Hi Team,   Im looking to Integrate Splunk to tableau and able to do it successfully till Tableau Desktop but when I tried to publish the dashboard im getting error  [unixODBC][Driver Manager]Can't open lib 'Splunk ODBC Driver' : file not found Generic ODBC requires additional configuration. The driver and DSN (data source name) must be installed and configured to match the connection. Unable to connect to the server "Splunk ODBC Driver". Check that the server is running and that you have access privileges to the requested database. I reached out to the Tableau admin team and they are saying there are no supported ODBC drivers for Linux and this cant be done. anyone in this group has successfully integrated Splunk with tableau (All Linux) , let me know the process to overcome this error. Thanks    

We use Splunk Enterprise and would like to know if there a way if we can disable email alerts for multiple Splunk alerts. I dont want to manually disable each alert  during that window. Is there a curl command that I can run so that multiple alerts are disabled? Can I feed all the alerts in a .csv and a command which will pull the alert names and disable them all at once? @titleistfour ?  Referring to your thread: https://community.splunk.com/t5/Alerting/Is-there-an-easy-way-to-use-the-REST-API-to-disable-Splunk/m-p/183961#M3085   https://stackoverflow.com/questions/51799979/splunk-disabling-alerts-during-maintenance-window 

Binning/timecharting seems quite straightforward regarding time... unless you want to span day+ ranges. From experience I might say that if you bin or timechart with span of a day or more, the value of _time gets snapped to midnight in user's timezone. That's what experience shows. But the question is (because I can't find any) is there an official Splunk documentation stating that this is the designed behaviour?

I have data as follows:   time=1 msgid=1 event=new_msg time=2 msgid=1 delivery=1 event=start_delivery time=3 delivery=1 event=deferred_delivery time=4 msgid=1 delivery=2 event=start_delivery time=5 delivery=2 event=successful_delivery time=6 msgid=1 event=end_msg   What I would like to achieve is to group events together from "new_msg" to "end_msg", including all "*_delivery" events. I have tried to use    ... | transaction msgid delivery startswith="new_msg" endswith="end_msg"   The problem is that I never get all the events together in one transaction, but mostly the events from time=1,2,3. I also did some experiments with the "keepevicted", "keeporphans" and "connected" transaction parameters. Sometimes I also get the "final" events from time=4,5,6 as a separate transaction. What never worked out is to have a single transaction for all of those events. Note that there may be more than just two delivery attempts than in the example. My assumption is that "transaction" is unable to follow changing values in one of the provided fields, as it is the case with "delivery". I'd appreciate any help – thank you!

Hi, I have below panel on dashboard, however, bar chart is not displaying the colors as per range specified.     <row> <panel> <title>Usage Prediction (Month To Date)</title> <chart> <search> <query>index="license_summary"| table _time, Used, Quota| eval Consumption=round(Used , 2) |timechart span=1d latest(Consumption) as lConsumption | predict lConsumption period=7 | rangemap field=lConsumption green=0-50 yellow=50-100 blue=100-125 red=125-500</query> <earliest>@mon</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.fieldColors">{"green": 0x00FF00, "yellow": 0xFFFF00, "blue":0x0000FF, "red":0xFF0000}</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisLabelsY.majorUnit">25</option> <option name="charting.axisLabelsY2.majorUnit">25</option> <option name="charting.axisTitleX.text">Time</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.text">License Usage (GB)</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.text">Prediction</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.abbreviation">none</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.abbreviation">none</option> <option name="charting.axisY.maximumNumber">155</option> <option name="charting.axisY.minimumNumber">0</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.abbreviation">none</option> <option name="charting.axisY2.enabled">1</option> <option name="charting.axisY2.maximumNumber">155</option> <option name="charting.axisY2.minimumNumber">0</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">column</option> <option name="charting.chart.bubbleMaximumSize">50</option> <option name="charting.chart.bubbleMinimumSize">10</option> <option name="charting.chart.bubbleSizeBy">area</option> <option name="charting.chart.nullValueMode">gaps</option> <option name="charting.chart.overlayFields">Prediction</option> <option name="charting.chart.showDataLabels">all</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">none</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.legend.mode">standard</option> <option name="charting.legend.placement">none</option> <option name="charting.lineWidth">2</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> </chart> </panel> </row>     Can you suggest a fix.

Hi, I'm trying to use Splunk to monitor exception logs, Splunk will send me an email if there is an exception. I try to set Throttle for 6 hours to avoid getting too many emails. Most of the times 6 hours is fine but sometimes it’s  too long for us, I have to wait 6 hours for the alert come back.  Are there any options can turn the Alert back? Thanks  

Hi, I'm planning a new splunk architecture and was thinking about placing the syslog-ng on the same virtual machine as the Heavy Forwarder to read the files locally. How will a large data volume impact the performance or stability? What do i need to consider for memory and diskspace if i combine? When is this advised to seperate to a dedicated syslog-ng server? Will a dedicated syslog-ng server allow for more syslog traffic? Would it be beneficial to install a Universal Forwarder on the HF for local file reading? Is it more advised for better data buffering? Thank you, Jay

Hi All, For Windows Service Monitoring extension by AppD. Few of the services metrics are fluctuating every couple of minutes, even though services are running fine on the server.  monitor.xml monitor.xml is attached. Please help us if you have any suggestions to solve this issue. Thanks & Regards, Maktumhusen

Hi,  using logs i am generating some stats that are needed to track the performance of my app on daily basis using the below query.  search ...| rex "elapsedTime=(?<ElapsedTime>.*?),\s*MLTime" | rex "X\-ml\-timestamp\: (?<TimeStamp>.*?)\s*\n*X-ml-maxrows" | rex "X\-ml\-size\: (?<size>.*?)\s*\n*X-ml-page" | rex "X\-ml\-page\: (?<page>.*?)\s*\n*X-ml-count"  | rex "X\-ml\-elapsed\-time\: (?<MLelapsed>.*?)\s*\n*X-ml-timestamp" | stats max(size) AS Page_Size max(_time) AS End_Time min(_time) AS Start_Time max(page) as Pages count(page) AS Total_Pages max(ElapsedTime) AS Max_ElapsedTime min(ElapsedTime) AS Min_ElapsedTime avg(ElapsedTime) AS Avg_ElapsedTime max(MLelapsed) AS Max_MLElapsedTime min(MLelapsed) AS Min_MLElapsedTime avg(MLelapsed) AS Avg_MLElapsedTime | eval CASS_Date=strftime(Start_Time, "%Y-%m-%d") | eval CASS_Duration= (End_Time-Start_Time)/60 | eval End_Time=strftime(End_Time, "%Y/%m/%d %T.%3Q") | eval Start_Time=strftime(Start_Time, "%Y/%m/%d %T.%3Q") | table CASS_Date Start_Time End_Time CASS_Duration Page_Size Pages Total_Pages Max_ElapsedTime Min_ElapsedTime Avg_ElapsedTime Max_MLElapsedTime Min_MLElapsedTime Avg_MLElapsedTime can someone please help me to perform the same above for multiple days with single query instead of i manually collecting these stats on daily basis

Hi all, I am passing some data in JSON format to Splunk using curl. When i try to pass the URL it gives an error " nested brace in URL position 19". Not getting where went wrong even though all the braces are proper. Can anyone help me in this?

Please help to extract payload data from logs entries and extract the PlatformVersion and PlatformClient values. Need in python code. Log Entries:  "tracking~2015~526F3D98","2015:1302",164,1,"2022-02-07 11:10:08.744 INFO [threadPoolTaskExecutorTransformed5 - ?] saving event to log =core-server-event-tracking-api, payload={""PlatformVersion"":""6.34.36 - 4.18.6"",""PlatformClient"":""html""},53 "tracking~2015~526F3D98","2015:130",164423,1,"2022-02-07 11:10:08.744 INFO [threadPoolTaskExecutorTransformed5 - ?] saving event to log =core-server-event-tracking-api, payload={""PlatformVersion"":""6.34.37 - 4.18.7"",""PlatformClient"":""xml""},54   Thanks

I am attempting to configure Microsoft Graph Security API Add-On for Splunk (https://splunkbase.splunk.com/app/4564/#/details) Per the documentation, after installing the app you must configure it. Under the "Configuring Microsoft Graph Security data inputs" section it details the account information you need to enter (Account Name, Application ID and Client Secret registered). However, when I click Add (Configuration > Account) I'm prompted for Account name, Username, and Password. Not those other values. I've installed 1.2.3 and 1.2.4 and I see the same Add Account options in both. Is there another way I can configure those values? I'm running Splunk Enterprise 8.1.0.1 on Centos. Thanks, Rob

Dear Team, We are planning to use  "Salesforce Commerce Cloud Add-on for Splunk" We are looking for a sample reference for connecting strings via UI to an SFCC instance. Kindly guide us https://splunkbase.splunk.com/app/6098/#/details Thanks Sreeharinath