hi I  use a "link to the search" drilldown from a table panel  When I have a look to my xml, I have a lot of special characters     <drilldown> <link target="_blank">search?q=%60index_mesuresc%60%20sourcetype%3D%22ez%3Acitrix%22&amp;earliest=&amp;latest=</link> </drilldown>      as far as I know, we can use cdata to correct this? so I dont know how to use cdata tag for not displaying characters I have tried this but it doesnt works     <drilldown> <link target="_blank"><![CDATA[search?q=%60index_mesuresc%60%20sourcetype%3D%22ez%3Acitrix%22&amp;earliest=&amp;latest=]]></link> </drilldown>     Could you help please?

As I wrote few times already I have in my care a relatively strange environment - a quite big installation with RF=1. Yes, I know I don't have data resilence and high availability - the customers knew it and accepted at the start of the project. But since we're approaching the upgrade and as I'm reading the upgrade instructions, some questions pop up. The normal procedure includes rolling upgrade of cluster member nodes. The rolling upgrade starts with splunk upgrade-init cluster-peers and ends with splunk upgrade-finalize cluster-peers (or proper calls to REST endpoints). Question is - what does those two commands really do and how it affects the RF=1 situation? As I asked before - it's pointless to put my cluster in maintenance mode and there is no bucket rebalancing after offline/online because there is nothing to rebalance. So do I have to bother with all this or can I simply take the indexers down one by one, upgrade and start them up again? Yes, I know I won't have full search capacity during the indexer's downtime - it's obvious that if the data is not there I can't search it and my searches would be incomplete. The customers knows it and we'll schedule a "partial downtime". What do you think?

Hi all, Does anyone know if it's possible to use Cyberark to rotate the Splunk SOAR admin account password? If it is, do you have any pointers to get this solution implemented? As always, any help is most gratefully received, Mark.

We would like to monitor Spring Boots HikariCP Connection Pool using AppDynamics. We saw an possibility in doing so using JMX MBeans, but can't get it to work. The MBean in JConsole looks as follows:  And the JMX Metric Rule looks as follows: Did I make mistake in the configuration? Is there another way to monitor the connection pool?

Hi, I have this search:     | spath | rename object.* as * | spath path=events{} output=events | stats by timestamp, events, application, event_type, account_id, context.display_name, | mvexpand events | eval _raw=events | kv | table timestamp, payload.rule_description, "context.display_name", account_id, "event_type", "application", "payload.rule_url" | rename account_id as "Account ID", timestamp as "Timestamp", context.display_name as "System", context.host_url as "Host URL", event_type as "Event Type", "title" as "Title", "application" as "Application", "payload.rule_url" as "URL"       I have a json with multiple `events,  inside this event  I have "payload.rule_description", but, some record, doesn't have this "payload.rule_description" object, so, I don't have the "payload.rule_description". How can I check if the record has the "payload.rule_description" if not, brings `event_type`  instead? Tried to use `eval title=if(payload.rule_description, payload.rule_description, event_type)`  doesn't work. Thanks

I am looking for “failed login for ADMIN detected” but because the time in Time is two years late it doesn’t alert. My log sample is: I also have _time 2020-02-23T23:02:20.000+01:00 My search so far is:   index=abc sourcetype=def "Failed login for ADMIN detected" | rex field=_raw "(?ms)(?=[^c]*(?:cs2=|c.*cs2=))^(?:[^=\\n]*=){5}(?P<DatabaseEventDate>[^ ]+)" | stats count by duser cs1 cs2 DatabaseEventDate   This gives me a new field with the correct time: DatabaseEventDate 23.02.2022,13:11:39   How can I correct the timestamp without changing the props file (since the basics of the search works for another use case)? Please help!! Thanks in advance

Hello All,    One of our indexes ( Name: okta ) has a searchable retention period of 90days as shown in the screenshot. Is there a way to pull data earlier than the 90 day mark ? We want to go back upto last 1 year.    If i change this value to 365 days will it me search thru the old data ( older than 90d ) ? OR is there something more that needs to be done.. ? Thanks in advance    

Nagios — Splunk Observability Cloud documentation Please assist as I not able to start OTEL service due to the error  "found unknown escape character". Below is the script and how to escape the character in the argument?  "LC_ALL=\"en_US.utf8\" C:\Program Files\NSClient++\check_nrpe -H pool.ntp.typhon.net"