Hi there, I'm currently building a dashboard and need to display two dates, one being today's date and the other being the previous working day. I use the query below for today's date  <query> index=main | head 1 | eval Date = strftime(_time,"%d/%m/%Y") | fields Date</query> Could you help me with the query to display the previous working day. Many thanks! Janine

Hello, I am facing issue while using singleview with js. In splunk I use js to create few singleviews, few of them are working which has only one trelli but the one which has multi trellis in a panel are not at all displaying the panels, it either on queue or just waiting for data. Could anyone please help...

Hi, I was looking for datasets mentioned in DSDL, but I dont find them with container, do we have any place to download the sample data related to notbooks and can run the dsdl examples.   They have mentioned those are avaliable in data path in jupyter notebook, but i don't find any data realted to sample data.   If any one have the data please let us know.   thanks  

Hi, I have a question regarding the 0mb Lic; As stateted here in another thread it is mendatory in segmentated networks when DS cannot reach LM. This is the case for my customer in a critical infrastructure environment. Now this customer has several zones, running multiple DS / HF (filtering) inside different zones. The customer does not want to connect all of the DS/HF to LM, but Data is Forwarded to a central Indexercluster.   Lately we saw that Splunk is not allowing to install the same 0mb lic on multiple Servers. Does this mean I have to request a separate 0 mb lic for each of the DS/HFs? The error reads: Peer xxx has the same license installed as peer yyy. Peer xxx is using license master self, and peer yyy is using license master self. Please fix this issue in 72 hours, otherwise peer will be disabled. What is your opinion on this, how we can fix the issue? BR Markus

Hello Splunkers, I would like to have a page show when an user clicks an app icon, instead of going to a default dashboard, it shows a list of dashboards available (with links to open) and information about the app and or dashboards. I have searched around and have not found anything. I would like something similar to an "index.html" page, etc. Thanks for a great source of info on splunk.   eholz1

I keep getting Client is not authenticated Error. I wondered if there was an error occurring internally, so I confirmed that the following authentication error occurred while searching. startup:116 - Unable to read in product version information; isSessionKeyDefined=False error=[HTTP 401] Client is not authenticated Host: It seems to be occurring in both IDX and SH, and it is confirmed that the error occurred on 11/12. Is there any way to check which app is causing it?  

Hello, we tried to enable TLS validation with Splunk 9.0.2 as described in the Splunk documentation. Unfortunately, this caused our distributed Splunk system consisting of index cluster and searchhead cluster to stop working. Specifically, searches could no longer be performed. We discovered the following messages in the search head log: 11-06-2022 23:59:59.839 +0100 ERROR DistributedPeerManagerHeartbeat [95344 DistributedPeerMonitorThread] - Send failure while pushing public key to search peer = https://10.10.10. 10:8089 , error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name. This makes us wonder, because actually the connection for the TLS connection should be established over fqdn and not over an ip address. When establishing a connection over the IP, it is also logical that the TLS name check against the host name fails, since only the FQDN and no IP address is stored in the TLS certificate. We therefore wondered why the search head addresses our index peer 10.10.10.10 via the IP and not the fqdn. The Splunk documentation states that the search head gets the list of index peers from the cluster manager. However, in the cluster manager, our index peers also report by name, at least that is what the output of the cluster master suggests: >> splunk/bin/splunk show cluster-status WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details. Replication factor met Search factor met All data is searchable Indexing Ready YES HA Mode: Disabled indexpeer01.bla.fasel 132BC25B-7774-40D9-AAED-22F9795C8E3F site2 Searchable YES Status Up Bucket Count=2412 indexpeer02.bla.fasel 9B5E23F6-3D53-4AAF-805F-DEDF3ACF9D87 site2 Searchable YES Status Up Bucket Count=2467 indexpeer03.bla.fasel CCBC4D24-025E-45FB-A68D-9C1A14219D3F site1 Searchable YES Status Up Bucket Count=2384 indexpeer04.bla.fasel D649A1C7-9E86-4E48-9B47-144C70029C15 site1 Searchable YES Status Up Bucket Count=2475 On our search heads, our search peers are listed by IP-Adress in the attribute PeerURI instead of the fqdn. How can we change it to the fqdn? Do other users have the problem as well? Or does TLS validation work even though IP addresses are listed there? Thanks!

Hi Folks; Has anyone had any luck with the new built in "Token Refresh Check" alert that comes with the CrowdStrike Falcon Event Streams TA (version 2.0.9+). This is now part of the TA to restart inputs if they become blocked / unstable (less than 2 events in an hour). We can prove the alert is triggering as we are getting emailed alerts but it doesn't seem to be restarting the inputs if no events are seen in the timeframe, so were having to still manually disable / enable the inputs. As far as we can tell everything is configured correctly. Anyone have any luck with the alert? Cheers

i am trying to create a custom field like host and source by making changes in atteched  photos of entrypoint.sh and input.conf. when I deployed with this changes it does not create field for me with name task . Please check i am on right path. If did i do anything wrong let me know 

Hi Splunkers, I have two lookups where having a common field "values" For example: lookup 1     lookup 2 values           values a                       a b                       e c                       f d                       g I need to compare these two lookups and get the values that are not in the lookup2 (b,c,d). I'm using below query but it's not working. Please help. TIA |inputlookup lookup1.csv |stats count by "values" |search NOT [|inputlookup lookup2.csv |fields "values" | fields - count ]

Hello! I currently have this eval in a search of mine:   | eval exists=if(like(_raw, "%xa recovery%"), 0, 1)   Is there any way to set the variable exists to 0 until a specific event comes up? What I'm trying to accomplish is like this... If event contains(xa recovery) exists=0 until event contains(System READY) then exists=1. Thank you!