hello , i wanted to add a drilldown, where if any user clicks on the column name a new dashboard should open.   col1  col2  col3 1          2          3 4          5          6   if user clicks on only col2 name it should open a new dashboard

I am trying to get data into Splunk APM from my python and Golang applications deployed in Kubernetes. But I am not able to see the data from both app.  I also tried running the app on Linux System but from there also not getting any data. 

Hey people, my requirement is as such I have extracted these columns from my data using the query    my query | rex "filterExecutionTime=(?<FET>[^,]+)" | rex "ddbWriteExecutionTime=(?<ddbET>[^)]+)" | rex "EXECUTION_TIME : (?<totalTime>[^ ms]+)" | eval buildAndTearDowTime=(tonumber(FET)) + (tonumber(ddbET)) |table totalTime FET ddbET buildAndTearDownTime     I want to have buildAndTearDown as totalTime - (FET+ ddbET)   once I have all the three values required (FET, ddbET, buildAndTearDown) I want to put these values in a pie chart.   Thanks  

We have a distributed deployment consisting of  2 Search heads, 1 indexer, Deployment server, 2 Heavy Forwarders, Universal Forwarders and a Syslog server. We need to shut it down and then boot it back up. What is the best sequence to shutdown and boot up the environment gracefully?  Also anything to keep in mind while doing so to avoid errors. 

Based on the article provided below we have updated our Atlassian settings to pull the Bitbucket logs into our Audit Logs hence we want to how can get them ingested into Splunk. So do we any specific add-on to get this audit logs pulled and ingested into Splunk? Or how do we get them integrated and get them ingested into Splunk. Article: https://bitbucket.org/blog/bitbucket-audit-logs-are-now-available-in-atlassian-access https://support.atlassian.com/security-and-access-policies/docs/track-organization-activities-from-the-audit-log/ So can anyone help me on this requirement.

hi all, we  are creating one dashboard having two tables , in that we have set different folder locations for monitoring.  BAU table 1 query = source="F:\\Logshipping\\Export\\BAU\\*" host="FinIQDB-DR" index="index_bau" EP_ER_QuoteRequestId= * EP_ER_QuoteRequestId != "EP_ER_QuoteRequestId"| dedup EP_ER_QuoteRequestId| table EP_ER_QuoteRequestId, orderStatus,EP_ExternalOrderId,ER_Created_At,ER_Created_By,EP_Order_Requested_At,EP_Order_Response_At,ER_Type,EP_ordertype,ER_UnderlyingCode,ER_LimitPrice1,ER_LimitPrice2,ER_LimitPrice3 ,source   DR table 2 query = source="F:\\Logshipping\\Export\\DR\\*" host="FinIQDB-DR" index="index_dr" EP_ER_QuoteRequestId= * EP_ER_QuoteRequestId != "EP_ER_QuoteRequestId"| dedup EP_ER_QuoteRequestId| table EP_ER_QuoteRequestId, orderStatus,EP_ExternalOrderId,ER_Created_At,ER_Created_By,EP_Order_Requested_At,EP_Order_Response_At,ER_Type,EP_ordertype,ER_UnderlyingCode,ER_LimitPrice1,ER_LimitPrice2,ER_LimitPrice3 ,source ** Screenshot   1. We are getting updated records  in BAU table ,whenever file is updated into folder  2. We are not able to get updated records in DR table , when file is updated, in that case we have to  delete an index and re-create it .  then new records are populated in the grid. thanks.                  

I have a event like this 02.09.2022; seller david address 434 xyz house price 20000  [color:green] {noffloors: 5] status sold 02.09.2022; seller lenin address 222 abc  house price 30000  [color:red] {noffloors: 7] status sold Assuming address, price, color and noffloor are not indexed as fields. How do I obtain output like this ? I am thinking of using regex but i dnt know the exact experssion address     price      color      nofloor 434 zyz    20000   green      5 222 abc    30000  red            7  

I have two lookups RLQuotas: Endpoint, Endpoint Name, filter, quota, Window RLFilters: Attribute, filter I want to loop through all the endpoints. all endpoints have a specific window, quota and filter and i am searching it based on filter attribute I want output fields Endpoint Name, filter, Quota This is the query i came up with | inputlookup ID-RL-Quotas | lookup ID-RL-Filters Filter | fields Endpoint, "Endpoint Name", Attribute, Window, Quota, Filter | rename "Endpoint Name" as EndpointName | map [| eval Window = tonumber($Window$) | search sourcetype="some" http_url = "$Endpoint$" minutesago=Window | eval ip = mvindex(split(http_remoteip,","),0) | eval EndpointName = "$EndpointName$" | eval WindowI ="$Window$" | eval QuotaI="$Quota$" | eval FilterI="$Filter$" | search $Attribute$ = "*" | stats values(EndpointName) as "Endpoint Name", values(FilterI) as Filter, values(WindowI) as Window, values(QuotaI) as Quota, count by $Attribute$ | where count >= 0.8 * $Quota$ | sort -count] maxsearches=10000 This only gives me one filter output not all

Hi all, Last year, Crowdstrike  announced they will be deprecating the following, and we are now in the last 30 days before this happens. The "GET /devices/entities/devices/v1" will be deprecated on February 9th 2023. The following applications will definitely be impacted (there may be others): CrowdStrike OAuth API  CrowdStrike Falcon Devices Technical Add-On    Is there a plan in place to roll out updated Crowdstrike apps with the new endpoints?   Thanks!

Hello Splunkers, I have an issue with a bar chart - I have a dashboard set to dark theme. I am using splunk 8.2.4, and SimpleXML. I create the chart from a search, convert to a horizontal bar chart - and the bars are an OK color, blue, etc. But when I move the visualization into an existing dashboard set to the dark theme, the chart comes in as a nice orange color - then immediately switches to a gray color. The existing dashboard is from the Cisco Networks app. Any ideas on this?? Thanks so much, eholz1  

Hello, I have a problem after upgrading splunk from 8.1.7.1 to 9.0.2. the Splunk service starts the first time (after I run splunk start), and after a few seconds splunk stops. Before, there was no such problem. the Spkunk logs I can't find a message that indicates the source of the problem. here are the errors i found: is there anyone having the same problem as me? Thanks in advance  

Splunk version 9.0.0 on Windows servers Please allow me to preface this by saying yes I GOOGLED this error and yes I did find some hits on this very Community site though 6 years old, and yes I did follow the many links to other links, which in turn lead me to more orphaned threads, ha ha, hence deciding to make this fresh more current post in which I hope we can present a solution File Integrity checks found 40 files that did not match the system-provided manifest. Review the list of problems reported by the InstalledFileHashChecker in splunkd.log File Integrity Check View ; potentially restore files from installation media, change practices to avoid changing files, or work with support to identify the problem. So if you click that link you get something like this:   List of installed files presenting integrity check failures The table below shows files that were installed by the Splunk Enterprise package and have been improperly modified or are missing. Learn more.   Search is completed   File path Check result   List of installed files presenting integrity check failures The table below shows files that were installed by the Splunk Enterprise package and have been improperly modified or are missing. Learn more. Search is completed File path Check result C:\Program Files\Splunk\etc/apps/SplunkForwarder/default/app.conf missing C:\Program Files\Splunk\etc/apps/SplunkForwarder/default/default-mode.conf missing C:\Program Files\Splunk\etc/apps/SplunkForwarder/default/health.conf missing C:\Program Files\Splunk\etc/apps/SplunkForwarder/default/outputs.conf missing C:\Program Files\Splunk\etc/apps/SplunkForwarder/default/server.conf missing C:\Program Files\Splunk\etc/apps/SplunkForwarder/metadata/default.meta missing C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/appserver/static/pages/jquery_scan.js differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/appserver/static/pages/python_scan.js differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/appserver/static/pages/setting.js differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/appserver/static/pages/setting_scan.js differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/appserver/static/pages/splunk9x_scan.js differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_app_list.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_check_mongodb_tls_dns_validation.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_check_search_peer_ssl_config.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_email_notification_switch_scripted_input.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_remote_latest_report.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_remote_scan_scripted_input.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_scan_apps.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_scan_deployment.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_scan_process.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_send_email.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/eura_telemetry.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/jura_scan_process.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/jura_telemetry.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/pura_consts.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/pura_logger_manager.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/pura_skynet_log_manager.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/pura_utils.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/splunkbaseapps.csv differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/pura_consts.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/pura_logger_manager.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/pura_skynet_log_manager.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/pura_utils.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/splunkbaseapps.csv differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/pura_remote_latest_report.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/pura_telemetry.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/bin/scan_process.py differs C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/default/data/ui/nav/default.env_cloud.xml missing C:\Program Files\Splunk\etc/apps/python_upgrade_readiness_app/default/data/ui/nav/default.xml differs C:\Program Files\Splunk\etc/system/local/README missing

I'm trying to create a dashboard that displays the data for splunk restart  the current search I'm using is index="_audit"   but this shows the no. of times I've logged in instead of the no. of times I've restarted