I want to change the default page to an alerting page after login.
1. My network security device (F5 WAF) is sending syslog/event logs to the SIEM tool (Splunk); what kind of forwarder will my network security device need? 2. Can we parse the payload on Splunk from the events received from the WAF, and how?
Dear Splunk Community, I have the following search:

    index=websphere 200 OK POST

And I have different platforms that I find like this:

    index=websphere 200 OK POST LINUX
    index=websphere 200 OK POST Windows
    index=websphere 200 OK POST zLinux

I am currently using the following query to count all 200 OK POST events per platform:

    index=websphere 200 OK POST LINUX | stats count | rename count AS "Linux"
    | append [search index=websphere 200 OK POST WINDOWS | stats count | rename count AS "Windows"]
    | append [search index=websphere 200 OK POST ZLINUX | stats count | rename count AS "zLinux"]

This is just an example; I have way more platforms that I search like in the query above. I have two issues: it's slow, and it counts per platform and generates table headers horizontally, which I don't want. I would like to change the above so that I get the following output:

    Platform | Count
    Linux    | 24
    Windows  | 50
    zLinux   | 0

Also, using append search seems a bit devious. There must be a simpler, faster and better way to do this, but how? Thanks in advance.

EDIT: Please note that the results are all shown in _raw; there are no platform fields or anything generated.
Hi, I am trying to send data into a cluster with 1 SH, 1 MN and 3 indexers. I am unsure if I should:
A: Send data to the search head, then use the output groups to send the data to the indexers
B: Send the data directly to the indexers (however, I don't have a way to load balance this data)
Regards, Robert
Trying to figure out how to loop in Splunk. I have the query below, and my end result is to map/chart into a timechart by the percentage over _time.

    index=anIndex sourcetype=aSource StringA earliest=-480m latest=-240m
    | stats count as A
    | appendcols [search index=anIndex sourcetype=aSource StringB earliest=-480m latest=-240m | stats count as B ]
    | eval _time = relative_time(now(), "-240m@m")
    | eval percentage = round(( A / B) * 100)
    | fields + _time, percentage

Variables that need to change with each loop. Let's assume I want to show the percentage starting from 4 hours in the past to the current time in 30 minute increments.
1) Index: the earliest and latest need to increment by +30 minutes starting at (latest=-480, earliest = -240) till I get to 0
2) _time will need to be relative to when I start (beginning @ time now(), -240) and be adjusted on each loop by + 30 mins till I get to 0

I have looked at many examples but do not understand how to apply it to my requirements...
Hi guys, I want to get logs from Splunk to my socket.io server, but I receive a BAD MESSAGE REQUEST error on the socket.io server side. I can receive data from Splunk to a simple socket, but I need to use socket.io with websocket and I am facing this issue. Can you guys help me to receive data from Splunk to the socket.io server?
I wonder what's the best practice when working with JS in dashboards. I'm on Splunk Enterprise 8.2.1 Windows single instance for learning. When I use a JS for just setting tokens it's enough to do <host>:<port>/<language>/_bump after changes. But when I require a second JS inside my JS (separate JS for a custom view) I have to rename the second JS and restart the splunkd service and then _bump. _bump alone is not working, nor is /debug/refresh here. What is the best practice there? How does Splunk behave on different systems? Our production Splunk, for example, is clustered on Linux servers.
Hi - We have been using OT to send data into a single Splunk install and it is working very well. I am now looking to move this to production and send the data to my cluster of 3 indexers, but I am unsure how to tell the exporter to do this. In a forwarder I would give it the host and port of the 3 indexers, but how do I do this in an exporter?

Configure the exporter:

    exporters:
      otlp/aggregation:
        # push to the aggregator
        endpoint: ${AGGREGATOR_HOST}:${AGGREGATOR_PORT}
        insecure: true
      splunk_hec:
        # pushed to splunk
        token: "a04daf32-68b9-48b2-88a0-6ac53b3ec002"
        endpoint: "https://mx33456vm:8088/services/collector"
        source: "mx"
        sourcetype: "otel"
        index: "metrics_test"
        insecure_skip_verify: true

Thanks for your help in advance.
Hi Team, can someone guide me on how I can extract the following from the raw data below?
1) Need to extract the id 5d302144-3cab-387d-8e8c-2532a32b78fe
2) Need to extract the Starting time and the Stopping time

    2021-09-01 22:08:48,329 INFO [main] o.a.n.controller.StandardProcessorNode Starting SalesforceBulkAPIJobStatusProcessorV1[id=5d302144-3cab-387d-8e8c-2532a32b78fe]
    2021-08-20 12:53:23,476 INFO [main] o.a.n.controller.StandardProcessorNode Stopping processor: SalesforceBatchJobStatusProcessor[id=11c59e11-4bc5-3bbb-9fea-3c12407f3aa2]

Can someone please guide me on this?
Hi Experts! I wondered if there was a way of doing this. I have a need to compare a timestamp of a log to an EPOCH time also on the same log line and show the diff.

Example:

    2021-10-05 04:49:10.138 [pool-1-thread-1] INFO order - [Pool]Book={inst=example,1=[],2=[feed-|time=1633427347600000000}

Looking at it manually, the difference is:

    2021-10-05 04:49:10.138 (Standard time)
    2021-10-05 04:49:07.600 (EPOCH time)
    Difference 2.54 seconds

Thanks in advance.
Installing a new HF and getting the "UiHttpListener - Web UI disabled in web.conf [settings]; not starting" message.

    /opt/splunk/etc/system/local
    [splunk@ilissplfwd10 local]$ cat web.conf
    [settings]
    splunkdConnectionTimeout = 300
    #privKeyPath =/opt/splunk/etc/auth/amd_certificates/ilissplfwd05.key
    #serverCert = /opt/splunk/etc/auth/amd_certificates/ilissplfwd05.pem
    #privKeyPath = etc/auth/splunkweb/ilissplfwd05.key
    #serverCert = etc/auth/splunkweb/ilissplfwd05.pem
    #
    # enableSplunkWebSSL = true
    httpport = 8000
    [splunk@ilissplfwd10 local]$ cat server.conf
    [general]
    serverName = ilissplfwd10
    pass4SymmKey = $7$Byj9tE1Bz0uc/sXtMDIlSnuR96UpkmVZHEuj7i0giRrtt5r1zNk=
    [sslConfig]
    sslPassword = $7$SMjaRC7EGQjvqnX8xl9tkV+VzYcXdQ2rt0Ui0WCC8UzO3IJLqsJd8Q==
    [lmpool:auto_generated_pool_forwarder]
    description = auto_generated_pool_forwarder
    quota = MAX
    slaves = *
    stack_id = forwarder
    [lmpool:auto_generated_pool_free]
    description = auto_generated_pool_free
    quota = MAX
    slaves = *
    stack_id = free
    [splunk@ilissplfwd10 local]$
Hello folks, has anyone of you made it work that you somehow update the sighting of an attribute in a connected MISP instance? I have my MISP integrated with Splunk; IoCs are being downloaded to the TI framework. Based on this, some correlation searches are scheduled and TI-based notables trigger. I am looking for a way to get the feedback about TP/FP back to MISP. I am using the MISP42Splunk app, which has an adaptive response action "Alert for sighting MISP attribute(s)", but I cannot make it work. I was also trying to do it via some built-in MISP command without any success. Have you guys implemented this feature, or do you know some way to do it? Thanks!
Hello!! I am new to using Splunk and would like to know if it is possible to edit a lookup file via the Splunk REST API or the lookup editor API? Thank y'all
Hello Splunkers, I have an HTML button on my Splunk dashboard, and I want a pop-up when I click that button. That pop-up will have a Splunk query output. Please find my code below.

Button:

    <html>
      <button class="btn btn-primary button2" style="margin-left: 950px; margin-top: -75px; position: absolute;" token="button">Report Of Killed Processes</button>
    </html>

Button.js:

    require([
        'splunkjs/mvc/searchmanager',
        'splunkjs/mvc/tableview',
        'underscore',
        'splunkjs/mvc',
        '/static/app/abcd/Modal.js',
        "splunkjs/mvc/simplexml/ready!"
    ], function(SearchManager, TableView, _, mvc, Modal) {
        $(".button2").on("click", function (e){
            e.preventDefault()
            console.log(e)
            var myModal = new Modal("mod1", {
                title: "Movie Details",
                backdrop: true,
                keyboard: false,
                destroyOnHide: true,
                type: 'wide'
            });
            myModal.body
                .append($('<p>Please find the movie details below</p><div id="modal_dtl_tabl"></div>'));
            $(myModal.$el).on("show", function() {
                setTimeout(function() {
                    var epoch = (new Date).getTime()
                    var modal_movie_dtl_srch = new SearchManager({
                        id: "modal_tbl_srch" + epoch,
                        earliest_time: "@d",
                        latest_time: "now",
                        preview: true,
                        cache: false,
                        search: "|inputlookup kill_log.csv  |table *"
                    });
                    var myCustomtable = new TableView({
                        id: "modal_example-table" + epoch,
                        managerid: "modal_tbl_srch" + epoch,
                        pageSize: "10",
                        el: $("#modal_dtl_tabl")
                    }).render();
                }, 300)
            });
            myModal.show();
        })
    });

Also, I am using Modal.js from Splunk Dev For All, placed in my app ABCD. Now when I click the button, nothing happens.
Hello, I have logs that contain some string that I want to replace with ***. I want it to be permanent and not only at search time. Is it possible? P.S. I don't have the log files anymore, so I cannot delete and index again. Thanks
Hey there, I am looking to configure the CrowdStrike OAuth API app inside my SOAR instance. To connect to CrowdStrike it will require an account on the CrowdStrike Falcon instance. I cannot find anywhere in the documentation which states what permissions are needed for this account. CrowdStrike details the permissions on its website, but nothing specific for the API actions which are part of the SOAR app. Any ideas?
Hello, can anyone please help me? I want to search sourcetype for these IPs:

    10.2.123.123 OR 22.222.222.22 OR 33.333.333.33 | stats count by sourcetype

The result will be a joined result of the 3 IPs above. I want the result like this:

    10.2.123.123 | 22.222.222.22 | 33.333.333.33
    SourcetypeA  | SourcetypeA   | SourcetypeA
    SourcetypeB  | SourcetypeB   | SourcetypeB
    SourcetypeC  | SourcetypeC   | SourcetypeC
Currently working on a project where, instead of dedicating only a single instance of Splunk to ES, they actually have ES installed on every search head. From my experience in tinkering with "https://splunk-sizing.appspot.com/", any time I would pick ES for search heads, the automatic amount required for indexer nodes gets tripled. I was just wondering if maybe this would help ease the critical pressure that is going on in the indexers at the moment. Thanks,
https://answers.splunk.com/answers/562629/how-to-configure-pie-chart-to-display-count-within.html Same as the above post, I would like to have a pie chart with its count, so I followed the post and it works; it can show the count in the pie chart:

    ... | stats count by sc_status | eval status_slice = sc_status+" - count:"+count

Besides, we still have a token to pass the sc_status as 404/500/304... to a customised search string in the drilldown. Unfortunately, it's now passing sc_status as "304 - count:21088" instead of passing 304 to the drilldown search when we click on it, which causes the search not to work.

    <drilldown>
      <eval token="test">replace('click.value',"(\?&lt;=\d\d\d)(\?s)(.*\$)","")</eval>
    </drilldown>

In the drilldown it's not replacing the value as expected. I would like to seek any way that can fulfill both requirements (show count in pie chart + pass the correct value to the customised search).
Hello, I'm Sahir Khan. I need a Helm chart for a Splunk Operator deployment.