Hi there! I have a server that will be down for some time, and I would like to not be inundated with "missing forwarder" alerts. Is there a way to "pause" that alert for just that server? Thanks in advance!
Tab1 Tab2 Tab3 Tab4 Tab5 _time
200  200  200  200  200  timestamp value
200  200  200  200  200  timestamp value

The above data I'm getting from an index which has JSON data, after writing:

index = xyz | table Tab*,_time

Tab1 Tab2 Tab3 Tab4 Tab5 _time     reltime
200  200  200  200  200  timestamp some hours ago

The above table I'm getting after adding

| sort - _time | head 1 | reltime

to the above query. Then I'm doing

| transpose column_name=Application_list | rename 'row 1' as Status | eval status = if((Status=200),"up","down")

Is there any way to retain the reltime column in the above table after transposing it? Because I'm getting the output below:

application_list Status
Tab1             up
Tab2             up
Tab3             up
Tab4             up
Tab5             up
reltime          down
_time            down

and I want it like:

application_list Status reltime
Tab1             up     x hours ago
Tab2             up     x hours ago
Tab3             up     x hours ago
Tab4             up     x hours ago
Tab5             up     x hours ago

Below is the whole query:

index = xyz | table Tab*,_time | sort - _time | head 1 | reltime | transpose column_name=Application_list | rename 'row 1' as Status | eval status = if((Status=200),"up","down")
I have an index named applications which contains a list of applications:

app1
app2
.
.
.
app10

I have created a simple dashboard showing the count of events for app1. Is there a way to add panels using a loop so that I don't have to copy the panel XML code 10 times, once for each app?

<?xml version="1.0" encoding="UTF-8"?>
<dashboard>
  <label>Demo Apps</label>
  <row>
    <panel>
      <single>
        <title>app1</title>
        <search>
          <query>index=appindex (app1) | stats count</query>
          <earliest>-24h@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051","0xf8be34","0xdc4e41"]</option>
        <option name="rangeValues">[0,10]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</dashboard>
I have a correlation search created. However, I want to exclude files from being alerted upon. I have a lookup file created that has a list of files to be excluded; however, when I call that lookup file to exclude the files, the search results exclude the whole host and all affected files, not just the single file I want excluded.

My tstats search:

| tstats values(Symantec_ICDX.device_public_ip) values(Symantec_ICDX.user_name) values(Symantec_ICDX.file.name) values(Symantec_ICDX.threat.name) values(Symantec_ICDX.type) values(Symantec_ICDX.file.sha2) as Symantec_ICDX.file.sha2 values(Symantec_ICDX.file.path) from datamodel=Symantec_ICDX by Symantec_ICDX.device_name
| rename Symantec_ICDX.device_name as dest, values(Symantec_ICDX.device_public_ip) as dest_ip, values(Symantec_ICDX.user_name) as user, values(Symantec_ICDX.file.name) as file_name, values(Symantec_ICDX.threat.name) as threat_name, values(Symantec_ICDX.type) as type, Symantec_ICDX.file.sha2 as file_hash, values(Symantec_ICDX.file.path) as file_path

Results of tstats search:

New tstats search after putting ruby.exe into the lookup file:

| tstats values(Symantec_ICDX.device_public_ip) values(Symantec_ICDX.user_name) values(Symantec_ICDX.file.name) values(Symantec_ICDX.threat.name) values(Symantec_ICDX.type) values(Symantec_ICDX.file.sha2) as Symantec_ICDX.file.sha2 values(Symantec_ICDX.file.path) from datamodel=Symantec_ICDX by Symantec_ICDX.device_name
| rename Symantec_ICDX.device_name as dest, values(Symantec_ICDX.device_public_ip) as dest_ip, values(Symantec_ICDX.user_name) as user, values(Symantec_ICDX.file.name) as file_name, values(Symantec_ICDX.threat.name) as threat_name, values(Symantec_ICDX.type) as type, Symantec_ICDX.file.sha2 as file_hash, values(Symantec_ICDX.file.path) as file_path
| search NOT [| inputlookup exclusions.csv | fields file_name]
| search dest=COFGOOPAL2572TW

Results:

Lookup file:
I have a strange issue where, when I run a tstats query against a data model for the last 7 days in smart mode, 24 million events are searched. When I run that same search for the last 30 days, only 950k events are searched. This means fewer results are returned upon completion when last 30 days is selected. Does anyone know why fewer events are searched when I expand the time range to last 30 days?
Hello, Anyone else having trouble posting on Answers? Thanks and God bless, Genesius
I'm using the .NET Agent for Windows. It seems the logs are hardcoded to go to "%ProgramData%\AppDynamics\DotNetAgent\Logs" even after redirecting them using the AppDynamicsAgentLog.config. How can I send them where I actually want them to be?
Hello, We have a clustered environment which collects 2000 GB+/day with the indexes.conf settings below; the rest of the settings are default. When does frozenTimePeriodInSecs start its count? Is it when the data is in the hot, warm or cold buckets? When will the buckets roll from hot to warm, and from warm to frozen in my case? Is it after 90 days, since the maxHotSpanSecs default is 90 days? What is the approximate retention time for data with this config? And maxWarmDBCount = 4294967295 seems really high in this case. See config below:

[index_name]
homePath = volume:hot_warm/index_name/main/db
coldPath = volume:cold/index_name/main/colddb
thawedPath = /opt/splunk/indexes/index_name/main/thaweddb
maxWarmDBCount = 4294967295
frozenTimePeriodInSecs = 31104000
maxDataSize = auto_high_volume
maxTotalDataSizeMB = 4294967295
repFactor = auto

Thanks in advance!
Hello, We have multiple Cisco switches that are configured to send logs to Splunk. When comparing the logs on the switch and the logs in Splunk, they do not match up. Splunk does not seem to catch all of the logs, and seems to miss entries in large chunks, and it does not seem to be any single type of entry. I've searched by the IP of the switch and the information in the log, thinking that it might have been mislabeled, but it is not in Splunk at all. We have our switches set up to log at an informational level. This is happening across most switches in our environments - not all logs are entering Splunk. Is this a known issue? Thanks!
Hello, I have a list of events and a field called ClientDateTime. I want to show the events where the ClientDateTime is 5s apart from one event to another. How can I do it?
Hi all, Is it possible to configure a universal forwarder on one machine that collects logs from all other domain machines, rather than installing a UF on each machine? Thanks.
Hello Splunk users, For my company's internal purposes I needed to publish dashboards to a very limited number of users. The limitation was not based on user role, but strictly on ID, and I didn't find a suitable solution on the forums. While tinkering with "depends" based on a couple of posts here, I came up with a panel show/hide combo with the env:user token which I'm sharing right now. The user whitelist is managed by a simple eval/case statement directly inside the dashboard's XML code for fast updates. Panel visibility changes based on a dropdown input controlled by that eval command. Since I have only a basic user role I cannot make any server changes. If you have some idea on how to improve this concept please let me know (i.e. how to use "in" syntax instead of many case options).

<form>
  <label>user_authority_test</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="field1" depends="$user_ok$">
      <label>Limited input</label>
      <choice value="1">Limited visibility</choice>
    </input>
    <input type="checkbox" token="field2">
      <label>Unlimited input</label>
      <choice value="1">Visible for all</choice>
      <delimiter> </delimiter>
    </input>
  </fieldset>
  <row depends="$user_not_ok$">
    <panel>
      <title>Message for limited users and/or some other panels</title>
      <html>
        <div>Message body</div>
      </html>
    </panel>
  </row>
  <row depends="$hide$">
    <panel>
      <html>
        <h2>Debug</h2>
        <div>authority: $authority$</div>
        <div>user: $env:user$</div>
      </html>
    </panel>
    <panel>
      <table>
        <title>auth</title>
        <search>
          <query>|makeresults |eval user="$env:user$" |table user </query>
          <earliest>-1s</earliest>
          <latest>now</latest>
          <done>
            <!-- instead of user1, user2 etc. add the desired user IDs -->
            <eval token="form.authority">case($result.user$=="user1","on", $result.user$=="user2","on", 1=1, "off")</eval>
          </done>
        </search>
      </table>
    </panel>
    <panel>
      <!-- changing the visibility of panels is a two-step process: the eval command modifies the value of the dropdown,
           and another token embedded inside the dropdown controls which panels are visible and which are not.
           You can actually create many sets of values in the condition for more flexibility -->
      <input type="dropdown" token="authority">
        <label>authority set</label>
        <choice value="on">On</choice>
        <choice value="off">Off</choice>
        <change>
          <condition value="on">
            <set token="user_ok"></set>
            <unset token="user_not_ok"></unset>
          </condition>
          <condition value="off">
            <unset token="user_ok"></unset>
            <set token="user_not_ok"></set>
          </condition>
        </change>
      </input>
    </panel>
  </row>
  <row depends="$user_ok$">
    <panel>
      <table>
        <search id="MainSearch">
          <query>index=_internal |head 5 |table sourcetype, _time</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <chart>
        <search base="MainSearch">
          <query> |chart c(_time) by sourcetype</query>
          <progress>
            <set token="Area_Name">$Area_placeholder$</set>
          </progress>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.sliceCollapsingThreshold">0</option>
      </chart>
    </panel>
  </row>
</form>
Can someone provide the steps to add the TA file on Splunk IDM & Splunk cloud?
Hi Team, I am trying to remove the view permission of a particular user for a dashboard. I want the user to be able to view only 1 dashboard. This worked for the standard dashboards, but in Dashboard Studio, though the user was not able to see the data inside the dashboard, they were still able to see the list of Dashboard Studio dashboards. Can anyone help? What do I need to do so the user can see only the dashboard that I want them to see? Regards, Shubhangi

^ Post edited by @Ryan.Paredez: formatting
12/27/21 6:42:50.000 AM
PSComputerName Name            Memory
-------------- ----            ------
Host1          dfdf_Svc.exe    16024
Host1          sssService.exe  13142056
Host1          abcservice.exe  31380
Host1          xyzservice.exe  114340
Host1          rrrrr.exe       29304

12/27/21 6:42:50.000 AM
PSComputerName Name            Memory
-------------- ----            ------
Host2          dfdf_Svc.exe    16064
Host2          sssService.exe  13144028
Host2          abcservice.exe  114708
Host2          xyzservice.exe  32248
Host2          rrrrr.exe       33616

I have these output events in Splunk logs. One event is for one specific server only. Under one server we have 5 services running and the associated memory information. This output is in table format. I would like to create a regular expression so that I can create table-format output as below:

Servername Servicename Memory(in MB) (since the memory above is in bytes)
Hi, I have 6 alerts that run on a schedule. Only one of them is working. If I run the search, results come back that match. Why would they not be triggering?
Hi, I am new to Splunk. I have a Splunk event like this: "system CPU | 6.039 % | system time | 0.009 % |". How can I get the avg CPU % usage value against index type, via a report or dashboard?
Hi, I want to create a search to find anyone who makes changes to the sAMAccountName. So sAMAccountName could be sAMAccountName=cdf or sAMAccountName=abc. Take sAMAccountName=abc: if anyone changes this to sAMAccountName=abc1, it should trigger an alert.
Dear Splunkers, Can you please assist with the following problem: We have more than 20 UFs installed on Windows machines; all of them have a deployment server set, and were visible in Forwarder Management. But after some time all of them disappeared from FM and now only appear there from time to time. I have tried to delete $SPLUNK_HOME/etc/instance.cfg on several forwarders and restarted them, but the problem was not fixed. Any ideas how to fix it and what can cause such strange behavior? Regards, Eugene
Hi Team, We can see the Palo Alto Networks add-on parsing informational messages into the Alerts data model (having tag=alert assigned). Sharing the snapshot for reference. Can anyone assist me in identifying the business justification behind this, please? Thanks in advance