I have a dashboard with cascading dropdowns which when a value selected in first dropdown populates the second dropdown with values based on the selection made. For example the first dropdown has values A, B, and C. When A is selected from the first dropdown, the second dropdown should display A1, A2, and A3. Similarly should display B1, B2, B3 and C1, C2, C3 respectively. My dashboard is populating the dropdown correctly. I am unsetting the second dropdown tokens when the first dropdown changes, to make sure the second dropdown do not contain previous token value. But this is causing me an issue while page reload. When the page is refreshed, the second dropdown token gets unset like shown below. Before refresh After refresh If I do not unset the second dropdown tokens when the first dropdown changes, the second drop down shows the previous selected token as shown below. My xml looks like this   <form> <label>Dependent Drilldown</label> <fieldset submitButton="false"> <input type="dropdown" token="tokElement" searchWhenChanged="true"> <label>Element</label> <choice value="A">A</choice> <choice value="B">B</choice> <choice value="C">C</choice> <change> <unset token="tokSubElement"></unset> <unset token="form.tokSubElement"></unset> </change> </input> <input type="dropdown" token="tokSubElement" searchWhenChanged="true"> <label>Sub Element</label> <fieldForLabel>$tokElement$</fieldForLabel> <fieldForValue>$tokElement$</fieldForValue> <search> <query>| makeresults | fields - _time | eval A="A1,A2,A3",B="B1,B2,B3",C="C1,C2,C3" | fields $tokElement$ | makemv $tokElement$ delim="," | mvexpand $tokElement$</query> </search> </input> </fieldset> </form>   I would like my second dropdown tokens to be unset when first dropdown value changes and also maintain those tokens on page refresh. Let me know if you have any thoughts.

I have a bar chart with a few categories as displayed in the below image which when clicked, drills down into its own table. I would like to highlight the clicked bar so that it is known which bar graph is drilled down. I am expecting it to look something similar to the below image.  

I am importing in splunk many tables of data of 500 to 10000 events each and I need to use them to enrich events with scheduled searches. At the moment I import these tables using a modular input and dumping them into an index, I then join my saved searches results with the latest data from this index. The tables are imported once a day to update if something changed (they usually are mostly unchanged).     index=my_events | join type=left common_field [ search index=imported_data source=src earliest=-24h stats latest(*) as * ]     I know join is bad for performance and was wondering if importing the data in a KVStore and setting up an automatic lookup for the index with the data I want to enrich would be a better solution. in this case i would overwrite the KVStore once a day with the new data. Other solutions are welcome, these are the ones I came up with. Thanks.

Hey, I am trying to sum values based on type. I have a column of numbers and multivalues. I want to sum all the multivalues together and display the sum of all multivalues. How can I achieve this? Please refer to the diagram below: As you can see there are two column. One column displays the numbers and the other column displays the type of each cell. I want to get the sum of cell that have a multivalue type.

Hi, after an upgrade from 7.3 (to 8.1.0 and then) to 8.2.5, there are some errors on splunkd.log. SH1:  ERROR DistHealthFetcher [115123 DistHealthReporter] - failed to execute health transaction to instance at uri=https://<my_uri>:8089, error=Non-200 status_code=401, uri=https://<my_uri>:8089/services/server/health/splunkd/local, status_description="Unauthorized". SH2 and SH3: ERROR DigestProcessor [107884 TcpChannelThread] - Failed signature match ERROR LMHttpUtil [107884 TcpChannelThread] - Failed to verify HMAC signature, uri: /services/server/health/splunkd/local?output_mode=json  Besides, if I try to push some apps' configurations, it doesn't work. The environment consists of a Deployment Server/Cluster Master (same instance), 3 Search Heads and 2 Indexers. All the files in server.conf in the DS/CM and SHs have the same pass4SymmKey:       [clustering] master_uri = <my_master_uri> pass4SymmKey = <my_crypted_pass>         Does anyone have an idea about what's wrong? Thanks in advance

Hi Its my first week in the job and I am finding creating alerts is not the issue but how to create useful alerts is more of what I am looking for. We turned on in the User Case Library - Access - Short-lived Account Detected  in user cases and its causing way to many alerts. I wanted to narrow the field down to just admin accounts instead of the whole company. Anybody got ideas on how to do this? Or point me the an article I where I can edit these types of searches? In the correlation search I have got: | tstats `summariesonly` count from datamodel=Change.All_Changes where nodename="All_Changes.Account_Management" (All_Changes.action="created" OR All_Changes.action="deleted") by _time,All_Changes.dest,All_Changes.user span=1s | `drop_dm_object_name("All_Changes")` | streamstats range(_time) as delta,sum(count) as count by user,dest window=2 global=f | where count>1 AND delta<`useraccount_minimal_lifetime` | `uptime2string(delta,timestr)` | table user, dest, delta, timestr `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | eval short_lived=case((duration<30),"TRUE") | search short_lived = TRUE | table _time, ComputerName, Account_Name, Command, Task_Name, short_lived | `short_lived_scheduled_task_filter`

I want to filter eventcode 4624 and user_type=computer using transforms and props.conf Transforms.conf [setnule] REGEX = \<EventID\>4624\<\/EventID\>.+\<Data\s+Name='WorkStationName'> DEST_KEY = queue FORMAT = nullQueue props.conf [XmlWinEventLog] TRANSFORMS-set=setnule

We have installed following two apps in our splunk environment to get data into our splunk enterprise environment   1) GitHub App for Splunk [https://splunkbase.splunk.com/app/5596/] 2) GitHub Audit Log Monitoring Add-On for Splunk[https://splunkbase.splunk.com/app/5595/]   We have configured both webhook and access token based ingestion setup to get logs into splunk but we are getting following errors and not able to see the data in dashboard    05-11-2022 20:59:00.164 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" RuntimeError: Could not fetch audit log data. Please check your configuration, access token scope / correctness and API rate limits. status_code: 404 - url: https://github.dowjones.net/api/graphql/enterprises/enterprise-name/audit-log?phrase=&include=all&after=&before=&order=asc&per_page=100 - Response: {"message":"Not Found","documentation_url":"https://docs.github.com/enterprise/3.3/graphql"} host = xxxxxxxxs.netlog_level = ERRORsource = /opt/splunk/var/log/splunk/splunkd.logsourcetype = splunkd 5/11/22 8:59:00.164 PM 05-11-2022 20:59:00.164 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/github-audit-log-monitoring-add-on-for-splunk/bin/ghe_audit_log_monitoring.py" response.status_code, response.url, response.text host = **************   any troubleshooting steps would be helpful   

Hi Splunkers, I have a dashboard done in Splunk Dashboard Studio (cannot be done in simple XML) and I'm struggling to find a way how to hide "Edit" button and Splunk Bar in there. In the previous solution it was easy, just to paste the following in the source of the dashboard: hideSplunkBar="true" hideEdit="true" I tried to add it in json format in various portions of the code, but with no success. Any ideas? Is this even doable? 

Hello,  I need to setup an alert that triggers if I got an event on an specific timeshift. The reason is that  in my company there are employees which connects to an AWS Workspace and when they log in out of their shift Security department needs to be updated.  This is the main search request: (index=aws_description sourcetype="aws:cloudwatchlogs") ( NOT eni ) actionType"successfulLogin" and I'm not pretty sure how to place it into a time range and get a triger when I get an event from 19:00 PM until 06:00 AM So far the alert runs on Cron Schedule in a time range "last 5 mins" and a Cron expression 0/5 **** in order to check every 5 minuts, but it will get me all the time range and I only need the metioned below. Any Idea? Thank you, Iván

Hi All,   We have now fine tuning our environment  for that purpose we need your favor. We want to check few parameters for every dashboard ,report and alert which is mentioned in the below screenshot . We request you ,could you provide the query which gives this required output as mentioned in the below.    

Hi Guys, We have an on prem server where the Software run and provide the API URL. I'm testing the API URL with the Splunk add-on builder with a custom app.  When I run the API rest url on my browser, I get the warning "you connection isn't private" ERR_CERT_AUTHORITY_INVALID pass that and I get prompt to login.  I login and I get the data just fine. BUT when I try to do it with the add-on builder I get the error:  File "/opt/splunk/lib/python3.7/ssl.py", line 1139, in do_handshake self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106) I pass the user and password on the inputs but I always get the same error. Anyone had this issue and know how to solve it? is it any path I could add the server certificate? Thanks  

Hi Team, Could you please help me with the below requirement? Java application which is enabled for monitoring in Appdynamics. Currently, only Business Transaction related to Web services are configured.  But java specific business transactions are not configured.  Customer requirement is  custom Business transactions for for java are to be configured. Kindly guide me how configure custom BTs for Java. Thanks in advance Thanks&Regards Srinivas

Hi Team, Could you please help me with the below requirement? (I am new to appdynamics) I have to configure health rule for a Business Transaction when the volume (calls per minute) is less than the baseline. I have configured  based on baseline.  But, alert is not being triggered even when there is a low volume of or call volume is below baseline.  Please find the attached screenshot of health rule configured and the chart showing the volume of calls (volume of calls is below baseline which should trigger an alert). Below is the expectation from the customer. " . I would prefer you to advise on an appropriate deviation to be configured to avoid too many false alarms. Ex.: is a deviation of 30% appropriate ? (=30% less call than usual)" Kindly help me to configure the health rule properly. Thanks&Regards Srinivas