Our users have discovered that they can add data to indexes.  This could lead to a user accidently polluting a production index.  I searched the Splunk documentation and the Internet but was unable to find a solution.   Does anyone know how we can restrict write-access to indexes to the sc_admin role and allow read access for everyone else?

Hi Splunkers, I'm on an addon creation task, Glassfish in particular and, like other times I faced tese kind or request, I'm configuring the props.conf file. In this configuration I'm facing the following issue: I know that events starts with two kind of character sequences: [#| Date in format month (3 letters) and day, so for example Jun 07 So, in BREAK_ONLY_BEFORE, i putted the following regex:      [\[\#\|] | [\w{3}\s\d{2}]      and it works fine. A problem rise in the second case: when this events are present, they have a structure with many carriage return. Here a log sample:     Jun 07, 2022 8:29:52 PM <some_path_here>info INFO: JVM invocation command line: -XX:+UnlockDiagnosticVMOptions -XX:MaxPermSize=<size> -XX:PermSize=<size> -XX:NewRatio=<size> -Xms<size> -Xmx4096m <other lines that starts always with - symbol>      In such case, the default event line breaking split every info in this events in a different events. So, I set      SHOULD_LINEMERGE=1     but I have still problems; even with this configuration, the events are not properly merged. What I got are 3 different events splitted in such a way::     Jun 07, 2022 8:29:52 PM <some_path_here>info     first part of info starting with - symbol, so:     INFO: JVM invocation command line: -XX:+UnlockDiagnosticVMOptions -XX:MaxPermSize=<size> -XX:PermSize=<size> -XX:NewRatio=<size> -Xms<size> -Xmx4096m     remaining part of info starting with - symbol, so:     -Djavax.net.<remaining path> -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=<value> -DANTLR_USE_DIRECT_CLASS_LOADING=<value>     To fix this, I tried to use:     MUST_NOT_BREAK_AFTER=[\r\n]+     but it does not work. The event is still divided in the above 3 different parts. How can I fix it?

Hi, Say I have the following table: Name  2022-06-07 10:01:14 2022-06-07 22:01:13 2022-06-08 10:01:11 2022-06-08 22:01:25 2022-06-09 10:01:22 2022-06-09 22:00:59 2022-06-10 10:01:28 a 301 300 302 303 301 400 412 b 200 220 235 238 208 300 302 Can I color a cell based on the increment rate from the previous value? for instance- if the value increased by 10%, it will be yellow, 20% would be Orange and so on.  I'm looking for a solution based on simple xml where no additional files are needed. Thanks.

Hello, First of all, sorry for my lack of knowledge if my question looks silly.   I have a datasource providing events as follows : State Start Timestamp / UserName / StateName / Duration of the State in seconds / State End Timestamp   I'm trying to produce a timechart that is showing the duration in each state for each user with a 1h span so that we could see clearly the time spent in each state by the users for each hour of the day.   The issue is that a user can start a state at a given time and have a duration bigger than 1h.   For exemple, a user logs in and is available at 8:32 and it stays in "available" state during 2h.   What I get so far with a basic timechart span=1h of the states by user : 2h in 8h span nothing in 9h span nothing in 10h span   I would need to manipulate the query or the events in a way that will make the timechart report in this example : 28 min in 8h span 1 hour in 9h span 32 min in 10h span   as the state lasted between 8h32 and 10h32.   Here's my query today :   | eval AvailableDuration = if(State="Available",Duration,0) | eval BusyDuration = if(State="Busy",Duration,0) | eval CallDuration = if(State="In Call",Duration,0) | timechart span=1h fixedrange=false useother=f limit=0 sum(CallDuration) as "In call" sum(AvailableDuration) as "available" sum(BusyDuration) as "Busy" by UserName     Is there a way to redistribute the durations by manipulating data so that each hourly span is properly populated ?   Thanks in advance for your help !

Hi, Say I have this table: Name Date Flows a 2022-06-13 23:01:26 200 a 2022-06-13 10:01:26 301 b 2022-06-13 23:01:26 504 b 2022-06-13 10:01:26 454   I'd like to create a table that's using the values of "Date" column as a new columns, and grouping all the identical "Name" values into one line as follows (where the values are "Flows"): Name 2022-06-13 23:01:26 2022-06-13 10:01:26 a 200 301 b 504 454   I tried several approaches but failed. Could you assist?

When using DBXQUERY, is the a |search needed after the query?       | dbxquery connection="DRTP-Connection" query=" SELECT <X, Y, Z> FROM <wherever> WHERE <wherever>;" | search | table X, Y, Z | sort - Z        My query appears to work either way, but I have often been critical about using extra 'search' commands within a query, so I am curious as to whether there is a performance hit.

OLD Query: source="http:Emerson_P1CDN" AND status_code=200 AND path=*/catalog* AND path!=*thumb* AND path!=*CartRefreshStatusJSON* AND path!=*PriceAjaxView* | bucket span=1m _time | stats count by client_isp,_time | where count >= 600 | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(_time) | sort - count | transpose header_field=_time When I set this one as an alert, it considers the client_isp and _time as part of the query so even there where no result it is sending a blank alert only the client_isp and time on the first column. New Query: source="http:Emerson_P1CDN" AND status_code=200 AND path=*/catalog* AND path!=*thumb* AND path!=*CartRefreshStatusJSON* AND path!=*PriceAjaxView* | bucket span=1m _time | stats count by client_isp,_time | transpose header_field=_time | sort - count | where count >= 600 | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(_time) While on this one, there were no result at all. What maybe wrong on this query?

Hello, I want to notify that some bug in version 22.6 , on controller can get information of CPU, RAM,... from AIX server.  Maybe something Script is wrong( same in the below pictute " ksh run_co: not found").. i fixed it by using 22.2 version for machine-agent...