Hi everyone, I am currently having this issue where when I export my dashboard as a PDF, some of the Pie charts aren't showing up but their labels are. I initially thought that converting that panel to a report would solve this thinking it was an issue with data loading but that didn't seem to work. Any suggestions?

Hello everyone.  I have a dashboard with embedded queries that has stopped working since my update from 8.1 to 8.2.1. The query is as follows: host=sftpserver* source=/var/log/messages close bytes read written | rex "close \"(?<filename>.[^\"]+)" |rex "written (?<writebytes>\w+)" | rex "read (?<readbytes>\w+)" | eval rfile=if(readbytes == 0, null(), filename) | eval wfile=if(writebytes == 0, null(), filename) |eval writemb=(writebytes/1024/1024) | eval readmb=(readbytes/1024/1024) | eval readmb=round(readmb,2) | eval writemb=round(writemb,2) |eval datetimestr=strftime(_time, "%Y-%m-%d %H:%M")| chart count(rfile) The query just gives a count of the number of files download from my SFTP server. Since the update, the dashboard that includes this query (and several others) now only shows data from before the time when Splunk was updated. Copying the query from the dashboard into a search, I can get the query to work in verbose mode but neither Fast nor Smart mode will return any results.

Hi Everyone,  Please, What is the search query to find: 1- The current health status of URL check for API services if (regex extracted field=200) achieved, means successful, otherwise all other services are failed? 2- At any selected time, the API availability percent time that each service is 200 (success)?  Thank you   

Hello! I don't normally load data into Splunk as I am primarily a front end user. However, I would like to load some of the attack datasets that Splunk has provided in Github.  attack_data/datasets/attack_techniques at master · splunk/attack_data · GitHub Does anyone have config files for loading these windows log files posted here? My admin says they are a flat file and we do not currently have configuration files for ingesting them. Thank you so much, Cindy 

Disclaimer: This is an issue with VMware and not Splunk. But looking to see if others in the community have seen the same issue. Our infrastructure team has recently upgraded VMware to v7. We immediately started receiving an additional terabyte of logs from their hosts. They have a support case open with the vendor to figure out why, and the vendor agrees that this is not normal and we shouldn't have seen this volume spike. They're leaning more towards a misconfiguration than a bug. They're also wondering if others in the community have seen the same from VMware v7, and if so how was it handled. Has anyone who is using v7 of VMware seen the logging spike? If so, how did you resolve it? 

Hello, Can anyone kindly assist me with this item? I have multiple webservers and not all of them are forwarding the IIS logs into splunk. I have configured my input.conf  to: [monitor://G:\wwwlogs] disabled = 0 sourcetype = ms:iis:auto index=iislogs initCrcLength=2048 alwaysOpenFile = 1 I have attempted many different settings and scenarios. Any help is much appreciated. Thanks in advance  

We've been using the Splunk Add-on for F5 BIG-IP to forward F5 ASM events to our syslog cluster (two Linux servers) that have a Splunk UF installed and monitoring the F5 directory. This configuration has been running for two years with no problems as Splunk ingests the ASM F5 logs/events. Today in the F5 GUI, I enabled the forwarding of bot defense logs/events to the syslog cluster using the same port and when I check the log file on the syslog cluster, I see the raw bot defense events, but when I check Splunk, I am not seeing the events at all. Any ideas as to why these raw events aren't being picked up? Thx

Hey there, I just started with splunk. Currently I'm testing the new dashboard studio feature. I would like to count all searches with 1 or more found events on my dashboard. In case of the attached picture, I would like to display 3 in the upper SingleValue field. If the search for Event 2 has 0 results, i would like to display a 2, and so on. Is there a simple and scalable solution to this, if I want to add more searches to the dashboard later on? Thank you in advance!

We have a Splunk Alert set up with the following configuration: SETTINGS Alert type = Scheduled (Run on Cron Schedule) Time Range = Today Cron Expression = ***** Expires = 24 hours TRIGGER CONDITIONS Trigger alert when = Number of Results > 0 Trigger = Once Throttle = Ticked Suppress triggering for = 1 day TRIGGER ACTIONS When triggered - Add to Triggered Alerts - Send email The issue that we are experiencing is that if we have 3 events occur at different times throughout the day, we are only receiving an email for the first one.  Also, the following day (within the 24 hour period from the previous alert) we are not receiving any email notifications.  In all cases if I select the Splunk Alert and view the results I see all the events shown here, including those for which no email notification was received.. I believe the issue here has to do with the following settings: Trigger = Once Throttle = Ticked Suppress triggering for = 1 day From the Splunk documentation it is not clear whether all Splunk alerts would get suppressed after the first one, or just repeated Splunk Alerts for the same event.  I am assuming that it's the former as this would explain why we don't see any further email notifications until the 1 day / 24 hour period expires(?) I think changing the settings to the following: Trigger = For each result Throttle = Ticked Suppress triggering for = 1 day Will at least mean that we receive only one event in each email notification (for simultaneous alerts ... another issue that exists) but will not fix the suppressed email notifications.  Furthermore, removing the Throttle seems to just continuously alert on the same event. I want to keep the "Scheduled Alert" type (rather than "Realtime") due to the set-up that we have here and also I am unable to play around too much with the configuration in test as we do not have email notifications in this environment (only in our live environment). The goal, in case it's not yet clear from the above, is to receive a single email notification for each event.  Can you please advise / suggest the correct change that I should make to achieve this?

Hello, after upgrading our splunk development instance to 8.2.0, the page https://<splunk-ip>/en-Gb/manager/<app_name>/data/macros can not be found anymore in any app other than basic splunk search app. It just shows "404 Not Found". Has anyone else experienced that issue? I am asking for a friend.

Hi, i have a problem with a few queries. I have something actually like this:     index = nsw_prod_eximee ERROR | rex field=formInstanceNumber (?<pref>\w{3})\d{9} | rex field=applicationNumber (?<pref>\w{3})\d{9} | eval "Name" = case(pref=="USP", "mProtection", pref=="FGT", "mTravel", pref=="FGH", "HouseHold", pref=="FGS", "mMoto") | stats count as formInstanceNumber by "Name" | rename formInstanceNumber as "Errors"     And i have a table with a 4 values: But now i have a problem to count a column "Errors". I want to count all Errors.   2. The second problem i have, i can't do the timechart and i need help with it. I want to do timechart with that all values, but when i do that, there is no columns on timechart. How to get that query?   Thanks in advance.

Hi, I wanted to know if there is anything in particular to be considered if one intends to connect a Splunk instance which is on premise to an Oracle database on Cloud using Db Connect? Objective is to pull data from a table in the database. Thanks in advance.

Hi all, so I've been trying to ingest cisco netflow logs into my splunk environment, and finally got the logs in with Splunk Stream. However, there's a field "src_content" which seems to be unable to parse or read by splunk, and its appearing as symbols. I'm suspecting itt is due to cisco netflow sending them via High-Speed Logging. Is there a template for splunk to decode these? It looks like this for eg. src_content:
"��`��f
^P
,
d�
N�q������l��
z�so#(���