New to Splunk.  The addons for VMware and other virtual products seem to be components which were once collective packages.  There are 30+ options which perform seperate functions.  Which are necessary to have a general overview of my environment and which ones are still receiving support? I'm just overwhelmed by the amount of options and I'm not sure which ones are applicable.

Hi,  If I want to show the percentage, then I use  <option name="charting.chart.showPercent">true</option> but if I want to display the absolute value in the pie chart, I tried the following, it does not work. <option name="charting.chart.showValue">true</option> Thanks for help.

I updated an alert description using the REST API (port 8089).  When I use the API to list the description it shows the updated description.  When I look at the alert using the web page (port 8000) it still has the old version.  There are multiple instances of Splunk and a load balancer, but I do not know the specifics.  I always use the same IP address to access Splunk.     For the API access I use a token under my username.  Is my token the problem?  My user has enough rights to create and change alerts.  Although when I list all alerts using |rest/servicesNS/-/-/saved/searches I get a warning Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability Thanks.  

Hello. I'm fairly new to Splunk and SPL so bear with me here. I have the following scenario: I have an existing lookup file that was created by a search and is then updated daily by a similar saved search. So to sum it up, run a search, append contents of the lookup file, remove old events, and finally output the data to the lookup file again overwriting the old contents of the lookup file. If the search with the appended lookup file data and after clean-up results in zero events I still want the lookup file to remain. Now, when reading the Splunk docs I get a bit confused regarding create_empty and override_if_empty optional arguments. For create_empty, Splunk docs state "If set to true and there are no results, a zero-length file is created." So since outputlookup normally overwrites the file if it already exists is this the case even when writing no results? Same question for override_if_empty, which seems to be doing something similar. If override_if_empty is set to false, does outputlookup overwrite the lookup file with a zero length list when the search has no results? My saved search to update the lookup file looks approximately like this: | "get external data" | fields blah blah blah | fields - _* | rename blah blah blah | eval time=now() | inputlookup "my existing lookup file" append=true | sort 0 - time | where time > relative_time(now(), "-7d@d") OR isnull(time) | outputlookup "my existing lookup file" So do I need to add create_empty=true and override_if_empty=false? Or do I just need one of them, and if so which one? Grateful for any clarification on this matter. Thanks in advance.

I am looking integration for Appdynamics with BMC event manager.  My appdynamics controller is hosted on SaaS. How i can post event data to BMC event manager tool. Please share if anyone has done the same integration on Saas environvent.

could someone please let me know where I'm going wrong in my query ? | spath service_roles{} output=service_role | stats count by cluster_name date service_role | spath input=service_role service output=service_name | spath input=service_role role_status{} output=status | rex max_match=0 field=_raw "hostname: <(?<hostname>.*)> type: <(?<type>.*)>" | eval status=mvzip(hostname,type) | mvexpand status | rex field=status "(?<hostname>[^~]+)~(?<type>[^~]+)" | dedup cluster_name, service_name | table cluster_name, service_name, hostname, type

Hi Team, I am looking for the help for the Event logs report if threshold match. I tried both way with creating a report and alert. but it either send me logs using |table _time, _raw  method or sending count using |stats count | where count >0 I need to schedule last 24hrs data  report like, only if there is a event  at 00:00 AM. Please guide me  Thank you

Hello everyone and thanks in advance. I'm trying to make a search for file deletion but it isn't working. Do you have any example of a use case? I tested using sysmon but when I delete a file I can't see event 23.

Hi, I need to create an index called "assets" from a JSON data file that I have. However, wen I try and create such an index and navigate to the given data file, I receive the following error: The index in question does not currently exist on my Splunk instance and I am trying to create a new index and populate this index with this data. Can you please help?   Thanks.

OK I think I know what it is Splunk Search Runtime, but I have not ever thought what values or insights can this feature give. Today I decided to check my Splunk Cloud health and search usage statistics (just for curious) and noticed that of some searches "search runtime" is kinda very long like for 15 minutes and more, but if I run those searches it usually takes me several seconds. So why it is showing in statistics that it was running for 15 min and more? Can someone explain? Thanks.

Hi all, We are creating episodes and incidents are getting created in SNOW , the incident number is available in Activity tab of the episode review but not in the Impact tab. could you please help us how to resolve this issue? Thanks, Nivetha S