Is there a way to customize which additional fields to show for which notable event / correlation search without affecting other notable events that may be displaying the same additional fields? If so, please help.
So here is what I am thinking. In a nutshell, I am looking to have a main dashboard which displays the status of multiple servers as well as display a status indicator for each of them to show the server's current "health". This "health" value would ideally be derived by a secondary dashboard which has multiple status indicators which work in a similar fashion, but are tied to one specific server's sub-systems. I may also incorporate another level that goes into the sub-systems similarly. However, let's just say I am only doing the two levels. I am struggling to find a way to make the second, sub-system-level dashboards for each server store and send their health values to the main dashboard so the color of the main dashboard's status indicator can be determined for that specific server.

The intent is to have these dashboards on different screens throughout the office but also make following the issues easier, as in you just follow the drilldowns of the indicators showing an issue until you get to a diagnostic dashboard of some sort which can aid in troubleshooting.

Some ideas:

Idea One: Have a JavaScript script for each dashboard which uses the search head's file structure to communicate between dashboards.

Problems with Idea One: There are many, though I am unsure if I can make the scripts update regularly and communicate while also updating the status indicators on each dashboard at the same time. Also, I am unsure of how to use the search of each of the indicators in a way that will work with the scripts. Even if I make all of this work, it may also involve a decent amount of upkeep to keep all the pieces working together.

Idea Two: Use tokens or something similar to share the health values from the lower levels of dashboard up to the main dashboard.

Problems with Idea Two: Put simply, I don't know if this is possible. So far as I can tell, tokens are meant to be used as inputs only, can't be changed by search results, and are meant to be sent downstream via drilldowns, not upstream. Though maybe I could just start at the lowest level of dashboard and create drilldowns that will eventually end up back at the main dashboard. Though this has its own issues, such as needing multiple drilldowns to converge their data onto the same dashboard to get the level of information I would need to calculate an average health of the system.

I am quite open to suggestions. I have spent quite a while brainstorming and attempting to test different ideas to no avail. I am using Splunk Enterprise version 8.1.2. Please let me know if you have any questions. Thank you for taking the time to read this.
We are using Splunk Cloud and trying to monitor URLs using the Website Monitoring app, but when checking, it is not showing the latest data and last_checked is not updating. Are there any configuration settings I need to update for this? Website Monitoring Version: 2.9.1 Build: 1579823072
Hello, I have a question regarding the indexing of search results. I have an alert that is currently active, performing a search and passing the results to a particular index through log events. I would like to modify this job to run in a specific past time window; however, I can't edit the job, so I would like to be able to run the same search through the Splunk search bar and pass the results to the index. I can run the search and get the results, but I can't output them to the index. Is there a command that I can add to the search query in order to pass the results to the index? Thanks in advance.
I did not receive the expected result on the query below; could anyone please check? https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-colour-feature-in-dashboard/m-p/603148#M12979 In the dashboard table below, I need to set a colour condition on 2 columns, that is, expected_difference and sla_difference. If expected_difference is negative it should show in red; if it is positive it should show in green. Likewise for sla_difference: if it is negative it should be orange; if it is positive it should show in green.
Hi, we have 3 search heads in a cluster environment under a load balancer. We are observing that one of the search heads (non-captain) has very high CPU utilization in comparison to the other 2 search heads. Can anyone please suggest why this is happening and how to troubleshoot it? Thanks.
Hi, unfortunately I inherited a Splunk deployment where the previous admin co-located multiple roles on one Splunk host. The admin put the Deployment Server, SHC Deployer, and Monitoring Console roles all on a single box (on prem). In order to update the Deployment Server, Support told me I need to first remove the MC and Deployer roles. I can move the MC no problem, but moving the SHC Deployer is causing some concern. The deployer is set to the standard "merge_to_default", but I'm not sure how to copy over the files to the new deployer. I know I need to make sure all the apps on the current one get moved over, but what about the local settings created by the user? Support says having the DS and Deployer roles on the same box is not supported, which I agree with, but I am not getting any guidance from them. Any advice is greatly appreciated. Thank you.
Hi everyone, I have observed that some of my lookup files that are intended to be updated on a daily basis by reports do not always have the latest data. I have used 2 approaches so far: 1) Used the report "add action" feature to add data to lookup files. 2) Used the outputlookup command with append. In both cases, I have scheduled them to run on a daily basis. But I have observed that my lookups do not always get updated (appended) with the daily chunk of data. I have verified, by running individual searches, that data is available for those particular days for which the lookups were not updated. Can someone please help me understand the possible cause behind this? Thanks in advance.
Hi, below is my dashboard: I want to clear the selected dropdown value for the dropdown "Operation" and reset it to the default value on selection of another dropdown named "Method". My dropdown population code is as below:

<input type="dropdown" token="token_method" searchWhenChanged="true">
  <label>Select Method:</label>
  <fieldForLabel>METHOD</fieldForLabel>
  <fieldForValue>METHOD</fieldForValue>
  <search>
    <query>| makeresults | eval API="party_interaction_rest",METHOD="Alle,GET,POST" | append [| makeresults | eval API="ticket_mgmt_rest",METHOD="Alle,GET,POST,PATCH"] | append [| makeresults | eval API="customer_management_rest",METHOD="Alle,GET,PATCH"] | append [| makeresults | eval API="agreement_management_rest",METHOD="Alle,GET"] | append [| makeresults | eval API="product_order_rest",METHOD="Alle,GET,POST,PATCH,DELETE"] | append [| makeresults | eval API="product_inv_rest",METHOD="Alle,GET,POST,PATCH"] | eval METHOD=split(METHOD,",") | mvexpand METHOD | table API METHOD | search API="$token_service$"</query>
  </search>
  <change>
    <condition value="Alle">
      <set token="token_method">*</set>
    </condition>
  </change>
  <default>Alle</default>
  <initialValue>Alle</initialValue>
</input>
<input type="dropdown" token="tkn_OPERATION">
  <label>Select Operation:</label>
  <fieldForLabel>OPERATION</fieldForLabel>
  <fieldForValue>OPERATION</fieldForValue>
  <search>
    <query>| inputlookup append=t REST_OPERATION_LOOKUP.csv where API="$token_service$" METHOD="$token_method$" | dedup OPERATION</query>
  </search>
I have a serialized JSON string like below:

"{\n \"ID\": \"da419500-f6b4-11ec-8b49-025041000001\",\n \"Name\": \"splunk\",\n \"message\": \"demo\",\n \"tracePoint\": \"START\",\n \"priority\": \"ERROR\",\n \"flowName\": \"demo1\",\n \"timestamp\": \"2022-06-27T16:33:17.175289Z\",\n \"content\": {\n \"payload\": {\n \"message\": \"Hello world!\"\n }\n }\n}"

I need to remove all the "\n" from this string:

"{ \"ID\": \"da419500-f6b4-11ec-8b49-025041000001\", \"Name\": \"splunk\", \"message\": \"demo\", \"tracePoint\": \"START\", \"priority\": \"ERROR\", \"flowName\": \"demo1\", \"timestamp\": \"2022-06-27T16:33:17.175289Z\", \"content\": { \"payload\": { \"message\": \"Hello world!\" } } }"

I tried rex field=myField mode=sed "s/\\n/ /g" and also the replace function; neither seems to help.
Hi, I am trying to run Splunk on Docker for my research project. Unfortunately, after I connected to Splunk in the browser, I wanted to go to the Docker shell to do some configuration, so I ran this command: docker start -i <CONTAINER ID> but I did not get a response for many minutes, until I had to close my cmd! Please tell me why. By the way, I tried the whole process (from downloading the image to running Docker) 2 times and got this result both times. Could it be because the image has the system prerequisite of a Linux-based operating system (Debian, CentOS, etc.) and I am trying to use it on Windows 10? Thanks for your help.
Hello Team, I am getting a timeout error while adding data to a Splunk Cloud index from the REST API. I am using the endpoint below. (Or) help me with how I can add data to a Splunk Cloud index through REST APIs. URL: http://*********:8088/services/collector Thanks, Venkata.
Hi! I have 3 multivalue fields (max. 3 values per field) and I want to expand/extract them to single values. Data looks like this: (screenshot) When I use | mvexpand, Splunk expands to all skills and all skill levels with all skill hours: (screenshot) How can I tell Splunk to extract only line by line? The result should look like:

Skill | SkillLevel | Hours
Hardware-Techniker | 3 Advanced | 10
Software-Entwickler Sonderprogramme (C, C++) | 3 Advanced | 15

Query (without | mvexpand):

| eval Skills = mvappend(customfield_26202_child_value, customfield_26204_child_value, customfield_26205_child_value)
| eval SkillLevel = mvappend(customfield_26206_value, customfield_26207_value, customfield_26208_value)
| eval Hours = mvappend(customfield_26300, customfield_26301, customfield_26302)
| table Skills,SkillLevel,Hours

Thank you very much!
Hi! We are trying to push alerts into Swimlane using the Swimlane add-on, but we are getting the error below:

06-28-2022 04:45:08.234 -0500 ERROR SearchScheduler [4094 AlertNotifierWorker-0] - Error in 'sendalert' command: Alert script returned error code 1., search='sendalert push_alerts_to_swimlane results_file="/opt/splunk/var/run/splunk/dispatch/scheduler_Xghedjhwqklahd"
06-28-2022 04:45:08.234 -0500 WARN sendmodalert [4094 AlertNotifierWorker-0] - action=push_alerts_to_swimlane - Alert action script returned error code=1

Swimlane App link: https://splunkbase.splunk.com/app/3708/

Any help with this is much appreciated. Thanks
Hello, for context, I created a dashboard in the Splunk Cloud app where a pie chart is displayed. The purpose of the pie chart is to display the different types of events and the associated percentages. However, the separation between the value and its percentage is quite confusing because it is two numbers separated by commas. Is there a way to format the values displayed or change the separator? Thanks in advance
Hi All, I need help with a regex.

{"CreationTime": "2022-06-28T01:55:52", "ExchangeMetaData": {"BCC": [], "CC": ["cat@gmail.com", "ant@gmail.com", "sat@gmail.com", "mat@gmail.com"]

I need to capture the values under CC; 4 different values are to be captured under CC. I tried a regex which is capturing only the first value --> \"CC\"\:\s\[\"?(?<exchangeCc>(\w?\@?\.?)+) Otherwise, with a different regex, it is capturing all 4 values as one single value ---> CC\"\:\s+\[(?<CC>[^\]]+) Is it possible to capture them as 4 different values?
Hello, we are in an indexer cluster: 2 indexers, 1 cluster master, a deployment server & license master, 2 HECs and 1 search head. I have created tokens on one of my HEC instances and I can see logs are coming into HEC1, but we need them on the SH, and also the same token should be reflected on the other HEC2. Note: the two HECs are added as deployment clients to the DS. Please help me with this.
Hello Splunkers, I configured a new notable suppression in ES for a repeated notable based on source IP. I can see the suppression entry is created under eventtypes, but the notable is still coming to the Incident Review console. I suspect an issue with my search configuration under the suppression settings. My search config is like below: index=network dest_port IN(389,636) src_ip=10.x.x.x This was to suppress notables triggering for my recent LDAP traffic search. Thank you.
Hi All, I'm trying to use Splunk to produce a table which will highlight the duration between the RUNNING event of one Autosys job and the SUCCESS event of another. In this case the start job for each environment is denoted by a prefix ending *START_COMP_0 and the last job is *OSMPCONTROL_0. If I only compare a single environment (ENV1...) then the search works fine; however, I would like to grab the duration between two events for multiple environments (ENV1, ENV2...). Using the SPL below or something similar, is it possible to group the ENVs together based on a matching string?

Multiple Envs:

index=_* OR index=* sourcetype=autosys_vm1_event_demon AND (JobName=DWP_VME_DLACS_*_START_COMP_0 Status=RUNNING) OR (JobName=DWP_VME_DLACS_*_OSMPCONTROL_0 Status=SUCCESS) | transaction maxevents=2 | table JobName duration _time

I have attached two screenshots, one of a single env which gives me my desired output and one where I put a * in the search, showing how the search is grouping multiple events. Multiple: (screenshot) Single working: (screenshot) TIA, Cameron.
I made a column chart like these images. I want to change the color of a particular column specified by the field "No.", which is set as a "token" by another graph. My ideal is the third image. I'm sorry if my English is wrong.