Hi All, I have a code, that uses the output to fetch data from another Panel. First Panel   <title>Juniper Mnemonics</title> <table> <search> <query>index=nw_syslog | search hostname="*DCN*" | stats count by cisco_mnemonic, hostname | sort - count</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="drilldown">row</option> <option name="refresh.display">progressbar</option> <drilldown> <condition field="cisco_mnemonic"> <set token="message_token">$click.value$</set> </condition> <condition field="hostname"> <set token="hostname_token">$click.value$</set> </condition> <condition field="count"></condition> </drilldown> </table>     From this panel 2 contents are fetched for second panel search. Second Panel   index=nw_syslog | search hostname="*DCN*" | search cisco_mnemonic="$message_token$" | search hostname="$hostname_token$" | stats count by message | sort - count     Issue:  When ever i click the first panel table.( given ROW as Click Selection). its not getting fetching correctly. Only fetching "cisco_mnemonic" only for both cisco_mnemonic and hostname. Please guide me how can i get both in single click.    

Hello Guys,  We have to integrate one of the SQL server with Splunk and the current version is  SQL 2014. We are using splunk db connect app to configure it.  Kindly confirm if SQL team can upgrade to 2017 , is it compatible with splunk db connect or do they need to upgrade it to SQL 2019 ?  Provide any solutions/documents on this .

index name = my_index source name = my_source sourcetype = my_sourcetpye host = 192.168.0.10 ----------------------------- The field action is =allow -> my_allow. Action = deny -> my_deny other -> my_myontype I want to change it to this. help me

Hi Everyone, I'm running Splunk Enterprise 8.2.2.1 on my MacOS (Big Sur), and it runs quite well, except that there is no search history available using a user id with admin role. But from the CLI in: etc/users/bd/search/history There is actually a file called <hostname>.idx.csv which holds all my history. 1. Can anyone please explain what's going on here? PS. I have 5 instances running on my Mac (A combined SH/IDX, DPL, HFWD, and 2 UF's), and it all works nice together. The difference is that I have an internal created user on the SH (the one with no history above), but on IE the HFWD I use the user "splunk" (this user also runs all the instances on OS level) to log in with, and here history work just fine. 2. There is gotta be a missing link, but which? Cheers, Bjarne

Hi Everyone, I have 5 instances of Splunk running my Mac (Big Sur v11.6): SH+IDX DPL HFWD UF (sending to HFWD) UF (sending to IDX) All working pretty well, but there are a few hick-ups running on MacOSX (Big Sur, 11.6), and the new major one I've run it to is there is NO introspection (Resource Usage) collected! The "resource_usage.log" is completely empty, and running :        /opt/splunk_dpl/bin/splunkd instrument-resource-usage -p 8087 --with-kvstore --debug       Writes:       I-data gathering (Resource Usage) not supported on this platform. DEBUG RU_main - I-data gathering (IOWait Statistics) not supported on this OS WARN WatchdogActions - Initialization failed for action=pstacks. Deleting. DEBUG InstrumentThread - Entering 0th iter (thread KVStoreOperationStatsInstrumentThread) DEBUG InstrumentThread - Entering 0th iter (thread KVStoreCollectionStatsInstrumentThread) DEBUG InstrumentThread - Entering 0th iter (thread KVStoreServerStatusInstrumentThread) DEBUG InstrumentThread - Entering 0th iter (thread KVStoreProfilingDataInstrumentThread) DEBUG InstrumentThread - Entering 0th iter (thread KVStoreReplicaSetStatsInstrumentThread)         1. Does this really mean there is no support for resource usage on Mac, og am I getting something wrong here? To me there is not really that much difference between a Mac and a Linux box (while knowing there are some differences) , and most commands run on a linux are run the exact same way on a mac. 2. If this does not come out of the box, how can it be enabled? 3. Which processes are run on linux to exactly fulfill the "Resource Usage" and IOWait stats, that one could try move into the mac? 4. Does anyone know exactly how and where the scripts/processes are configured in Splunk to facilitate this? Any core details would be most appreciated. Cheers, Bjarne

I am taking events from three source types (same index; two common fields present across all three) and creating a table with the results. The events are indexed using a "timestamps" field that is present in the raw data (the result of an API call to a monitoring tool and a subsequent JSON payload retrieval of synthetic test metrics; the value is in epoch time and pushed into _time using a transform aligned with the source types). Here's the query I'm using: index=smoketest_* sourcetype=smoketest_json_dyn_result OR sourcetype=smoketest_json_dyn_duration OR sourcetype=smoketest_json_dyn_statuscode | rename dt.entity.synthetic_location AS synLoc, dt.entity.http_check AS httpCheck | stats values(*) AS * by httpCheck, synLoc, _time | rename "responseTime{}" AS "Response Time (ms)" | table _time, synLoc, httpCheck, status, "Response Time (ms)", "Status code" The common fields found in all three source types are "synLoc" and "httpCheck". 95% of the time, I get the desired result pictured here (requested fields from all three sourcetypes align as a single row on the table): In this example, you can see the results of two unique tests (executing every five minutes, over a 15 minute period). Since the events being grabbed from the three source types all have the same _time value, this works as expected. If, however, one or two of the source types have events with a _time value that does not match the others, this happens: Again, there are two unique tests represented here. However, note that one row reflects a value from one source type at 10:01 while the two values from the other two source types are on a separate row at 10:02. Ideally, all three values should be on the same row (much like the 10:06 and 10:11 entries). How can I alter my search query to account for this behavior?

Hi, I am stuck implementing below use case , please help me on this : I have a lookup say url_requested.csv.  http_url host *002redir023.dns04* test *yahoo* test Another csv file :  malicious.csv url Description xyzsaas.com C&C http://002redir023.dns04.com malicious I have to check the url values in "url_requested.csv" with that in "malicious.csv" and get only those url and description which has a match in "malicious.csv" . url_requested.csv lookup has url column with wildcard prefixed and suffixed. I have added the wildcard configuration in transforms.conf following this : https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/m-p/94513. My query : | inputlookup malicious.csv | table url description | lookup url_requested.csv  http_url as url outputnew host | search host=* | fields - host I am getting no results running this query. Please let me know where I am going wrong and help me with the solution. Result I am looking for : url Description http://002redir023.dns04.com malicious