Hi,  I have a dashboard that I have to create on Dashboard Studio, but I also have to use a dropdown input that gets its values from a lookup. So far I didn't find any way to create the input based on " | inputlookup <lookup_name>" search results. Can someone assist with that? Thanks in advance.

Hello Splunkers ,   I am trying to figure out what is the best approach or steps to migrate all the knowledge objects(searches, dashboards , fields alias etc) and apps from one search head cluster to another search head cluster.   What would be the steps to perform and things to do in order to move them.   Thanks in advance 

I've got a handful of files that seem to be ingested multiple times, though can't quite figure out why. File is a tomcat log and name is in the format hostname-stderr-dd-mm-yyyy.log, and does not roll. Around once a day, but sometimes every other day or twice a day the file will be re-ingested with splunkd.log entry indicating :       02-23-2022 08:43:33.602 -0500 INFO WatchedFile [10484 tailreader0] - Checksum for seekptr didn't match, will re-read entire file='C:\Tomcat.....       I've set crcSalt=<SOURCE> and played with initCrcLength to no avail and everything in Answers referencing these splunkd entries that I've found indicates to change the crcSalt or initCrcLength settings, so I'm just trying to ensure I understand what exactly seekptr is referring to here. Please correct me if I'm mistaken but I think the 'seekptr' is the 'seekAddress' (making the checksum for it the 'seekCRC') referenced in the below doc page, so my assumption is that the seekAddress is found but the CRC has somehow changed, so Splunk assumes the file is different. The problem is, after looking at the file before/after this happens, I see no reason why this CRC would have changed, and any amount of toying with crcSalt or initCrcLength won't make a difference here as it isn't the 'init' bit that's changing. I've got a dashboard set up showing the same events repeated with the same timestamp but different ingest times correlating with the above splunkd.log entries. My only theory is that somehow Splunk indexed the file mid-write by the application if this is even possible? Other log files for this same application and location don't seem to do this and I've not been able to find any known bugs specific to Tomcat stderr files (though certainly possible our people are doing something weird with log config). Relevant inputs.conf stanza:       [monitor://C:\Tomcat-*\logs\*stderr*.log] index=app_logs sourcetype=stderr ignoreOlderThan=1d crcSalt=<SOURCE>       I've also manually put CHECK_METHOD=endpoint_md5 in props.conf in case somehow the check_method for stderr got changed from the default somewhere along the way, and I've also confirmed that this isn't happening when the file modified timestamp is updated. Next time I have some free time I plan to grab another copy of the file before/after and figure out a way to grab the seekptr and associated crc and compare them myself based on debug logs. ref: https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/Howlogfilerotationishandled

Hi,    I would like to create a dashboard to display uptime. I have a CSV file where we have time field (15 mins bin) start at 00:00:00 to 23:45.. there is a value field had sum up to calculate outage time. how do we calculate uptime from outage time.

I have a small environment.  I have 3 users that are allowed to login to a particular server.  If I search: index=<index name>  user=<username>  OR user=<username> OR user=<username> I find all instances of them logging in.  How can I find users that are not equal to those 3 users?  I want to set up an alert that will let me know when someone other than those 3 are trying to log in.

I am trying to setup our Splunk architecture to be able to receive events from clients/workstations outside our local network. The simplest solution is just making the main indexer externally accessible, but we don't want to do that. Is there a way to setup a Heavy Forwarder like a proxy to receive events from external clients and then send them to the main indexer? I haven't been able to find anything related to this when I try to research. Thanks.

Hi, i am trying to force user to use en-US as locale even if they try to use any other. If they try to replace en-US in url to any other locale, it will redirect back to en-US. Are there any ways to solve my problem ?

Hi all, I'm trying to set up the Splunk Ad-On for Microsoft O365  https://docs.splunk.com/Documentation/AddOns/released/MSO365/Configuretenant When adding a tenant I receive an error message: "ConnectionResetError 104" What could be the reason? What are all the required Azure URL's that need to be connected by the add-on?  Thank you in advance

Hi I'm trying to group items by a specific field, and get all the values returned (i.e. without aggregation). I have the following: I'm trying to convert that to: I have tried      | chart values(value) by field | transpose header_field=field     However the values(value) only selects unique values - I'm looking for all values.