Hi everyone, Just wanted to know how to show alert dynamically like we use  dashboard panel to search query for every drop-down option likewise is it possible to show how many alerts are occured with in that period  for that drop down option in dashboard panel? Please help me out with this thing.

We are currently using a Splunk Enterprise environment with one search head and one indexer. We enabled data model acceleration because the performance of the search became poor as we used the system. We are planning to increase the number of search heads by one in order to accommodate more users in the future. Will the data model acceleration enabled for the first search head automatically be enabled for the next search head? I do not believe that any additional configuration is necessary, especially since the .tsdix file is configured in the indexer, not in the search head. If there are any settings required to enable data model acceleration for additional search heads, please let me know.

hi I stats events like this But my distinct count is wrong because some events have the same site How to agregate Pb1, Pb2 and Pb3 separatively by site and to have the sum of the site please?     | stats count(eval(cit >= 40)) as Pb1, count(eval(cit2 >= 15)) as Pb2, count(eval(cit3 >= 20)) as Pb3 by site | eval Total=Pb1 + Pb2 + Pb3 | search Total > 10 | stats dc(site)        

Hi Splunkers, I'm performing some searches to monitor Windows user failure attempts. The failure itself is not a problem, I know the proper windows event code to monitor failures attempts; the focal point is that in every of this try I have to add a particular condition to check. Between these searches, two makes me some difficults: I have to monitor login failures performed by an expired account, while in another one I have to track attempts by disabled account. In my scenario, where I have the Windows addon installed on my environment, how can I track the 2 above scenarios?

In our enterprise, there is already another team which has setup Splunk Search Heads and Indexers in their own AWS account (say A). We are planning to index and store new data in our AWS account (say B). For our dashboards, we would like to pull in data indexed in Account A as well. So, trying to determine the best approach here 1. Is is possible to setup Search Heads in Account B and add indexers to it from account B and A as well ? 1.1. In such case, will existing setup in Account A get affected any way? Overall, is it possible to share indexers across multiple AWS accounts and still maintain its own Search Heads and dashboard UI ? As we are different teams, we would like to have independence in maintaining our dashboards/splunk enterprise instances and also not share indexed confidential data.  The documentation here lists command to edit indexer cluster config but not add a new search head from other aws account. So, it would be helpful to know if its possible to share indexes across aws accounts. https://docs.splunk.com/Documentation/Splunk/8.2.5/DistSearch/SHCandindexercluster  

hi In my dashboard, I use 2 similar searches in the first, I am doing a dc of  "s"     index=test earliest=@d+7h latest=@d+19h | search rtt >= 150 | stats count as Pb by s | search Pb >= 5 | stats dc(s)     the result is 12  in the second search, i use the same search but I need to gather events also by "s" and also _time     index=test type=* earliest=@d+7h latest=@d+19h | bin span=1h _time | search rtt >= 150 | stats count as Pb by s _time | search Pb >= 5 | timechart dc(s) as sam span=1h | where _time < now() | eval time = strftime(_time, "%H:%M") | stats sum(s) as nbs by time | rename time as Heure     the pb I have is that the results is not equal to 12 but to 6 Why I can retrieve the same resulst that in the first search please?