Installed DB connect pluging, when i try to use  the plugin it tried to open up but in the background the splunk app is cracshing.   i1) i tried resinstalling previous version 3.6  its same issue 2) re installed slunk ( same issue)    looks like no work around ? is it because i am using trial version ?   please help.   A

We hare using dashboard studio to create multiple dashboards for summaries of our security data ,  We have almost tried all way out to see if font size of the values  in different visualizations   can be changed.   The values for different dashboards in studio are very small and there is no option available to increase the font size for better representation of these dashboards for management overview.   Any one tried new dashboard studio extensively and found any such issues fixes ??

I'm unable to get Splunk to run in docker using a newer MBP with an M1 Max chip on a fresh install of Monterey, as well as a fresh install on an M1 Mac mini. I've played with as many settings as I could think, but can't seem to find an error that indicates what's really going on. As far as I can tell, splunkd starts and binds to port 8089, but Splunk Web fails to bind to port 8000, despite the port being available.  Things I tried and some thoughts:  - My initial thought is that port 8000 was being used by something else, so I tried many other ports with no success. Though, I had no evidence of this (using netstat) - I then thought that maybe there was a firewall entry not being added correctly so I checked iptables, it doesn't exist. I then checked firewalld, also doesn't appear to exist. so no firewall?  - I had a friend take my exact docker compose file and install the everything on an older, non-up-to-date MacBook Air running on an intel chip. That worked... - I also tried adjusting the timeout values listed in the sensible vars list, that didn't seem to work. Where am I supposed to mount the docker.yaml file to? Where I mounted it didn't work. the var, SPLUNK_CONNECTION_TIMEOUT, added directly to the compose file didn't make a difference either - I even tried starting Splunk with debug mode and saw nothing helpful there. The actual output, noticing the time taken under Start Splunk via CLI and failed=1: sh1  | PLAY RECAP ********************************************************************* sh1  | localhost                  : ok=51   changed=7    unreachable=0    failed=1    skipped=48   rescued=0    ignored=0    sh1  |  sh1  | Friday 14 January 2022  21:48:52 +0000 (0:04:22.382)       0:05:46.139 ********  sh1  | ===============================================================================  sh1  | splunk_common : Start Splunk via CLI ---------------------------------- 262.38s sh1  | splunk_common : Get Splunk status --------------------------------------- 8.02s sh1  | splunk_common : Update Splunk directory owner --------------------------- 6.01s sh1  | Gathering Facts --------------------------------------------------------- 5.73s sh1  | splunk_common : Generate user-seed.conf (Linux) ------------------------- 4.70s sh1  | splunk_common : Cleanup Splunk runtime files ---------------------------- 4.30s sh1  | splunk_common : Update /opt/splunk/etc ---------------------------------- 3.87s sh1  | splunk_common : Check for scloud ---------------------------------------- 3.00s sh1  | splunk_common : Hash the password --------------------------------------- 2.77s sh1  | splunk_common : Find manifests ------------------------------------------ 2.52s sh1  | splunk_common : Remove input SSL settings ------------------------------- 2.22s sh1  | splunk_common : Check for existing installation ------------------------- 2.21s sh1  | splunk_common : Create .ui_login ---------------------------------------- 2.21s sh1  | splunk_common : Check if /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key exists --- 2.19s sh1  | splunk_common : Enable splunktcp input ---------------------------------- 2.18s sh1  | splunk_common : Enable Splunkd SSL -------------------------------------- 2.18s sh1  | splunk_common : Enable Web SSL ------------------------------------------ 2.18s sh1  | splunk_common : Trigger restart ----------------------------------------- 2.17s sh1  | splunk_common : Remove splunktcp-ssl input ------------------------------ 2.16s sh1  | splunk_common : Set Splunkd Connection Timeout -------------------------- 2.16s sh1 exited with code 2 Here's the docker-compose  (worked on the older Mac): version: "3.9" services:   sh1:     platform: linux/amd64     image: splunk/splunk:latest     container_name: sh1     environment:       - SPLUNK_START_ARGS=--accept-license       - SPLUNK_PASSWORD=Passw0rd!       - SPLUNK_ROLE=splunk_search_head       - SPLUNK_HTTP_PORT=8000       - SPLUNK_CONNECTION_TIMEOUT=300    ports:      - 8000:8000      - 8089:8089   Any thoughts? Can someone on OS12.1 with an M1 chip get this to work? Additionally, can someone running OS12.1 with an intel chip validate that this works? Maybe the issue is with the M1 chip, not the OS version. Or maybe it's just an issue with 12.1.    Edit:  I now have evidence that the the compose file I posted works on an intel based Mac running the 12.1. Therefore, I think it's safe to say the issue is one of compatibility between the Splunk-Docker image and the M1 Mac.

Hey guys I'm trying to create a dashboard that shows any host with a group of specified hosts that are not returning data from a specific source type So what I have been trying so far to no success is  Index=xyz Host=abc  Sourcetype=def  |  timechart span=30min count by host Where count < 1 usenull=f useother=f This won't show anything because it going to have no events to report but I'm not sure how I can create a variable base upon have no results back within a specific time then do a timechart base upon the new variable by host Unless I'm going about this completely wrong lol please help 

I am trying to install PIP on the splunk provided python - python3.7.  From what I can see, python is located on /opt/splunk/bin directory, so I am using the command: python3.7 get-pip.py --user after getting in that directory. However, I am getting errors, such as: ModuleNotFoundError: No module named 'distutils.command'   Is there already pip installed here? How    What do I do? As far as I know pip usually comes with python3 but I do not see it here. Without pip, it is extremely difficult to install any package so I am in a loop.   

| rex field=Uptime "(?<Uptime_Days>^([^d]+))" | eval Uptime_Years=(Uptime_Days/365) | dedup Host_Name | eval Description=(case(Uptime_Years>=7, "Over 7 Years", Uptime_Years<7 AND Uptime_Years>3,"3 to 7 Years", Uptime_Years<3, "Less than 3 Years" )) | rename Description as "Uptime_Category" | stats count(Host_Name) as total by Uptime_Category | eventstats sum(total) as grand_total | eval percentage = round((total/grand_total)*100,1) | table Uptime_Category percentage | eval Description=(case(Uptime_Category="Over 7 Years" AND percentage>="10%","Poor",  Uptime_Category="3 to 7 Years" AND percentage>="20%","Needs Attention", Uptime_Category="Less than 3 Years" AND percentage>="80%","Good" )) | rename Description as "Health Status" | stats count by "Health Status" Need help with Color Coding Poor to "Red", Needs Attention to "Yellow", & Good to "Green" @niketn 

We have multiple searchmanager objects running different searches, and we need to wait until all of them are done to execute some other code. It works using <search>.on("data") state for individual searches, but we need a way to wait for them all. What is the best way to accomplish this? Regards. Javier.

i have parent dropdown have cc as token and in for this parent there is child multislect having different value for different country..So..it is having depends=$cc$ so how to reset the multislect when it's cc is changing..  

Hello! I am looking to add color to a table I have in Dashboard Studio. I notice in the UI there are no coloring options when you select Column Formatting for a string type - the color formats only show for number types. So I tried to replicate the color formatting onto a string type via the source code but am not getting anywhere. Is there something I am missing? Is this possible to color strings in tables with the current release of dashboard studio? TIA!

I have data like below Date File User 1/10/2022 F1 U1 1/10/2022 F1 U2 1/10/2022 F2 U1 1/11/2022 F3 U3 1/11/2022 F1 U1 1/11/2022 F2 U2 1/11/2022 F3 U3 1/11/2022 F1 U1 1/12/2022 F2 U1 1/12/2022 F3 U2 1/12/2022 F1 U1 1/12/2022 F2 U1     I would like to Group the data with File & user and needs to get count for each per day as below. Please let me know how can I get like this?   File User 1/10/2022 1/11/2022 1/12/2022 F1 U1 1 2 1 F2 U1 1   2 F1 U2 1     F2 U2   1   F3 U2     1 F3 U3   2  

Hello    After running the Python readiness app and upgrading many, there are still 11 apps that show as fail. Is there a  query or ability to scan affected apps to determine if they 1) have data, and 2) are being used so team can prioritize which apps need to be upgraded or removed to satisfy Upgrade to Python 3

I have a log line for when the ip is added to the blacklist and another log line with ips that were removed from the blacklist. What I need to do is search for this ip that was added in the removed line, can you help me? Here is an example of my log and my research: -------------------------------------------------------------------------------------------------------------------------------------------- index="my search" | rex field=_raw "Message: Host (?<ip>.*?) w" | rex field=_raw "Message: Hosts (?<ips>.*?) w" | eval ips=mvjoin(ips,", ") | rex mode=sed field=ips "s/, /\n/g" | table ip ips   I need to loop through the list of ips in column <ips> to find the ip of column <ip>

I am trying to create a dash which uses  tokens for different clients capturing any attachments sent externally.    I have extracted the domain name from my search using regex so I can then exclude the internal "to" address  so that all emails being recorded are external.  The exclusion is where I am getting stuck if anyone has any ideas?   index=test  sourcetype="messagetracker" attachments=true client_code=$client$ | eval timestamp=strftime(_time, "%m-%d-%Y %H:%M:%S") | rename fromEnv.emailAddress as from_envelope_address, fromHdr.emailAddress as from_header_address, from.displayableName as from_displayname, fromHdr.displayableName as from_header_displayname, to.displayableName as to_displayname, to{}.displayableName as to_array_displayname, from.emailAddress as from_address, fromHeader.emailAddress as from_header2_address, to.emailAddress as to_address, to{}.emailAddress as to_array_address | search from_envelope_address=* | rename to_array_address as to | rename from_envelope_address as from |search to="***" from="***" | rex field=from "\@(?<domain>[^ ]*)" |search NOT (to in domain) | dedup from,to, subject, status, info, route | fillnull value="n/a" from_header_address | table timestamp, from, to,domain, attachments, status, info, route, spamScore, client_code