Hi  Team, The below screen shot in prod environment Splunlk App displaying app when ever select , but dev environment when ever select app not displaying , i had verified the permissions also visible,   please help me what is the exact issue.        

Hello, We have a lookup/kvstore containing over 3.M records*. We need to count the number of times each value is found over all of the records. Ex: Count the occurrence of the same LAST_NAME Field Name: LAST_NAME Values: JONES, SMITH, DAVIS, GARCIA Counters Values: 12, 34, 16, 23 This is just one of several different counters: BIRTH_YEAR, CITY, STATE, etc. Because of the limits within Splunk, this code would result in blanks and inaccurate counts.   | eventstats count(ID) as count_same_city by CITY   Any suggestions? * The number of records increases by 10K every week. Thanks in advance, and God bless, Genesius

Hi  I am referring below table for example,  I want add CSS for both values in Office column in the table.   Name Position Office Age Airi Satou Accountant Tokyo 33 Angelica Ramos Chief Executive Officer London 47 Ashton Cox Junior Technical Author San Francisco 66 Bradley Greer Software Engineer London 41 Brenden Wagner Software Engineer San Francisco 28 Brielle Williamson Integration Specialist New York 61 Bruno Nash Software Engineer London 38 Caesar Vance Pre-Sales Support New York 21 Cara Stevens Sales Assistant New York 46 Cedric Kelly Senior Javascript Developer Edinburgh 22   I want highlight both values Tokyo and San Francisco. I have added script it will work but problem is its will work one value only. It will highlight San Francisco only. I have add script as follows      require( [ 'underscore', 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/tableview', 'splunkjs/mvc/simplexml/ready!' ], function (_, $, mvc, TableView) { function cssLoad(tableName, field_name, field_val) { var CustomLinkRender = TableView.BaseCellRenderer.extend({ canRender: function (cell) { return _([field_name]).contains(cell.field); }, render: function ($td, cell) { var cell_value = cell.value; if (cell.field == field_name) { if (cell_value == field_val.trim()) { $td.css('color', '#1717E6'); $td.css('font-weight', 'bold'); $td.css('text-decoration', 'underline'); $td.css('text-decoration-color', 'blue'); } } $td.text(cell_value).addClass('string'); } }); var selectedTable = mvc.Components.get(tableName); if (typeof (selectedTable) != "undefined") { selectedTable.getVisualization(function (tableView) { tableView.addCellRenderer(new CustomLinkRender()); tableView.render(); }); } } //Single table Hardcode call cssLoad('table1', 'Position', 'Software Engineer'); cssLoad('table1', 'Age', '66'); cssLoad('table1', 'Office', 'Tokyo'); cssLoad('table1', 'Office', 'New York') });        Please Help me!.  For highlight multiple values. 

Good day, We have an issue where when we try to setup email notifications with our email server with Splunk, no emails will send to the respective email addresses. We tried adding the adding the information: "ipaddress:port" to the mail host section but no luck. We do not require a username and password. We also tried following the instructions from the documentation here: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail There was no luck there either. Is there an alternative way to setup email notifications through SSH or something else? This has to satisfy a STIG requirement. Please let me know if I need to provide additional information to the forum. Thank you

index=idx_rdap source="*f5*" "*member*" "RO1B4-0JLSM4000S" "/Common/pool_d2i_*gkrgkl" | rex field=member "\/Common\/(?<server>[^:]*)" | stats latest(status) as Last_status, values(pool), as pool_name, values(_time) as _time by pool, server | stats values(Last_status) as Last_status, values(server) as server by pool | eval severity=case(server="XC001X02" AND server="XC001X03" AND Last_status="down", "1", server="XC001X03" AND Last_status="down", "3", server="XC001X02" AND Last_status="down", "3",true(),"0" ) | table pool, Last_status, severity, server | eval hour_of_the_starttime=strftime(_time, "%H") | eval support_group=if(hour_of_the_starttime>=19 OR hour_of_the_starttime<7,"WW-XX-TFORMEGI-L3", "WW-XX-MSEGI-L2") | eval ressource="GKR-GkL-I:" + pool | eval service_offring="GKR-GkL-I" | eval description="VIP GMS got a service status down \n \nDetail : One or more legs Impacted service on :" + pool + "\n On server(s): " + tostring(server) + " \n\n\n\n; " + support_group + " ;KB=KB00000" | table ressource description pool service_offring severity server support_group

Hi Community, For some reason, the extension does not work anymore since I've upgraded to tlsv1.3. Does anyone know if they're compatible or maybe some config adjustments are necessary to collect metrics? Thanks

i am using splunk cloud and need to about splunk status page  in that there are multiple services are there while opening the link https://status.scp.splunk.com/ can anyone let me know the description about those services and impact if not working 

Hi, I'm configuring SSL in a test environment on version 8.2.6 of Splunk Enterprise before upgrading to Splunk 9.0.0.  I have managed to encrypt traffic between my Splunk servers, however, I am now unable forward data to my Indexers as they're are refusing connections from my Forwarders. Do I have to have a certificate on all of my Forwarders to make use of SSL/TLS? I'm trying to avoid the overhead of having to manage certificates on all of my  servers that I have in the Production environment. Thanks. Mike.

I scheduled a search to run at 0 2,8,14,20 * * *  The timezone of the search head is UTC.  Therefore I expect the next run tiem to be 2am UTC, yet Splunk says the next run time would be 6am UTC.  How could this be? And where is this configured? I suspect there is a setting somewhere which is making the cron expressions be interpreted in US Eastern Time. Since we are observing Daylight Savings Time, Eastern Daylight Time would be UTC-4. The documentation (Use cron expressions for alert scheduling - Splunk Documentation) says "The Splunk cron analyzer defaults to the timezone where the search head is configured. This can be verified or changed by going to Settings > Searches, reports, and alerts > Scheduled time." I find no "Scheduled Time" under Settings > Search, reports and alerts. I did post this to the feedback on that documentation page in case it is actually inaccurate. Where can I check and verify?   Thanks!

Can Splunk DBConnect use the SQL WITH statement?   WITH TABLE_BASE AS ( -- this section is the base query and matches the Smart reporting logic SELECT DISTINCT The WITH command is not highlighted in red as the other commands.