns from left to right by date so the leftmost column would be the certificate expiring soonest. Here's what I have for a search: index=f5_tstream source="f5.telemetry" telemetryEventCategory=systemInfo | convert timeformat="%m/%d/%Y" ctime(sslCerts.*.expirationDate) AS *c_time | stats latest(*c_time) by host | rename host as Host My results look something like this: Host latest(Certificate#1c_time) latest(Certificate#2c_time) latest(Certificate#3c_time) latest(Certificate#4c_time) Device#1 1/1/2023   7/7/2024   Device#2   10/10/2022   9/9/2023 Device#3 1/1/2023   7/7/2024               So basically I want to sort all columns containing "latest(*c_time)" by the date they're returning. Not sure if this is possible. 

Hi, My classifier (SGDClassifier) is allowing only 100 distinct cat values. I followed the link Configure algorithm performance costs - Splunk Documentation and modified the file mlspl.conf as follows :     [SGDClassifier] max_distinct_cat_values=2000 max_distinct_cat_values_for_classifiers=2000     However my splunk search is giving me the error : I had already change this value for another classifier (LinearSVC) and everything was fine, what did i miss here ? I just copied and pasted from it and change the Stanza name  I'm using MLTK 5.3.1

Hi I'm new to Splunk and what to create a search that shows what savedsearches where used in a dashboard? This is how far I got: | rest /servicesNS/-/-/data/ui/views splunk_server=local | search title="test_dashboard" | rename eai:acl.app AS app, eai:data AS data | fields title app author data I have no clue how to go from this data to an actual list of savedsearches used in this dashboard. Is there anyone who can put me on a good track?

I'm trying to create a table that displays the following result Appname Amount of users with read access amount of users that have accessed in the last 2 months Open Access Protected Access AppX <number> <number> O P   I know that I can use the rest api for most (maybe all) of this. The following tells me which apps there are and with what roles a user has read access.     | rest /servicesNS/-/-/apps/local splunk_server="local" | fields label, eai:acl.perms.read | rename eai:acl.perms.read as roles | sort by label | search label!=_searchhead_config     The following tells me what users there are and what roles they have.     | rest /services/authentication/users splunk_server=local | fields title roles | mvexpand roles | rename title as userName     What I want to do now is to combine those and by the roles, match which users have access to a certain app, and than count how many there are. I'm a newbie and I've tried all kinds of things with join, append, appendcols but it never gives me the results I need. Can someone point me in the right direction?    

Good Morning, I am pulling zeek (Bro) logs into my Splunk to view events. However some of these events will display proper syntax highlights while others will just display raw text only, regardless of their log source. The main difference between the 2 I've noticed is that the events that display proper syntax highlights only have 1 time stamp while other events with multiple time stamps will display as raw text. Multiple searches have led me to create my own local props.conf and transforms.conf files that contains this information at this current time: transforms.conf: [TranSON] SOURCE_KEY = _raw DEST_KEY = _raw REGEX = ^([^{]+)({.+})$ FORMAT = $2 props.conf [my_source_type] KV_MODE = JSON TRANSFORMS-JSON = TranSON SHOULD_LINEMERGE = false LINE_BREAKER=([\r\n\s]*)(?=\{\s*"ts":) TIME_FORMAT=%m-%d%-%Y %H:%M:%S.%4n TIME_PREFIX="timestamp":\s*" MAX_TIMESTAMP_LOOKAHEAD=25 TRUNCATE = 0 EVENT_BREAKER_ENABLE = true   Here is also 2 examples of the events ( I will write them both out in raw text), one that is displaying the syntax highlights and one that doesn't. Event that shows Syntax highlights:  {"ts":1659441156.916498,"host":"1.1.1.1","port_num":123,"port_proto":"udp","service":[""]}   Even that does not show Syntax highlights: {"ts":1659441445.280528,"id.orig_h":"1.1.1.1","id.orig_p":123,"id.resp_h":"1.1.2.2","id.resp_p":456} {"ts":1659441456.795169,"id.orig_h":"1.1.3.4","id.orig_p":789,"id.resp_h":"1.1.7.9","id.resp_p":456}   Any information would be greatly appreciated, I don't know if I'm missing something or I am approaching this wrong.