Hi  I have a table like below and I am looking to have a tooltip for several of its columns. I have looked at some solutions on questions, but nothing seems to answer this one correctly. Any ideas? Regards Robert Lynch  

Simplest things down, downloaded the msi and installed on windows (Enterprise/free version) and then the Splunkuniversalforwarder as well.  restarted the local host and attempted to get to 127.0.0.1, cannot connect. Opened up the directory in the C:... /splunk path and selected splunk.exe.  will this fix the issue?

Hello -  I was reading this:  https://docs.splunk.com/Documentation/SCS/current/Search/Timemodifiers But it is not very clear to me how to use the time modifiers properly. index=blah sourcetype=blah fields _time index sourcetype GB | timechart span=1d sum(GB) as Gigabytes How would I draw my time chart to the end of the previous day over a 7-day period using a time modifier? Would it be:   index=blah sourcetype=blah _index_earliest=-7d@d index_latest=-1d@d Please advise, thank you.

Hi, I have some application logs in the following format:   ERROR | 2021-07-20 06:55:54 EDT | Field1 = Value1 | Field2 = Value2 | Long Error String - Another long error string | Field3 = Value3 | ... | ...     Most of the tokens are in Field=Value format and Splunk is able to extract them just fine except the portion where there is no Field listed. Just two different error strings separated by a " - ".  (These strings may contain other special characters as part of the error) Is there a way I can extract both of them separately, e.g. signature_1, signature_2 without disturbing rest of the extractions? I would prefer doing this with props/transforms. I was thinking of using "DELIMS" option but not sure how to target just that particular part of the log.

Hi Splunk Experts, Below is a sample event, I have below spath msg.message.details, I am trying to extract certain  fields from the details datapath. How can I extract 'msg.message.details' into fields?, I am still a newbie and learning on the go in splunk world, I am guessing to use rex, but is there a way using spath? Our index has structured other json paths eg:y has other spath eg:msg.message.header.correlationId, etc,  { [-] cf_app_id: test123 cf_app_name: test event_type: LogMessage job_index: ebcf8d13 message_type: OUT msg: { [-] level: INFO logger: UpdateContact message: { [-] details: Data{SystemId='null', language='English', parentSourceSystemAction='null', contactId='cf4cae75-28b3', status='Active', birthDate='1991-01-15', eventAction='Create', Accounts=[CustomerAccounts{ Case='000899', accountid='4DA4F29E', contactRelationship=ContactRelationship{expiryDate='', contactType='owner', endDate=''}}],workContact=WorkContact{faxNumber='null', mobileNumber='null', emailAddress='null', phoneNumber='null'},homeContact=HomeContact{faxNumber='null', mobileNumber='null', emailAddress='', phoneNumber='null'},businessAddress=null,personalAddress=[PersonalAddress{addressId='9205', locality='PARK', internationalPostCode='null', internationalState='null', additionalInfo='null', isPrimary='Y', streetNumberStart='null', addressType='null', status='CO', streetNumberStartSuffix='null', postalCode='765', streetNumberEnd='null', streetName='null', country='null', streetNumberEndSuffix='null', streetType='null', state='null', subAddress=SubAddress{buildingName='null', numberStart='null', addressLines=[MIL PDE,], details=[Details{value='null', detailType='null'}, Details{value='null', detailType='null'}]}}],idv=Identification{doc=License{state='null', number='null'}}} header: { [-] correlationId: 707000J-52f6-10df-00f3-f859-1c5ed entityId: cf75-2b3-cb38-cef-a72ad88 entityName: test errorCode: null errorMessage: null eventName: testevent processName: process1 processStatus: SUCCESS serviceName: testservice serviceType: Dispatch } } timestamp: 2021-07-20 } origin: rep timestamp: 1626764261880766200 } Any help is much appreciated. Thanks