I have a macro that starts with a search command.  When I ran it, I noticed I was getting a different number of results than if I just ran the raw SPL vs using the macro. As an example my macro was named open_vulnerabilities and the SPL was:       search index="vulnerabilities" severity_id>=2 state!="fixed"       If I use the macro in the search bar like this:       `open_vulnerabilities`       I would get say 10 results.  But if I ran the full SPL (index="vulnerabilities"...) then I'd get 100 results. I ended up figuring out that if I used a | before the macro name, like this       | `open_vulnerabilities`        then I'd get the number of results I expected.  I just don't understand why.  If I got 0 results, then it would make some sense but the fact that it's returning 10 really has me stumped.  Any help would be greatly appreciated.  Thanks

Is it possible to allow users the interactive capability of selecting between light and dark mode theme by way of an input field?  I tried: <form theme="$background_theme_token$> along with an input field for that token ( light or dark selection ) and was not able to get it to work. Any suggestions or is this not doable in the Classic dashboard (XML) world? Thanks in advance, Bob

Hi everyone I am currently getting logs from microsoft 365 and one of its panels shows the impossible simultaneous locations. When I check the IP with any page for whois like virustotal or abuseipdb, for example, from Sweden, I find that it really is from another country. Is there something wrong with the iplocation command or something I need to adjust How can it be solved?

Hi All, There are lots of forum topics here on this but I'm really struggling to get my head around it.  I have the following information in JSON:      { "4": { "state": { "on": false, "bri": 254, "hue": 8418, "sat": 140, "effect": "none", "xy": [ 0.5053, 0.4152 ], "ct": 454, "alert": "select", "colormode": "ct", "mode": "homeautomation", "reachable": false }, "swupdate": { "state": "transferring", "lastinstall": "2020-03-03T14:19:37" }, "type": "Extended color light", "name": "Hue lightstrip plus 1", "modelid": "LST002", "manufacturername": "Signify Netherlands B.V.", "productname": "Hue lightstrip plus", "capabilities": { "certified": true, "control": { "mindimlevel": 40, "maxlumen": 1600, "colorgamuttype": "C", "colorgamut": [ [ 0.6915, 0.3083 ], [ 0.17, 0.7 ], [ 0.1532, 0.0475 ] ], "ct": { "min": 153, "max": 500 } }, "streaming": { "renderer": true, "proxy": true } }, "config": { "archetype": "huelightstrip", "function": "mixed", "direction": "omnidirectional", "startup": { "mode": "safety", "configured": true } }, "uniqueid": "00:17:88:01:04:06:ae:3d-0b", "swversion": "1.50.2_r30933", "swconfigid": "59F2C3A3", "productid": "Philips-LST002-1-LedStripsv3" }, "5": { "state": { "on": false, "bri": 144, "hue": 7676, "sat": 199, "effect": "none", "xy": [ 0.5016, 0.4151 ], "ct": 443, "alert": "select", "colormode": "xy", "mode": "homeautomation", "reachable": true }, "swupdate": { "state": "noupdates", "lastinstall": "2021-08-13T13:53:48" }, "type": "Extended color light", "name": "Upstairs Hall", "modelid": "LCT015", "manufacturername": "Signify Netherlands B.V.", "productname": "Hue color lamp", "capabilities": { "certified": true, "control": { "mindimlevel": 1000, "maxlumen": 806, "colorgamuttype": "C", "colorgamut": [ [ 0.6915, 0.3083 ], [ 0.17, 0.7 ], [ 0.1532, 0.0475 ] ], "ct": { "min": 153, "max": 500 } }, "streaming": { "renderer": true, "proxy": true } }, "config": { "archetype": "sultanbulb", "function": "mixed", "direction": "omnidirectional", "startup": { "mode": "safety", "configured": true } }, "uniqueid": "00:17:88:01:04:ff:49:53-0b", "swversion": "1.88.1", "swconfigid": "76B74E79", "productid": "Philips-LCT015-1-A19ECLv5" },     I am wanting information for "4" and "5" to be ingested as separate events at index time. I understand that one could use regex to filter this properly, but honestly I'm struggling to wrap my head around how.  Any help would be massively appreciated. Many Thanks, John

I didn't find the cloud documentation very clear... Do I need to install splunk enterprise separately to have heavy for warder and then configure my splunk cloud license? Do I need to ask splunk support for an enterprise license? After all, how do I configure a heavy forwarder? And what address do I put in Universal forwarder? From the IP or hostname cloud? I've read the following threads and it gets more and more confused: https://www.splunk.com/en_us/resources/videos/splunk-cloud-tutorial.html https://community.splunk.com/t5/Getting-Data-In/How-to-set-up-a-heavy-forwarder-to-forward-data-to-Splunk-Cloud/m-p/250588 https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Admin/WindowsGDI  Step2 Can you help me please?   Regards

Hello I'm using the new dashboard studio, and have a couple of single value and single value + trending components. I want these to show a "0" when no results are available for a given component instead of the default icon:   the single value has a |timechart count at the end and shows results when available, however it shows the default when no results are available and is something I want to fix, to make it clearer to the user. While I tried with |fillnull , |fillnull value=0 count and even adding "shouldSparklineAcceptNullData":true in the code section for that single value, nothing seems to address this problem.   Any idea how can I have a 0 showing ? I have read multiple questions around the same topic, however no of the answers I found seems to work for me sadly. Thanks in advance for any help this awesome community can provide.  

I am running Splunk Enterprise and am trying to create a dashboard panel "Events" search string that pulls multiple Windows Event Log Codes. I am using variations of the code below: index=windows* sourcetype="WinEventLog:Security" (EventCode>="630" AND EventCode<="640") OR EventCode="641" OR (EventCode>="647" AND EventCode<="668") OR (EventCode>="4726" AND EventCode<="4736") OR EventCode="4737" OR (EventCode>="4743" AND EventCode<="4763") OR EventCode="4764" OR (EventCode>="4782" AND EventCode<="4793") I also tried this search to no avail: sourcetype=wineventlog source="WinEventLog:Security" host="xxxx*" EventCode=4625,4624 When I used the second code without the (,4624) it will populate events with 4625 but I have not figured out how to make it pull more than one Event Code properly. It doesn't populate any errors or text failures. It simply presents "no results found. Try expanding the time range" which I went from 15 mins up to YTD. Does Anyone have a Windows Event Search command bank they could share or tell me what to read/explain how to correct my line of code? Thanks! P.S. the (host=XXXX*) is used as a place holder for my organizations host name

Log Lines are as given below Reports obtained. MyId=NameOne, sId=s0, Reports=true, LogString= url=status.com, Type=base, Available=true, Tag=112434, Token=2356 url=status2.com, Type=error, Available=false, Tag=12345, Token=23567 Reports obtained. MyId=NameTwo, sId=s1, Reports=true, LogString= url=status3.com, Type=base, Available=true, Tag=12345876, Token=2356  I want to create a table as below MyId  sId Reports url Type Available Tag Token NameOne  s0 true status.com base true 112434 2356 NameOne  s0 true status2.com error false 12345 23567 NameTwo  s1 true status3.com base true 12345876 2356