Scenario: I have a dropdown with options: East, West, South and North. When i pick East from my dropdown and East populates in my panel, I'd like to show my panel. However if East is not populated in my search i want to hide the panel. Is there a way to do it dynamically?   Thank you.

Hi, I'm trying to calculate the number of events per day so I can then divide by 86400 to get the daily EPS. I know I can get the EPS "directly" using various queries like the below but I don't really understand the logic as what is the ev field and how is it calculated? index=_internal sourcetype=splunkd Metrics TERM(group=per_sourcetype_thruput) component=Metrics | fields ev series _time | rename ev as events, series as sourcetype | timechart limit=15 partial=f minspan=30s per_second(events) as EPS by sourcetype | append [ | tstats dc(source) as Sources, dc(sourcetype) as Sourcetypes, dc(host) as Hosts where index=* by _time | timechart partial=f sum(Sources) as Sources, sum(Sourcetypes) as Sourcetypes, sum(Hosts) as Hosts ] | timechart partial=f first(*) as * | addtotals | fields _time Total | appendpipe [| stats count | where count=0 | eval Total="0"]  

We have a Splunk app, that needs to be disabled by the users themselves as per the systems health and maintenance mode. Curious to know which role/capability in splunk is responsible for granting this level of access. Already have revisited `edit_local_apps` capability as part of https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Rolesandcapabilities#Add.2C_edit.2C_and_remove_capabilities_from_roles and this doesn't seems to answer the query.   Thanks

Hi We already use Splunk internally and we would like to know if Splunk could be used in scoring uses cases. We would like to reproduce the same type of example as the one presented in this following article with ELK. https://www.compose.com/articles/using-query-string-queries-in-elasticsearch/ We have seen that the score command appears with the Splunk Machine Learning toolkit addition but it seems much more complex. Would it be possible as in the example to have a classified search (in the example with ELK, a scoring on the title of a movie against keywords)  

hello I try to add a csv file manually but when I do it I receive the message "is not supported, only utf-8 encoded files are supported" I checked the file with notepad++ and the file is encoded with UTF-8 so what is wrong please?  

TL;DR; I need to set a value on one SH in a cluster, and then tell the other SH what it is using Python. Tried using the RESTapi (see below) but any tips where someone has done it before would be great!  Full Version I'm working on a clustered instance of Splunk. It talks to another tool using an access token which expires after so long (1 hour). When the user calls the tool and the token has expired a new token is generated and needs to be shared between the other SHs so they can use it until it expires again. The token is set in Python and I looked to use the services.post command to update a custom conf file/stanza     service.post('/servicesNS/nobody/APP/configs/conf-app/session')     And when I run it under admin it works fine, but when I run it as a user I get an error:     HTTP 403 Forbidden -- You (user=barry) do not have permission to perform this operation (requires capability: admin_all_objects).     But I don't want the user to have admin_all_objects.   I have given the user a role which has write access to the conf file:     [APP/session] owner = nobody access = read : [ app_role ], write : [ app_role ]     Can anyone suggest how I can get the API to update the local conf without admin or come up with a better way to share the token between SHs?

Hi Folks,   I'm using splunk 9.0.1 and I installed the event gen and splunk windows add-on 8.5.0. looks like is not present the eventgen.conf on this add-on version. it not possible generate fake windows event any more? Regards

How do I return the points from an Outlier chart that are identified as outliers?  Specifically, I'm looking for the times that the outliers happen.  I need to do some secondary querying at those times only. Thank You

Hi Guys, We recently setup Splunk to use OKTA SAML as SSO authentication .  But upon configuring, the username format for users in Splunk was employeeNumber@domain which is incorrect. We need to update the username format as first name-last name. We got in touch with the OKTA team and they updated the same at their end and sent me new updated metadata file, which I uploaded to Splunk but still username format is same and incorrect. Can you guys help in figuring out what settings do I need to change in Splunk to make this work? I am not too good with this so try to be a bit detailed in your answers. Thanks, Neerav Mathur  

Hi We use Splunk internally for log consultation. But we have a new need for our web application. We would like to have a word or phrase search functionality to get a list of results that fully match or come close to matching the search. For example, if I search "field="It's raining today", I get events that contain. It's raining today It's raining today Its raining today today It's raining ... Can machine learning apps enable this kind of thing? Is there a module or addon to do this kind of thing with Splunk.   Thanks for your help

Hi please I have 3 questions regarding the splunk enterprise solution (500 mega free log) infact I am a student and I want to master this solution 1/ after 3 quota overruns, what exactly happens? does splunk server stop receiving logs or what?? 2/ what is the difference between: Free license and Enterprise Trial license? 3/ in case I had 2 splunk servers and I want to put one of the 2 as slave because I will need it but I only need the logs that analyzed it, what happens technically?

Hello, Like any other ES user, we have threat intel feeds configured that came along with box.  How can i view the actual data of this threat intel feed ?   For example:   Lets take the cisco_top_one_million_sites OR  emerging_threats_ip_blocklist  sources. All of these 4 commands error out.   Well,  how can i find what is being downloaded ? How to view these collection s ? | inputintelligence emerging_threats_ip_blocklist OR | inputlookup emerging_threats_ip_blocklist OR | inputintelligence cisco_top_one_million_sites OR | inputlookup cisco_top_one_million_sites