Hi, I am providing sample data below: [2021-12-07 03:50:14,666] {{taskinstance.py:1532}} INFO - Marking task as FAILED. dag_id=any_bash_command_dag, task_id=bash_command, execution_date=20211207T035010, start_date=20211207T035013, end_date=20211207T035014 [2021-12-08 01:02:14,491] {{taskinstance.py:1192}} INFO - Marking task as SUCCESS. dag_id=Parent_dag, task_id=trigger_archive_files_dag, execution_date=20211207T000000, start_date=20211208T010213, end_date=20211208T010214 SPL: index=cloud sourcetype=lambda:Airflow2Splunk "\"logGroup\"" "\"airflow-OnePIAirflowEnvironment-DEV-Task\"" "Marking task as*" dag_id=* | rex field=_raw "task_id=(?P<task_id>\w+)" | table _time dag_id task_id | sort _time Current Results in tabular form: _time                                                         dag_id                                                    task_id                                           Task_Status -------------------------------------------------------------------------------------------------------------------------------------- 2021-12-06 22:50:14.756               any_bash_command_dag              bash_command                          2021-12-07 20:02:14.626               Parent_dag                                            trigger_archive_files_dag Expected results in tabular form: _time                                                         dag_id                                                    task_id                                           Task_Status -------------------------------------------------------------------------------------------------------------------------------------- 2021-12-06 22:50:14.756               any_bash_command_dag              bash_command                         Failed 2021-12-07 20:02:14.626               Parent_dag                                            trigger_archive_files_dag      Success Can you please help me in modifying the SPL above which should result an additional column "Task_Status" and the values "Failed" for dag_id= any_bash_command_dag and "Success" for dag_id=Parent_dag? Thanks, Sumit

Hello, We have a usecase where the Json payloads are more than 1 million bytes, our current truncation limit is set to default 10000 bytes, we don't have an option to set this to 0 since our env is splunk cloud and splunk support didn't agreed to set it to 0, is there an alternative way to overcome this situation? Please let me know if anyone ever faced this situation   Thanks  

I've created a custom dashboard for one of our clients and each of the entities that I'm reporting on a pie chart displays as such: {className}.{methodName} Since the class name is the same for each of the entities that are displayed, the client wants to know if it's possible to trim off className for each of these entities as it isn't very aesthetically pleasing. I'm currently just displaying the entity using ${e} under the Advanced options for Metric Display names and it appears that it won't evaluate regular expressions. Do I have any options to trim this display name or am I doomed? Any advice you can provide will be extremely helpful!

Hi everyone,  Recently, I have tried to install the OCI addon in a test enviroment but it does not work. According to docs that are posted on https://github.com/oracle-quickstart/oci-arch-logging-splunk I contacted to Oracle Support and then they sent a link with the addon and i followed the steps that are specified in the previous link. Unfortunately  I can not lunch the add-on because OCI addon is not visible ( I tried to change the add-on to visible but when I lunch the add-on appears a horse saying "oops").   Has anyone achieved integrate OCI in Splunk?

i am tryring to add a base search for a query and use the same for drop down and table. I see after adding search  adding to base search , panel table shows no results. my expectation is based on one of drop down selection i need my table to updated with that selected value. please help <form version="1.1"> <label>RH_Release_Information</label> <description>FC-002 release info</description> <search id="base_search"> <query> index="wtqlty" source=pdf_07 sourcetype="release_pdf_results_json" | table pdf_name, pdf_state, main_line, req_report, patch_name, patch_tag, started_on, Stream_start, Handover, planned_stopped_on, fco_state, snapshot, stakeholders.project_leader.name, stakeholders.developer.name, air_issues{}.short_description , Quality, description | rename pdf_name AS PDF, pdf_state AS "PDFState", fco_state AS FCOState, main_line AS "Mainline", patch_name AS Project, patch_tag AS Tags, started_on AS "PDF start", planned_stopped_on AS "Planned Stop", stakeholders.project_leader.name AS PL, stakeholders.developer.name AS Developer, air_issues{}.short_description AS Description, description AS Questionnaire | search PDFState = "$form.PDFState$" PL ="$form.PL$" FCOState = "'$form.FCOState$" </query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> <sampleRatio>1</sampleRatio> </search> <fieldset submitButton="false" autoRun="true"> <input type="time" token="time" searchWhenChanged="true"> <label>Time</label> <default> <earliest>0</earliest> <latest></latest> </default> </input> <input type="dropdown" token="pdf_state_token"> <label>PDFState</label> <choice value="*">All</choice> <fieldForLabel>PDFState</fieldForLabel> <fieldForValue>PDFState</fieldForValue> <search base="base_search"> <query>| dedup PDFState | top PDFState</query> </search> <default>*</default> </input> <input type="dropdown" token="main_line"> <label>Assembly</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>Mainline</fieldForLabel> <fieldForValue>Mainline</fieldForValue> <search base="base_search"> <query>| dedup Mainline | top Mainline</query> </search> </input> <input type="dropdown" token="fco_state"> <label>FCOState</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>FCOState</fieldForLabel> <fieldForValue>FCOState</fieldForValue> <search base="base_search"> <query>| dedup FCOState | top FCOState</query> </search> </input> <input type="dropdown" token="snap_shot"> <label>ServicePacks</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>snapshot</fieldForLabel> <fieldForValue>snapshot</fieldForValue> <search base="base_search"> <query>| dedup snapshot | stats by snapshot</query> </search> </input> <input type="dropdown" token="PL"> <label>PL</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>PL</fieldForLabel> <fieldForValue>PL</fieldForValue> <search base="base_search"> <query>dedup PL | stats by PL</query> </search> </input> <input type="dropdown" token="developer"> <label>Developer</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>Developer</fieldForLabel> <fieldForValue>Developer</fieldForValue> <search base="base_search"> <query>| dedup Developer | stats by Developer</query> </search> </input> <input type="text" token="main_line" depends="$hidden$"> <default>*</default> </input> </fieldset> <row> <panel> <title>RH_Release_Information</title> <html> <style> #tableRowColorWithoutJS table tbody td div.multivalue-subcell[data-mv-index="1"]{ display: none; } </style> </html> <table> <search base = "base_search"> <query> </query> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> <format type="color" field="FCOState"> <colorPalette type="expression">case (match(value,"DRAFT_DEV"), "#DC4E41",match(value,"ACCEPTED"),"#53A051"</colorPalette> </format> <format type="color" field="PDFState"> <colorPalette type="expression">case (match(value,"handover_to_integration"), "#DC4E41",match(value,"accepted"), "#53A051", like(value,"integrated"), "#FFFF00", true(),"#C3CBD4")</colorPalette> </format> <drilldown> <condition field="PDF State"> <set token="form.pdf_state_token">$click.value2$</set> </condition> <condition field="PL"> <set token="form.PL">$click.value2$</set> </condition> <condition field="FCOState"> <set token="form.fco_name">$click.value2$</set> </condition> <condition field="Developer"> <set token="form.developer">$click.value2$</set> </condition> <condition field="Snapshot"> <set token="form.snap_shot">$click.value2$</set> </condition> <condition field="Mainline"> <set token="form.main_line">$click.value2$</set> <link target="_blank">https://at.patchtooling.asml.com/pdf/RH/ML/patches/$click.value2$/</link> </condition> <condition field="Project"> <set token="form.patch_name">&gt;$click.value2|n$</set> <link target="_blank">https://stream-dashboard.asml.com/db/overall/$click.value2$/</link> </condition> <condition field="PDF"> <set token="form.pdf_name">$click.value$</set> <link target="_blank">https://at.patchtooling.asml.com/pdf/RH/ML/patches/$row.Project|n$/</link> </condition> <condition field="req_report"></condition> <condition field="PDF start"></condition> <condition field="Stream_start"></condition> <condition field="Handover"></condition> <condition field="Planned Stop"></condition> <condition field="Description"></condition> <condition field="Quality"></condition> <condition field="Questionnaire"></condition> </drilldown> </table> <html depends="$form.show_clear_filter$"> <p> <a href="#" data-set-token="form.main_line" data-value="*" data-unset-token="form.show_clear_filter" class="btn btn-secondary clear-filter">Clear Filter</a> </p> </html> <html depends="$stayhidden$"> <style> #id-of-panel div.multivalue-subcell { text-decoration: line-through !important; } #id-of-panel div.multivalue-subcell[data-mv-index="0"] { text-decoration: none !important; } </style> </html> </panel> </row> </form>    

Hello, I am planning to setup some custom metrics indexes using this guide: https://docs.splunk.com/Documentation/ITSI/4.10.2/Entity/CustomIndexes First question: There are two linux metrics macros. I am planning to modify both to be safe but I assume I only need to modify the ta one since that is what I am using to collect data. What is the other one for? 1. itsi_entity_type_nix_metrics_indexes 2. itsi_entity_type_ta_nix_metrics_indexes   Second question: I did a ctrl+f on itsi_im_metrics and noticed that the itsi_im_metrics_indexes macro uses a similar definition to the itsi_entity_type macros that I listed above. I cannot find any information about this macro. Do I need to modify it? What is it used for? Thank you!

I have a search which looks at rare events in Windows Event Logs and provides output shown below. source="winevtlog:security" EventCode=4688 | rare limit=50 New_Process_Name I've been unsuccessful in filtering these results further, such as searching for programs running from a Temp folder, or other non-standard folders. Looking under the 'match_regex(input, pattern)' section in the https://docs.splunk.com/Documentation/DSP/1.2.1/FunctionReference/Stringmanipulation documentation has one example, but I'm not able to figure out how to modify the example to fit my search. For example, reducing the search to only show VMware processes. Below is an attempt I made, which gave me: Error in 'where' command: The expression is malformed. An unexpected character is reached at '/VMware/);'. source="winevtlog:security" EventCode=4688 | rare limit=50 New_Process_Name | where match_regex(cast(New_Process_Name, "string"), /VMware/); The documentation mentions using the RegEx Start and End characters ^ $, but I get the same error listed above.  I've looked at several other posts here below, but haven't been able to find a good example that fits. https://community.splunk.com/t5/Splunk-Search/Search-for-a-string-containing-X/m-p/120450 https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-where-if-a-certain-string-is-found-in-a/m-p/136680 https://community.splunk.com/t5/Splunk-Search/How-to-match-and-filter-by-substr/m-p/155912#M43866

Did an upgrade from Splunk ES 6.1.1 to 6.6.2 and now any dashboard that uses the Downsampled Line Chart viz fails to load with a "Failed to load source for Downsampled Line Chart visualization. " In fact, any of the visualiztions below the "More" header when selecting a chart type (includes histogram, box plot, 3D scatter plot.) Has anyone run into such an issue after upgrading?

Hi, I have the below query, I need the scatter point visualozation for this. time on the x axis and the count on the y axis. How to achieve this. |inputlookup hsbc_es_pr_mapping.csv | eval "Configuration Item" = lower('Configuration Item') | lookup hsbc_dc_app_eim_lookup_eim_basic_extract.csv hostname as "Configuration Item" OUTPUT IT_SERVICE | search Status = Open | fields "Problem Number" IT_SERVICE | stats count as "Count of PR's" by IT_SERVICE | sort 10 - "Count of PR's" Thanks

i have a query like index = xyz | eval assignment= upper(assignment) | eval SO = upper(SO) | eval Ser = upper(Ser) | join type=inner assignment,SO,Ser [ I inputlookup xyz.csv | table assignment,SO,Ser | eval assignment= upper(assignment) | eval SO = upper(SO) | eval Ser = upper(Ser) ] is this is a valid query because i want only the events containing the common fields (assignment,SO,Ser).

I have a quite unusual case. One of my sources emits logs with a very stupid timestamp format. It consists of a date and time glued together, which on its own is quite ok, but followed with a timezone info in form of time difference vs UTC expressed... in minutes. So it's not your typical "+0200". No. It's "+120". There's no such timezone format in your strptime format specification so I have to do it some other way. Since _time is crucial to the proper event processing, of course I have to adjust it in ingest time. I thought about parsing the offset from the timestamp as an independent field and then correcting the _time field before indexing the event. Does it make sense? I don't see any other way of producing correct timestamp from such data.

I have an alert. which runs every minute "cron" and the setting is set to "time range last 4 minutes" but for some reason my alert works 30 minutes ago and in this interval look for 4 minutes    create at 4:46:04 PM  search 4:16:00 pm to 4:20:00 pm      Time is correct on SH servers.