I have a dashboard containing two radio buttons, one for 'Current quarter' and one for 'Previous quarter'. I also have a timepicker input field for customizing the time range for a query. Following is the XML code for the input fields:

<input type="radio" token="quarter_token" searchWhenChanged="true">
  <label>Select quarter...or...</label>
  <choice value="earliest=@qtr latest=@d">Current quarter</choice>
  <choice value="earliest=-1qtr@qtr latest=@qtr">Previous quarter</choice>
</input>
<input type="time" token="time_token" searchWhenChanged="true">
  <label>Select date range</label>
  <change>
    <set token="form.quarter_token"></set>
  </change>
  <default>
    <earliest>@qtr</earliest>
    <latest>@d</latest>
  </default>
</input>

My question is: How can I reset the timepicker label text to match the radio button's selected time range? Currently, if a user selects a custom time range, then selects one of the radio buttons, the timepicker label doesn't match the radio button time range selection. For example, can I simply do the following to reset the timepicker label?

<set token="form.time_token.earliest">@qtr</set>
<set token="form.time_token.latest">@d</set>

In the example attachment, the timepicker label shows 'Last 55 days' as well as the 'Previous quarter' radio button being selected. This situation presents an inconsistent UI.

Thanks in advance,
Bob
Hi,

I am trying to get the AVG response time for calls over 3 seconds and have the below:

index=test sourcetype="test"
| bin span=1d _time
| table response_time
| eventstats count as Event
| eval ResponseTime=response_time/1000
| eval isOver3s=if(ResponseTime>3,1,0)
| stats values(Event) as "Event", avg(ResponseTime) as "Average Response", sum(isOver3s) as "isOver3s" max(ResponseTime) as "Max Response Time" avg(eval(ResponseTime>=3)) as avgisOver3s
| eval Percentage=round((isOver3s/Event)*100,2)
| table Event "Average Response" isOver3s Percentage ,"Max Response Time", avgisOver3s

However, the AVG response for the over 3 seconds is less than the normal AVG, which is incorrect. Any help would be greatly appreciated.

Thanks,
Joe
Hi,

I have the Forescout Technology Add-on and the Forescout Adaptive Response Add-on installed on my ES SH. The integration is working fine with respect to retrieving events from Forescout; however, I am having a problem with the Adaptive Response Add-on. I installed the Add-on, but when I restart the ES SH it gives an error message (screenshot attached). When I go into /opt/splunk/var/log/splunk and check the log file TA-forescout_response_init.log, it shows:

[splunk@dub2splk203 splunk]$ tail TA-forescout_response_init.log
2021-11-03 15:42:29 - fsct_rest_api_wrapper.py:30 - INFO - Posting new message to bulletin.
2021-11-03 15:42:29 - fsct_rest_api_wrapper.py:44 - DEBUG - REST API request succeeded
2021-11-03 17:15:17 - ta_forescout_response_init.py:35 - DEBUG - Initializing app: [TA-forescout_response]...
2021-11-03 17:15:18 - fsct_ar_actions_reader.py:34 - INFO - Read usessl: [1], verify_cert: [1] from app: [TA-forescout]
2021-11-03 17:15:18 - fsct_ta_config_reader.py:59 - DEBUG - Getting credentials configured in app: [TA-forescout].
2021-11-03 17:15:18 - fsct_ar_actions_reader.py:38 - INFO - Read fsct_emip: [dub2fst202.syncreon.local] from app: [TA-forescout]
2021-11-03 17:15:18 - fsct_ar_actions_reader.py:56 - DEBUG - Action url: https://dub2fst202.syncreon.local/splunk/actions_info?auth=CounterACT%20
2021-11-03 17:15:18 - ta_forescout_response_init.py:41 - CRITICAL - Error while getting alert actions from CounterACT: Unsuccessful Actions Info API call. Invalid status: [401] or request ID mismatch
2021-11-03 17:15:18 - fsct_rest_api_wrapper.py:30 - INFO - Posting new message to bulletin.
2021-11-03 17:15:18 - fsct_rest_api_wrapper.py:44 - DEBUG - REST API request succeeded

There is no problem with regard to access to my CounterACT server (on-prem), as I verified that the HTTPS connection can be made. Does anybody have any experience with this add-on or this error? I'm kind of lost, and there is very little from Forescout on this. Thanks!
Suppose I have 3 dates and one submit button. When I click on the dashboard name, after that I select the dates one by one and click the submit button, and then below the dashboard a chart is displayed.

Please help to implement the same, as it's very critical.
Is it possible to have a UF/HF automatically restarted when they stop working or are not sending the expected rate of events? There have been times when a UF went down / froze on Friday night and we found out about it on Monday!! Appreciate your feedback.
Last week a large portion of our Windows hosts reported in with a different "host" value. This is causing all sorts of issues with dashboards that think our number of monitored hosts has doubled. The issue we're seeing is that for around a week they all began being logged under their FQDN, not just the host name. (Similar to what was seen here: https://community.splunk.com/t5/Getting-Data-In/Where-does-windows-get-its-host-field-from/m-p/17422#M2242)

I've compared 2 logs from the same host, with the same event ID. The only difference I can see in the logs is that dvc_nt_host is different between the 2, while dvc is the FQDN on both. Which is super odd, because this line is in the props.conf of the Windows TA app:

FIELDALIAS-dvc = host as dvc, host as dvc_nt_host

So it appears that the FQDN is always available; however, sometimes it's used and sometimes it is shortened to just the hostname. I've hit a wall trying to work out what is causing this to happen, as no changes have been made to Splunk in the last week.
I apologize, since similar questions have been asked numerous times in the past. I have read several of them on this site as well as Splunk's own timezone article. I've tried a lot of things based on these articles, but the _time value doesn't appear to change at all. I'm either doing something wrong or my expectations are off.

Background: We are PST. The operating systems for all our Splunk servers are configured for PST and are running Splunk 8.1.3. We are using a heavy forwarder to index IIS logs that are in UTC. When searching these logs in Splunk, I would like the canned times (Last 4 Hours, Last 60 Minutes, etc.) to reflect the PST-equivalent times they occurred. So if I'm searching for something that happened 30 minutes ago in real time, "Last 60 Minutes" will contain that log.

It is my understanding that I am supposed to create/edit the props.conf on the heavy forwarder (/opt/splunk/etc/apps/iis/local/props.conf) and specify the TZ these log files are set to:

[sourcetype_name]
TZ = UTC

Then restart Splunk on the heavy forwarder. This is done and I've restarted the entire Splunk farm. I've even set this in the /opt/splunk/etc/system/local/props.conf on the HF. These logs are still being indexed 7 hours into the future.

Should this be working or am I thinking about this completely wrong? If my thinking is off-base, is it possible to accomplish what I'm attempting? Any suggestions would be appreciated. Thank you.
Hi,

I am trying to calculate the percentage of two fields; however, the Perc field is not bringing anything back:

Index=test sourcetype=Iis
| table response_time
| eval ResponseTime=response_time/1000
| eval isOver3s=if(ResponseTime>3,1,0)
| eval Perc=round((isOver3s/Event)*100,2)
| eventstats count as Event
| stats Values(Event),sum(isOver3s)
| table Event, isOver3s, Perc

Any advice would be greatly appreciated.

Thanks,
Joe
From time to time we can see that if you try to access the search head GUI you get a proxy error. When this happens we can also see that the count of apache processes increases from around 50 to 200. After around 20 minutes the apache count drops and you can access the GUI again. Has anybody seen such behavior and does anybody know what the reason is?
I would like the background to be either red or green based on the text of "deviceSeverity." The value of deviceSeverity can be either "Up" or "Down." No matter what I do, the background is staying grey. I am new to Splunk formatting and tried searching through the various messages here, but have not had any luck. This is the latest that I have, and I am probably over-complicating things (I just want the background to be red if deviceSeverity is "Down" and green if deviceSeverity is "Up"):

  <query>index=arcmisc dvc = $psmserver$ AND deviceProduct = "ApplicationMonitor" name="VIP Health Check Status" deviceSeverity=* | stats latest(deviceSeverity) | eval range=case(deviceSeverity == "Up", "low", deviceSeverity == "Down", "severe")</query>
  <earliest>-24h@h</earliest>
  <latest>now</latest>
  <refresh>30s</refresh>
  <refreshType>delay</refreshType>
</search>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="classField">deviceSeverity</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
<option name="charting.fieldColors">
  {"severe": 0xFF0000, "low": 0x00FF00, "NULL":0xC4C4C0}
</option>
I need to upgrade our DB Connect version from 2.3.1 to 3.7.0. Then I need to install the MySQL driver. The zip files both contain the same top-level directory, C:\Program Files\Splunk\etc\apps\splunk_app_db_connect. That seems to suggest that simply installing the 3.7.0 product might overwrite existing objects (such as the local and metadata directories). Is there a process for performing the upgrade to avoid overwriting existing objects?
Hello all,

Basically, I can't use Splunk Cloud Trial. It constantly throws "An internal error was detected when creating the stack."
Hi Team,

We installed these apps on our License Master as part of the IT Essentials Work app:

SA-ITSI-Licensechecker
SA-UserAccess

https://docs.splunk.com/Documentation/ITEWork/4.10.2/Install/Install#Install_IT_Essentials_Work_in_a_distributed_environment

Then we saw this license appear: "IT Service Intelligence Internals *DO NOT COPY*".

Can this license be used for production data ingestion? Can you confirm that this license is included in the IT Essentials Work app itself?
See title; I'm looking for an old version of Splunk to test something. I know it will not be supported, I am just curious. Are any 6.x UFs still available for download? I could not find anything before 7.x on the site.
Hello Everyone,

I am looking to find the Splunk product published date from internal logs. Does anyone know if this information is already being logged somewhere? I know the README.txt file contains the product release month and year, but I'm looking to get this info from internal logs. Please guide me if anyone has noticed this information logged somewhere.

Thanks for your help in advance!

Regards,
BK
Hi,

In our dashboard every panel and also every input contains a field "id". We want to hide or show them using tokens. How can we hide/show them referring to the id? Is this possible? No CSS please.
Our app has a functionality where users can create alerts for specific events. Unfortunately the users do not have the rights to create saved searches (we are on a multi-tenant platform, so we cannot change user rights). The code for this is:

var service = mvc.createService();
var mySavedSearches = service.savedSearches();
mySavedSearches.init(admin_service, {app:"APP", sharing:"app"});

// Create a saved search/report as an alert.
// service.savedSearches().create(alertOptions, function (err, alert) {
mySavedSearches.create(alertOptions, function (err, alert) {
    console.log("ALERT");
    // Error checking.
    if (err && err.status === 409) {
        console.error("ERROR: A saved alert with the name '" + alertOptions.name + "' already exists");
        error(alertOptions.name);
        return;
    } else if (err) {
        console.error("There was an error creating the alert:", err);
        return;
    }
    // Confirmation message.
    console.log("Created alert: " + alert.name);
});

When logged in as an admin user, the saved searches are created. However, when logged in as a normal user, the following error appears:

User 'user' with roles { db_connect_user, user } cannot write: /nobody/APP/savedsearches/test_saved_search { read : [ admin, user ], write : [ admin ] }, export: app, removable: no, modtime: 1559130962.504602000

Would it be possible to create these saved searches as admin, for instance by creating a service with the admin user? How could I do this? I have tried:

var service = mvc.createService({ owner: "admin" })

but this did not work.
Hi,  I would like to request you to assist me either in changing the username or deleting this account.   Regards,  
The Database Agent doesn't start and gives the below error message. The port is already opened to both the Controller and the Event Service.

[main] 03 Nov 2021 14:31:07,366 INFO Agent - Agent Install Directory [/appdynamic/db-agent-21.9.0.2521]
[main] 03 Nov 2021 14:31:07,366 INFO Agent - Using Agent Version [Database Agent v21.9.0.0 GA compatible with 4.5.2.0 Build Date 2021-09-22]
[main] 03 Nov 2021 14:31:07,367 INFO Agent - JVM Runtime: java.home=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre java.vm.vendor=Oracle Corporation java.vm.name=OpenJDK 64-Bit Server VM java.version=1.8.0_181 java.specification.version=1.8 java.runtime.version=1.8.0_181-b13 java.io.tmpdir=/tmp user.language=en user.country=US user.variant= Default locale=en_US
[main] 03 Nov 2021 14:31:07,367 INFO Agent - OS Runtime: os.name=Linux os.arch=amd64 os.version=3.10.0-957.el7.x86_64 user.name=aurahman user.home=/home/aurahman user.dir=/appdynamic/db-agent-21.9.0.2521
[main] 03 Nov 2021 14:31:07,367 INFO Agent - JVM Args : -XX:+HeapDumpOnOutOfMemoryError | -XX:OnOutOfMemoryError=kill -9 %p | -Xms1024m | -Xmx11264m |
[main] 03 Nov 2021 14:31:07,368 INFO Agent - JVM Runtime Name: 5493@apdyn-pr-da1.moh.gov.sa
[main] 03 Nov 2021 14:31:07,368 INFO Agent - JVM PID: 5493
[main] 03 Nov 2021 14:31:07,368 INFO Agent - Default Database Agent is resolving bootstrap info....
[main] 03 Nov 2021 14:31:07,418 INFO AgentUtil - Default Host Identifier Resolver using host name for unique host identifier [apdyn-pr-da1.moh.gov.sa]
[main] 03 Nov 2021 14:31:07,421 INFO AgentUtil - Default IP Address Resolver found IP addresses [[192.168.122.1, fe80:0:0:0:215:5dff:fef6:695b%eth0, 10.0.195.152]]
[main] 03 Nov 2021 14:31:07,421 INFO AgentUtil - Full Agent Registration Info Resolver found system property [appdynamics.agent.applicationName] for application name [Database Monitoring]
[main] 03 Nov 2021 14:31:07,422 INFO AgentUtil - Full Agent Registration Info Resolver found system property [appdynamics.agent.tierName] for tier name [Database Monitoring]
[main] 03 Nov 2021 14:31:07,422 INFO AgentUtil - Full Agent Registration Info Resolver found system property [appdynamics.agent.nodeName] for node name [Database Monitoring]
[main] 03 Nov 2021 14:31:07,453 INFO AgentUtil - Full Agent Registration Info Resolver using selfService [false]
[main] 03 Nov 2021 14:31:07,453 INFO AgentUtil - Full Agent Registration Info Resolver using application name [Database Monitoring]
[main] 03 Nov 2021 14:31:07,454 INFO AgentUtil - Full Agent Registration Info Resolver using tier name [Database Monitoring]
[main] 03 Nov 2021 14:31:07,454 INFO AgentUtil - Full Agent Registration Info Resolver using node name [Database Monitoring]
[main] 03 Nov 2021 14:31:07,476 INFO AgentUtil - XML Controller Info Resolver found controller host [appmon.moh.gov.sa]
[main] 03 Nov 2021 14:31:07,476 INFO AgentUtil - XML Controller Info Resolver found controller port [443]
[main] 03 Nov 2021 14:31:07,498 INFO AgentUtil - XML Agent Account Info Resolver using account name [customer1]
[main] 03 Nov 2021 14:31:07,499 INFO AgentUtil - XML Agent Account Info Resolver using account access key [****]
[main] 03 Nov 2021 14:31:07,513 INFO AgentUtil - Keystore file /appdynamic/db-agent-21.9.0.2521/conf/cacerts.jks was not found
[main] 03 Nov 2021 14:31:10,004 INFO Agent - Default Database Agent resolved bootstrap info!
[main] 03 Nov 2021 14:31:10,151 INFO Agent - Started [Default Database Agent] Schedulers
[main] 03 Nov 2021 14:31:10,151 INFO Agent - Scheduling Default Database Agent Registration ....
[DBAgent-1] 03 Nov 2021 14:31:10,245 INFO RegistrationChannel - Controller host [appmon.moh.gov.sa]; Controller port [443]
[DBAgent-1] 03 Nov 2021 14:31:10,278 INFO RegistrationChannel - setting agent hostname [apdyn-pr-da1.moh.gov.sa]
[DBAgent-1] 03 Nov 2021 14:31:10,278 INFO RegistrationChannel - setting agent version [Database Agent v21.9.0.0 GA compatible with 4.5.2.0 Build Date 2021-09-22]
[DBAgent-1] 03 Nov 2021 14:31:10,278 INFO RegistrationChannel - setting agent properties [{dbagent-name=Default Database Agent, dbagent-launch-id=e726f4a3-517c-48ea-be67-77cdc4db9688}]
[DBAgent-1] 03 Nov 2021 14:31:10,278 INFO RegistrationChannel - setting agent install dir [/appdynamic/db-agent-21.9.0.2521]
[DBAgent-1] 03 Nov 2021 14:31:10,278 INFO RegistrationChannel - setting agent type [DB_AGENT]
[DBAgent-1] 03 Nov 2021 14:31:10,279 INFO RegistrationChannel - setting agent application [Database Monitoring]
[DBAgent-1] 03 Nov 2021 14:31:10,279 INFO RegistrationChannel - setting agent tier name [Database Monitoring]
[DBAgent-1] 03 Nov 2021 14:31:10,279 INFO RegistrationChannel - setting agent node name [Database Monitoring]
[DBAgent-1] 03 Nov 2021 14:31:10,279 INFO RegistrationChannel - Sending Registration request
[DBAgent-1] 03 Nov 2021 14:31:44,386 ERROR ControllerHttpRequestResponse - Fatal transport error while connecting to URL [/controller/instance/UNKNOWN_MACHINE_ID/systemagentregistration]: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
[DBAgent-1] 03 Nov 2021 14:31:44,387 WARN RegistrationChannel - Could not connect to the controller/invalid response from controller, cannot get registration information
[DBAgent-1] 03 Nov 2021 14:32:04,391 INFO RegistrationChannel - Controller host [appmon.moh.gov.sa]; Controller port [443]
[DBAgent-1] 03 Nov 2021 14:32:04,391 INFO RegistrationChannel - setting agent hostname [apdyn-pr-da1.moh.gov.sa]
[DBAgent-1] 03 Nov 2021 14:32:04,391 INFO RegistrationChannel - setting agent version [Database Agent v21.9.0.0 GA compatible with 4.5.2.0 Build Date 2021-09-22]
[DBAgent-1] 03 Nov 2021 14:32:04,391 INFO RegistrationChannel - setting agent properties [{dbagent-name=Default Database Agent, dbagent-launch-id=e726f4a3-517c-48ea-be67-77cdc4db9688}]
[DBAgent-1] 03 Nov 2021 14:32:04,391 INFO RegistrationChannel - setting agent install dir [/appdynamic/db-agent-21.9.0.2521]
[DBAgent-1] 03 Nov 2021 14:32:04,392 INFO RegistrationChannel - setting agent type [DB_AGENT]
[DBAgent-1] 03 Nov 2021 14:32:04,392 INFO RegistrationChannel - setting agent application [Database Monitoring]
[DBAgent-1] 03 Nov 2021 14:32:04,392 INFO RegistrationChannel - setting agent tier name [Database Monitoring]
[DBAgent-1] 03 Nov 2021 14:32:04,392 INFO RegistrationChannel - setting agent node name [Database Monitoring]
[DBAgent-1] 03 Nov 2021 14:32:04,392 INFO RegistrationChannel - Sending Registration request
[DBAgent-1] 03 Nov 2021 14:32:40,544 INFO Agent - Full certificate chain validation performed using default certificate file
[DBAgent-1] 03 Nov 2021 14:32:40,755 ERROR ControllerHttpRequestResponse - Fatal transport error while connecting to URL [/controller/instance/UNKNOWN_MACHINE_ID/systemagentregistration]: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
I am doing

eval response = if ("msg.RESPONSE"="200", "Success", "Fail" )

and I have all msg.RESPONSE as 200, but I still get Fail in the output. As per the Splunk docs, the value after the condition should be returned if the condition is true, but it's the reverse in my case. The logs are in JSON format like below:

msg.RESPONSE : 200