Dear all, There are 5 columns in one chart output and the output used to create one dashboard panel. When enable the drill down function for this dashboard, all cells for 5 columns appear as click-able status. Is  there any way to disable the click or disable cells selection for particular column? So user cannot click the cells for that column, or even click nothing happen from system behavior point of view. Thanks.

I hope everyone is having a great time today, I am here to first thank you guys for being so helpful and assertive! you people rock! and second to ask for assistance regarding a regular expression. I have a field that will contain a string that will start by "check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ##" I want to be able to extract the string that is between the "##"  but... sometimes this field may have a string that starts by "the auth was..." I want to be able to extract any string   between two "#" whenever the value of the field starts with  "check-in unavailable due to external cause the ref code is"     for example  if I have this: FIELD CODE "check-in unavailable due to external cause the ref code is ##AIUI- 989 K-IOJ## AIUI- 989 K-IOJ "the auth was denied code ## uik-55855##" N.A   thank you guys SO MUCH   Kindy, Cindy

I cannot figure out which component to enable HEC and where to send the events. We have an on prem Splunk Enterprise distributed configuration with a Deployment server, Indexer and SearchHead. We also have an independent "sandbox" environment for testing where I'm trying to set this up. Sandbox is 1 server with the whole Splunk Enterprise installation, however we do use the deployment server to setup and configure the sandbox universal forwarders, etc.  I setup HEC tokens on the sandbox and could not figure out how to get it working. I am testing using Curl commands. I then added HEC tokens on the deployment server and still testing with Curl, cannot figure out how to send events to it.  I get these errors: 1) Sending curl to sandbox URL with either deployment server HEC token or sandbox HEC token "The requested URL was not found on this server.","code":404 2) Sending curl to indexer URL with either deployment server HEC token or Sandbox HEC token Failed to connect to spidxa.open-techs.local port 8088: Connection refused 3) Sending curl to deployment server URL with either deployment server HEC token or Sandbox HEC token Failed to connect to spmgta.open-techs.local port 8088: Connection timed out 4) Sending curl to SearchHead URL with either deployment server HEC token or Sandbox HEC token, and this is likely a firewall issue, but it doesn't make sense to me to send the event to the search head, so I haven't pushed security to open this port. Failed to connect to spsha.open-techs.local port 8088: No route to host This is my curl command with escaped double quotes and {variable substitutions} curl -g -k --location --request POST 'https://#{server I am testing}:8088/services/collector/event' --header "Authorization: Splunk {token}" --header "Content-Type: text/plain" --data-raw "{\"event\": \"Test kong_dev\"}" Can anybody tell me which components do which part of the HEC event collection? The introspection\http_event_Collector_metrics.log on both deployment and sandbox just show one minute intervals of 0 transactions going through there.   

I have a Splunk Enterprise deployment. I want to get Windows logs in (Application, system). I am using the Windows TA for Splunk (https://splunkbase.splunk.com/app/742/) because I want it's field extractions/transforms. I also have my own TA with a custom inputs.conf which I use to specify which logs I want to collect. So 2 apps Windows TA - for transforms My custom app - for the inputs.conf The Windows TA app has been installed on the deployment clients via the server. The stanzas in inputs.conf have `disabled=1` . The custom app has also been deployed via the deployment server with all stanzas in inputs.conf having `disabled=0`.  There is no TA installed on the Splunk server, only on the UF (deployment client). Hence, I _assume_ that it will collect the logs specified in my custom inputs.conf and apply the transforms from the Windows TA. Below is a snippet of my custom inputs.conf       [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 renderXml=true evt_resolve_ad_obj = 1 index = windows [WinEventLog://System] disabled = 0 renderXml=true evt_resolve_ad_obj = 1 index = windows [WinEventLog://Application] disabled = 0 renderXml=true evt_resolve_ad_obj = 1 index = windows         However, in Splunk, I see the data but without any extractions as below I tried to set a stanza in the Windows TA to `disabled=0` and I still don't no extractions. Do I need to enable the transforms somewhere? Or any ideas why extraction isn't happening for me regardless of whether I use my custom inputs.conf or the Windows TA inputs.conf? Additionally, can I ask - how does one know whether an app is to be installed on the server or indexer or UF/HF, etc.? I did not find any indication on the app page of this. Hence here, I've only installed the app on the UF.  

Hi, I have a MV field that I need to split apart into other mv fields Here is the result of the query   What I want it to look like is   I've been fighting with MV commands but nothing seems to work quite like I wanted it to sooooo I figured I'd raise my hand and ask the Splunk Wizards