How do I perform stats on a large number of fields matching a certain pattern without doing stats on each one individually? In a sample event below, there are 10+ fields with names beginning with "er_". My task is to fire an alert if any of the values in these fields increases from the previous event. Sample event:   er_bad_eof: 0 er_bad_os: 0 er_crc: 0 er_crc_good_eof: 0 er_enc_in: 0 er_enc_out: 0 er_inv_arb: 0 er_lun_zone_miss: 0 er_multi_credit_loss: 0 er_other_discard: 11 er_pcs_blk: 0 er_rx_c3_timeout: 0 er_single_credit_loss: 0 er_toolong: 0 er_trunc: 0 er_tx_c3_timeout: 0 er_type1_miss: 0 er_type2_miss: 0 er_type6_miss: 0 er_unreachable: 0 er_unroutable: 11 er_zone_miss: 0 lgc_stats_clear_ts: Never phy_stats_clear_ts: Never port_description: slot12 port46 port_name: 382   SPL where I run stats on just two of those fields and where the "er_..._delta" values will be used to fire an alert if they're > 0:   index="sandbox" source="HEC" | stats count AS events, min(er_enc_out) AS er_enc_out_min, max(er_enc_out) AS er_enc_out_max, min(er_other_discard) AS er_other_discard_min, max(er_other_discard) AS er_other_discard_max, by host port_name, port_description | eval er_enc_out_delta = er_enc_out_max-er_enc_out_min, er_other_discard_delta = er_other_discard_max - er_other_discard_min | sort -er_enc_out_delta -er_other_discard_delta -er_enc_out_max -er_other_discard_max port_name   How do I run similar stats on all fields with names beginning with "er_"? Thanks!

I want to perform a search query which can give me results with respective to a specific time. For example i have a particular time as this:  2022-07-29 18:33:20 My query: index="*" sourcetype="pan:threat" 10.196.246.104 url=*   earliest=relative_time("2022-07-29 18:33:20","-1h") AND latest = relative_time("2022-07-29 18:33:20","+1h") | stats values(url) as url by _time,dest_ip,dest_port,app,category,rule,action,user   I am not getting appropriate results with this, can anyone suggest how i can do the filtration on the basis of a particular time.

Hi,   just wondering for the Microsoft Cloud Services from the documentation it says it is only required on the search head cluster however it does say optional on the heavy forwarder. My question is usually I setup the inputs on the deployment server however as this is cloud data should the inputs.conf be on the heavy forwarder or the search head?   Thanks,   Joe

We have built one dashboard using splunk dashboard studio in absolute layout. We have added some rectangle shapes to the dashboard and added Color to it as well. Now we want to add the Color change hovering functionality to the rectangle shape. Is there any to achieve this dashboard studio?    

We have built one dashboard using Splunk Dashboard Studio method by using absolute layout. Now we want to remove or hide splunk enterprise bar from the dashboard since client doesn’t want it there in the dashboard. Since we use json in dashboard studio I ma not getting any workaround to hide splunk enterprise logo bar. Can someone help me on this?      

Hi,  I have 4 sources from one sourcetype . so i am getting data from 3 sources but not from other 1 source. Logs are present , but not showing up in splunk. checked inputs.conf  everything is--same configuration for all 4 sources. crccsalt=source  is also there in inputs.config. restarted the servers, but still not able to see the data Can you please tell me anything i am missing.

Hi there, I am using REHL 8.6 x86_64 (0otpa) / Kernel 4.18.0 and trying to update Splunk Add-on for Unix and Linux...I am getting this error - An error occurred while downloading the app An error occurred while downloading the app: [HTTP 404] https://127.0.0.1:8089/services/apps/local/Splunk_TA_nix/update; [{'type': 'ERROR', 'code': None, 'text': 'Error downloading update from https://splunkbase.splunk.com/app/833/release/8.6.0/download/?origin=cfu: Not Found'}] When I manually tried to download from this link, - https://splunkbase.splunk.com/app/833/release/8.6.0/download/?origin=cfu - I am getting Oops! 404 Error: Page not found. Please share your thoughts on how to update linux / unix app from the Splunk console

I am attempting to convert most of my xml to javascript in my dashboards.  I have several single values that I can click on and show that specific data in the table.  For example, one particular single value is Blacklisted.  When I click on the numeric value, it shows details of files, md5, sha256, dates, etc that have been tagged as blacklisted.  In XML my token is set as follows:   <set token="tkblacklist">blacklist IN (t)</set>   I filter on "true."  The token is used in my table, and I get a list of blacklisted entities.   ... | search $tkblacklist$      Screenshot below is a sample of the current dashboard functionality.   When I try to do this in javascript, I am confused how to apply the token using the SingleView and pass the token to the TableView.  I have done a lot of reading, watching videos, and trial and error, but I can't seem to get this right.  Most of the examples are for text inputs, dropdowns, and muti-select features. My test.js file   require([ 'underscore', 'backbone', 'splunkjs/mvc', 'splunkjs/mvc/searchmanager', 'splunkjs/mvc/postprocessmanager', 'splunkjs/mvc/singleview', 'splunkjs/mvc/tableview', 'splunkjs/mvc/simplexml/ready!' ], function(_, Backbone, mvc, SearchManager, PostProcessManager, SingleView, TableView) { var baseSearch = new SearchManager({ id: "baseSearch", preview: true, cache: false, search: "| tstats count values(modproc.process) AS process from datamodel=dmname.modproc where nodename=modproc by modproc.blacklist modproc.process modproc.md5" // Blacklisted var blacklistProcesses = new PostProcessManager({ id: "blacklistProcesses", managerid: "baseSearch", search: "| rename modproc.* AS * | search blacklist IN (\"t\") | stats count" }); new SingleView({ id: "blacklistProcesses_Dashboard", managerid: "blacklistProcesses", height: "50", el: $("#blacklistProc") }).render(); // Get your div var my_div = $("#blacklistProc"); // Respond to clicks my_div.on("click", function(e) { var tokens = mvc.Components.get("submitted"); tokens.set("mytoken", "| search blacklist IN (\"t\")"); }); // Process Table View var tableProcesses = new PostProcessManager({ id: "tableProcesses", managerid: "baseSearch", search: "| rename modproc.* AS * | $mytoken$" }, {tokens: true}); new TableView({ id: "tblProcess", managerid: "tableProcesses", pageSize: "50", el: $("#tableProc") }).render(); });    My XML   <dashboard script="test.js" stylesheet="test.css" theme="dark"> <label>Test Javascript Dashboard</label> <row> <panel> <html> <h3 class="MainHeading"> Blacklisted </h3> <div id="blacklistProc"/> </html> </panel> </row> <row> <panel> <title>My Table</title> <html> <div id="tableProc"/> </html> </panel> </row> </dashboard>     I have also tried to use drilldown in the SingleView, but that just opens the Search window. Thanks  

Hi Everyone, Here is some context,  one of our customers is using our Splunk App we created with the Add On builder. All it does is forward alerts into our platform and we use splunk.Intersplunk to get the search results.  The customer is getting the following error but we do not know why: "07-11-2022 15:31:37.179 +0000 ERROR sendmodalert - action=bigpanda_alert STDERR - backports.configparser.MissingSectionHeaderError: File contains no section headers.","2022-07-11T11:31:37.179+0000","bigpanda_alert",,,,,,,,,,,,,,,sendmodalert,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,15,11,31,july,37,monday,2022,0,,,,,,,,,,,"action=bigpanda_alert STDERR - backports.configparser.MissingSectionHeaderError: File contains no section headers.","err0r nix-all-logs nix_errors splunk_modalert splunkd-log",,,,,,lpec5009spksh03,,,"_internal",,,,,,1,,ERROR,,,,,,,,,,,,,,,,,,,,"--_::._+___-_=__-__..:_____.",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"/opt/splunk/var/log/splunk/splunkd.log",splunkd,,"URL-REDACTED-HERE",,,,,,,,,error,,,error,,,,,,29,,,0,,,,,,,,,,,,,,,,,   My initial suspicion is that it is related to enableheader  being overriden in etc/system/default/command.conf with false, but I tried it on my instance and I got no errors. Any insights into this would be greatly apreciated!

Hi everyone, I was looking at how I can ingest data from BitBucket Cloud to Splunk Cloud (8.2.2 Victoria).  The old bitbucket app gets rejected by the Splunk Cloud app upload. I saw the Lantern article (Atlassian: Bitbucket - Splunk Lantern), but it doesn't have any actual information. Does anyone have any working integrations of Splunk Cloud to Bitbucket Cloud?  Any source type/data type information? Thanks in advance!

Hey everyone, I'm pretty new to both splunk and jira but I'm trying to integrate them both to get real-time events/alerts from splunk sent over to jira as a task or open ticket, I've tried an addon called Atlassion Jira Issue Alerts but can't seem to get it working after the configuration, no alerts have been showing up, can someone guide me as to how to configure it since the details page for the addon doesn't really say much, or a different addon or even way of integrating through the use of the API's? (not that I've used one before but with proper guidance I can conduct the research to get it) thanks in advance!

i have index=main  user=Local Domain\abc it wont search any result but if i search with index=main  user=Local Domain\\abc it works, i tried rex as well but it didnt work for my dashboard as it wont display any search, any solution to search without adding another \ to the search