I know this question has been asked a lot before, and I've tried implementing the answers, but I must be doing something wrong because it is not working for me. I have a graph with rooms on the x-axis and count on the y-axis. Each room could be in any of 6 buildings in the data set. I want to color the bars based on the building that the room is in.

This is my search:

index="example" Point_Name=Count
| $v_hours$
| where isnum(value)
| stats max(value) as PeakCount by Building, Room
| eval building=case(Building=="Building1", "B1")
| sort -PeakCount
| rename PeakCount as Count
| head 10
| table Room, Count

This is my XML:

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.seriesColors">{"B1":0xFF0000}</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="height">462</option>

If I table building, count then B1 is labeled on the x-axis under the correct bar, but the color still does not change. What am I missing?
Hi, I would like to create a chart of the error rate over time. I have data that shows status=DOWNLOAD_COMPLETE and status=FAILED. I can calculate this for a point in time with the search below, but can anyone help me get the error rate over time?

logType=error OR logType=service context=retrieve status=DOWNLOAD_COMPLETE OR status=FAILED
| stats count(correlationId) as total_count by status
| transpose header_field=status
| eval errorRate=FAILED/(FAILED+DOWNLOAD_COMPLETE)*100
| table DOWNLOAD_COMPLETE, FAILED, errorRate
Hello, does anyone have any idea why this keeps occurring? It happens to me about every 10 minutes. The session timeout is set to 60 minutes. We use SAML with Okta for authentication. I asked the Okta personnel and they said they have a 2-hour session timeout.

Any help is greatly appreciated!

V/r,
mello920
So, I am trying to use a lookup table spammer.csv to filter results out of my search, but I can't get the filtering logic down to make it work completely. The table:

A1Sender,A1Sender_domain,A2Sender,A2Sender_domain,Recipient{}
fred@flintstone.com,,tinker@sbuggy.com,,
,*@bbunny.com,mmouse@wd.com,,
,*@wd.com,,*@bbunny.com,
,,,,myemail@me.com

I can get this to work:

{my search}
| search NOT [ | inputlookup spammer.csv | fields A1Sender, A2Sender]
| table _time, A1Sender, A2Sender

How do I code something like this?

{my search}
| search NOT [ | inputlookup spammer.csv | fields A1Sender, A2Sender | fields A1Sender_domain, A2Sender | fields A1Sender_domain, A2Sender_domain | fields Recipient{}]
| table _time, A1Sender, A2Sender
Hi, I would like to know if it is possible to use bin with a span on now(), like with _time:

bin _time span=1h

Thanks
|>TYPE|2022-04-25 18:38:40|2d7e908bo82cb8|1725357403659|HERE|TYPE/272|1,856|1.2.0|ABC|351c481f2de|NONE<|
|>TYPE|2022-04-25 18:38:19|8e61ty7ebd2c25|1725357403659|THERE|TYPE/272||1.2.0|ABCD|4552aa7f9ebd704a91c8|{authType}|{ "message": { "number": "1856345" }, "transaction": { "sample1": "value1", "sample2": "value2" }}<|<|

I am looking to collect data from both of the above messages and correlate between the two. I am looking for the numbers 272 and 1,856 from HERE, and for sample1 and sample2 from THERE. Both HERE and THERE will have 272 in common, and that is the only common value. Build a table between those two with sample1, sample2, 1,856.
Hello Splunkers, how can I rename all of OrderNumber1, OrderNumber2, OrderNumber3 as OrderNumber, and Country1, Country2, Country4 as Country? I have attached the screenshot also.

Appreciated in advance.
Hello there, for context, I get some remote logs from different sources on my universal forwarder, and I'm trying to index logs from the same source with the same index, but the thing is, I don't know how to do that. I tried to follow Create custom indexes - Splunk Documentation, but even trying to index everything that comes from my universal forwarder using this:

[tcp://<ip_addr_forwarder>]
index=<name_of_index>

Can someone help please?

Best regards,
Is there a way we can search for a "," to find multi-locale or multi-country entries, basically instead of the underlined values below?

index=personmetrics logtype=personactivity wrk_grp="Ret,Ce" locale="en-US,en-GB"

1. How do we write this?

index=ccpmetrics logtype=ccpactivity (wrk_grp LIKE "," OR locale LIKE ",")
| table personname,wrk_grp,locale

2. Bonus point: and then find the stats of personname and the corresponding entries.
How do I extract all fields from userData?

accept=application/json, timestamp=1651243086870} OutboundWebHookPayload={"clientType":"Client","mediaType":"ask","subject":"EscapeClient","userData":{"country":"UK","lastName":"ELMER","agentId":"7060856","conversationId":"conv_1d55ec01e970c8833e8b8206be287fce","sessionId":"itc_58f7ad65-fcb0-46bd-81-1717f84dd7","chatSessionId":"s_eaf99b35-59fd-4d36-8f8f-c6423f8ec610","locale":"en-GB","languageCode":"en","experience":"Default","publicGuid":"1d55ec01e970c8833e8b8206be287fce","accountNumber":"XXXXXXXXXXXXXXX","firstName":"LUKE","environment":"prod","intentCode":"statement_balance","upfrontRoutingIntent":"CardServices","InteractionType":"Resume","customerId":"508558871407","channelName":"MApp","ProductType":" Card"}}

I tried:

userData
| rex field=_raw "userData.:{.IACode.:.(?<IACode>[A-Za-f0-9]+).,.country.*upfrontRoutingIntent.:.(?<upfrontRoutingIntent>[^\"]+).,"
| table IACode upfrontRoutingIntent

But I need other fields like experience and ProductType as well.
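Pulling fields out of a JSON blob embedded in a key=value log line is a recurring forensic chore, and a regex that uses dots in place of quotes and assumes a fixed field order silently stops matching when the producer reorders, escapes or nests fields. The example below is added here and is not the poster's code or Splunk's: it locates the key (`"userData":` or `OutboundWebHookPayload=`) and hands the rest of the line to `json.JSONDecoder.raw_decode`, which parses exactly one JSON value and stops, so trailing text and nested objects are handled correctly. The sample line is a shortened, constructed version of the event quoted above.

```python
import json
import re

# Constructed sample modelled on the event quoted above (shortened, not the poster's real data).
SAMPLE_EVENT = (
    'accept=application/json, timestamp=1651243086870} '
    'OutboundWebHookPayload={"clientType":"Client","mediaType":"ask","subject":"EscapeClient",'
    '"userData":{"country":"UK","lastName":"ELMER","agentId":"7060856",'
    '"locale":"en-GB","experience":"Default","intentCode":"statement_balance",'
    '"upfrontRoutingIntent":"CardServices","ProductType":" Card"}}'
)

_DECODER = json.JSONDecoder()


def extract_json_object(raw: str, key: str) -> dict:
    """Return the JSON object that follows `"key":` or `key=` in a raw log line.

    The value is parsed with json.JSONDecoder.raw_decode from the position
    where the object starts, so nested braces, escaped quotes and any field
    order are handled by a real JSON parser. Anything after the object
    (trailing text, a second object) is ignored. Raises ValueError if the key
    is absent or its value is not an object.
    """
    pattern = r'(?:"%s"\s*:|\b%s=)\s*' % (re.escape(key), re.escape(key))
    marker = re.search(pattern, raw)
    if marker is None:
        raise ValueError(f"key {key!r} not found")
    try:
        value, _end = _DECODER.raw_decode(raw, marker.end())
    except json.JSONDecodeError as exc:
        raise ValueError(f"value of {key!r} is not valid JSON: {exc}") from exc
    if not isinstance(value, dict):
        raise ValueError(f"value of {key!r} is not a JSON object")
    return value


def user_data_fields(raw: str, wanted=None) -> dict:
    """All userData fields, or only the requested ones (missing ones come back as None)."""
    data = extract_json_object(raw, "userData")
    if wanted is None:
        return data
    return {name: data.get(name) for name in wanted}
```

`user_data_fields(line)` returns every key under userData; `user_data_fields(line, ["experience", "ProductType"])` returns just those two, with `None` for a name the event does not carry (so a missing field is visible rather than silently dropped, which is the behaviour you want when the extraction feeds a detection).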
Hello, I'm having trouble creating a dashboard panel that can list values inserted by other users. The panel has an input field where users will put specific IP addresses that must be added to this "list". The only solution I came up with is a lookup file that is updated with a new row every time a user adds a value as input. I have tried this query that I saw on https://blog.avotrix.com/how-to-add-new-fields-in-existing-lookup-file/:

| inputlookup ip_sospetti append=true
| append [| stats count | eval IP="$added_ip_token$" | table IP]
| outputlookup ip_sospetti.csv

This search adds just one value to the lookup file, and when a new input is added it overwrites the last value inserted. Do you guys have a better solution, or maybe an idea to make this query work? Thanks a lot.
Hi all, I would like to configure the Splunk On-Call Slack add-on, but when an admin wanted to approve the integration, it requested the following permissions:

11 permissions and scopes required

On behalf of the app:
- View messages and other content in public channels that VictorOps has been added to (channels:history)
- View messages and other content in private channels that VictorOps has been added to (groups:history)
- Add shortcuts and/or slash commands that people can use (commands)
- View the name, email domain and icon for workspaces VictorOps is connected to (team:read)
- Send messages as @victorops (chat:write)
- Send messages as @victorops with a customised username and avatar (chat:write.customize)

On behalf of the user:
- View information about a user's identity (identify)
- View basic information about public channels in a workspace (channels:read)
- View basic information about a user's private channels (groups:read)
- Manage a user's public channels and create new ones on a user's behalf (channels:write)
- Manage a user's private channels and create new ones on a user's behalf (groups:write)

All actions on a request will affect the entire workspace.

Question 1: Just doing due diligence here, does the last permission, "Manage a user's private channels", give it the ability to read messages in other private channels on the workspace? Reading the knowledge base, it states: "Note: The scope of private channels is limited to the channels that the person who integrates Splunk On-Call to Slack has access to. If you would like all private channels to be mapped to Splunk On-Call, we recommend creating a "Service Account" that has access to all private channels for this use."

Question 2: Does this mean the app would by default have access to all channels the admin user who approves the integration has access to? Or would they approve it per channel?
Hi! I wonder how to correct the following behaviour. Here's my architecture:

- 1 DNS entry point load balancing between 2 forwarders on port 8088 for the HTTP Event Collector (HEC).
- Behind that, 1 indexer (single instance).
- Indexer acknowledgement activated for one collection series (one index with one sourcetype).

When sending an event, an ackId is answered back, to check whether the event was correctly received by the indexer.

Problem: 2 different events can have the same ackId! I suppose it is because of the load balancing, and each ackId list is linked to one forwarder. As the query is balanced, I cannot know whether I will be answered by fw1 or fw2.

Event1 is processed by fw1 with ackId = 7
Event2 is processed by fw2 with ackId = 7 (also!)

When asking for the indexing ack status of ackId 7, my query can be processed by fw1 or fw2, but the answer cannot be meaningful because I don't know which event I'm asking about.

How do we get around this behaviour? Does this mean I can't load balance the entry point in front of the forwarders? In that case, how am I supposed to provide high availability of the service?

Thank you a lot in advance for your insights

Ema
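The collision the post describes is real: HEC hands out ackIds per forwarder and per `X-Splunk-Request-Channel`, starting at 0 on each, so two forwarders behind one DNS name both issue ackId 0, 1, 2, ... and a status query that lands on the wrong one answers about a different event. One way to keep delivery confirmation meaningful while still using both forwarders is for the sender to do the balancing itself: pick a forwarder per event, remember which (forwarder, channel) issued each ackId, and send the `/services/collector/ack` query only to that forwarder. The client below is an added example, not the poster's code and not a Splunk SDK; it assumes each forwarder is reachable directly by its own URL (the hostnames and the token placeholder are hypothetical) and uses an injected transport so it runs offline against a constructed in-memory forwarder that numbers ackIds the way HEC does.

```python
import itertools
import uuid
from typing import Callable, Dict, List, Tuple

# A transport takes (forwarder_base_url, path, headers, json_body) and returns the
# decoded JSON response. In production this would wrap an HTTPS client; here it is
# injected so the example can run against the fake forwarders defined below.
Transport = Callable[[str, str, Dict[str, str], dict], dict]


class HecAckClient:
    """HEC client whose ackIds stay meaningful behind a load balancer.

    ackIds are scoped to (forwarder, channel), so this client never sends to the
    shared DNS name. It spreads events across the forwarders itself (round robin),
    records which forwarder and channel issued each ackId, and directs every
    /services/collector/ack query to that same forwarder.
    Assumption: each forwarder URL is reachable directly.
    """

    def __init__(self, forwarders: List[str], token: str, transport: Transport):
        if not forwarders:
            raise ValueError("need at least one forwarder URL")
        self.forwarders = list(forwarders)
        self.token = token
        self.transport = transport
        self._next_fw = itertools.cycle(self.forwarders)
        # One channel per forwarder; HEC requires a channel when acks are enabled.
        self.channels: Dict[str, str] = {fw: str(uuid.uuid4()) for fw in self.forwarders}
        # (forwarder, channel, ackId) -> event still waiting for the indexer ack.
        self.pending: Dict[Tuple[str, str, int], dict] = {}

    def _headers(self, fw: str) -> Dict[str, str]:
        return {"Authorization": f"Splunk {self.token}",
                "X-Splunk-Request-Channel": self.channels[fw]}

    def send(self, event: dict) -> Tuple[str, int]:
        """POST one event; return (forwarder, ackId) so the caller can track it."""
        fw = next(self._next_fw)
        resp = self.transport(fw, "/services/collector", self._headers(fw), {"event": event})
        if resp.get("code") != 0:
            raise RuntimeError(f"HEC send to {fw} failed: {resp}")
        ack_id = int(resp["ackId"])
        self.pending[(fw, self.channels[fw], ack_id)] = event
        return fw, ack_id

    def poll_acks(self) -> Dict[Tuple[str, int], bool]:
        """Ask each forwarder only about the ackIds it issued; drop acknowledged ones."""
        status: Dict[Tuple[str, int], bool] = {}
        for fw in self.forwarders:
            ids = [aid for (f, _ch, aid) in self.pending if f == fw]
            if not ids:
                continue
            resp = self.transport(fw, "/services/collector/ack", self._headers(fw), {"acks": ids})
            acked = resp.get("acks", {})
            for aid in ids:
                done = bool(acked.get(str(aid), False))
                status[(fw, aid)] = done
                if done:
                    del self.pending[(fw, self.channels[fw], aid)]
        return status


class FakeForwarder:
    """Constructed stand-in for one HEC endpoint with indexer acknowledgement on.

    Like HEC it numbers ackIds from 0 per channel and reports an ackId as True
    only once the event has been marked as indexed.
    """

    def __init__(self) -> None:
        self._next_id: Dict[str, int] = {}
        self.indexed: Dict[Tuple[str, int], bool] = {}

    def handle(self, path: str, headers: Dict[str, str], body: dict) -> dict:
        channel = headers.get("X-Splunk-Request-Channel")
        if channel is None:
            return {"text": "Data channel is missing", "code": 10}
        if path == "/services/collector":
            aid = self._next_id.get(channel, 0)
            self._next_id[channel] = aid + 1
            self.indexed[(channel, aid)] = False
            return {"text": "Success", "code": 0, "ackId": aid}
        if path == "/services/collector/ack":
            return {"acks": {str(a): self.indexed.get((channel, a), False) for a in body["acks"]}}
        raise ValueError(f"unexpected path {path}")

    def mark_indexed(self, channel: str, aid: int) -> None:
        self.indexed[(channel, aid)] = True


def build_demo() -> Tuple[HecAckClient, Dict[str, FakeForwarder]]:
    """Two fake forwarders under hypothetical hostnames, with a client routing acks itself."""
    forwarders = {"https://fw1.example:8088": FakeForwarder(),
                  "https://fw2.example:8088": FakeForwarder()}

    def transport(base_url: str, path: str, headers: Dict[str, str], body: dict) -> dict:
        return forwarders[base_url].handle(path, headers, body)

    return HecAckClient(list(forwarders), "REPLACE-WITH-HEC-TOKEN", transport), forwarders
```

Sending two events yields ackId 0 from both forwarders, exactly the collision in the post, yet `poll_acks()` reports them separately because the query for each goes to the forwarder that issued it. The trade-off is that the sender, not the DNS balancer, now decides failover: if a forwarder is unreachable the client has to retry the event on another one, and the pending entry for the dead forwarder can never be confirmed and must be resent.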
Hi everyone, can someone please advise me on how to set up Kubernetes for Splunk? I want to use the Splunk add-on below: https://splunkbase.splunk.com/app/3991/#/details

Please.
I am trying to remove a warning from my dashboard, because 'Advanced XML isn't supported and it has to be replaced with Simple XML'. I am stuck at this code, where the error says:

Unknown Option name = 'displayRowNumbers' for node 'table'
Unknown Option name = 'linkFields' for node 'table'
Unknown Option name = 'linkView' for node 'table'

The code is:

<title>Base search</title>
<option name="count">10</option>
<option name="displayRowNumbers">false</option>
<option name="linkFields">result</option>
<option name="linkView">flashtimeline</option>

Any suggestion what to replace my code with?
Regex for:

From: FA.south dam.australia-mb.ccjbh

Need to get only: ccjbh
I'm trying to calculate the milliseconds between two events with the same transactionId, and then show it in a timechart. Here is my current query:

"My event 1"
| stats latest(_time) as time_login by transactionId
| join transactionId [search "My event 2" | stats latest(_time) as time_finish by transactionId]
| eval difference=time_finish-time_login

This query works really slowly, and half of the time it does not work, but if I try to add this to the end of the query

| timechart avg(difference)
I've recently installed Splunk_TA_nix and started using the "ps" script. The data is ingested into my ES. However, it is not translated into the CIM Endpoint.Processes object, because it lacks the "report" tag. I know I can add it by crafting my own tags.conf file. However, most of the default configurations in Splunk are configured as they are for some reason. So, what is the reason not to have the "report" tag for Linux scripted sourcetypes? Below is the relevant part of tags.conf for the ps eventtype stanza:

[eventtype=ps]
performance = enabled
cpu = enabled
success = enabled
ps = enabled
oshost = enabled
process = enabled
Hi All, I have a number of events with an error string in the event. I need to fetch all the events with the error string except the Hibernate errors:

"ERROR org.hibernate.engine.jdbc.spi.SqlExceptionHelper - ORA-00001: unique constraint"

I am not sure about the logs with other errors. As there are multiple logs with the Hibernate error, I can't fetch them. I need to extract all the other logs with the error keyword in the event. Can anyone please help me with this? Thanks in advance.
Hi, is it possible to round the current time up to the quarter hour (the next quarter)? For example, if it's 9:56 I would like to display 10:00, and for 11:42 I would like to display 11:45. Thanks
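Three of the questions on this page (the error rate over time, `bin` with a span on now(), and rounding up to the quarter hour) are the same operation: snap a timestamp to a span-sized bucket, then aggregate per bucket. The example below is added here and is not any poster's code or Splunk's; it shows the floor and ceiling forms of the bucketing and a per-bucket FAILED/(FAILED+DOWNLOAD_COMPLETE) rate over constructed sample events. The one edge case worth getting right is a bucket with no events at all: it must not divide by zero, and it must not be reported as 0 % errors, because a feed that went silent looks very different from a feed that is healthy. The timestamps and statuses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def bin_floor(ts: datetime, span: timedelta) -> datetime:
    """Start of the span-sized bucket containing ts (the `bin _time span=1h` idea).

    Works on any timezone-aware datetime, so it applies to now() as well as to
    event times. Buckets are aligned to the Unix epoch.
    """
    if ts.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    span_s = int(span.total_seconds())
    if span_s <= 0:
        raise ValueError("span must be positive")
    secs = int((ts - EPOCH).total_seconds())
    return EPOCH + timedelta(seconds=secs - secs % span_s)


def bin_ceil(ts: datetime, span: timedelta) -> datetime:
    """Round ts up to the next bucket boundary; a time already on a boundary is unchanged."""
    floored = bin_floor(ts, span)
    return floored if floored == ts else floored + span


def error_rate_over_time(
    events: Iterable[Tuple[datetime, str]], span: timedelta
) -> Dict[datetime, Tuple[int, int, Optional[float]]]:
    """Per bucket: (DOWNLOAD_COMPLETE count, FAILED count, FAILED percentage or None).

    Buckets between the first and last counted event are filled in, so an empty
    span appears as (0, 0, None) instead of vanishing or reading as 0 % errors.
    Statuses other than the two of interest are ignored.
    """
    counts: Dict[datetime, list] = defaultdict(lambda: [0, 0])
    for ts, status in events:
        if status == "DOWNLOAD_COMPLETE":
            counts[bin_floor(ts, span)][0] += 1
        elif status == "FAILED":
            counts[bin_floor(ts, span)][1] += 1
    if not counts:
        return {}
    result: Dict[datetime, Tuple[int, int, Optional[float]]] = {}
    bucket, last = min(counts), max(counts)
    while bucket <= last:
        ok, failed = counts.get(bucket, (0, 0))  # .get does not create a default entry
        total = ok + failed
        result[bucket] = (ok, failed, round(100.0 * failed / total, 2) if total else None)
        bucket += span
    return result


# Constructed sample events: the two statuses named in the question plus one unrelated status.
T0 = datetime(2022, 4, 29, 14, 5, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (T0, "DOWNLOAD_COMPLETE"),
    (T0 + timedelta(minutes=10), "FAILED"),
    (T0 + timedelta(minutes=20), "DOWNLOAD_COMPLETE"),
    (T0 + timedelta(minutes=30), "DOWNLOAD_COMPLETE"),  # 14:00 bucket: 3 complete, 1 failed
    (T0 + timedelta(hours=2), "FAILED"),                # 16:00 bucket: 0 complete, 1 failed
    (T0 + timedelta(hours=2, minutes=3), "RETRYING"),   # neither status: ignored
]
```

`bin_ceil(now, timedelta(minutes=15))` gives the "next quarter" display time asked for above, `bin_floor` is the `bin _time span=...` equivalent and works on the current time as readily as on event times, and `error_rate_over_time(SAMPLE_EVENTS, timedelta(hours=1))` returns one row per hour from 14:00 to 16:00, with the empty 15:00 hour present but unrated.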