The following is my ideal final query to be used in a dashboard.     index=cdn_app httpMessage.host=taxes* | eval _env=$env_host$ | eval _hostName=case(_env=="http:abc-h123-apps-prod","taxes.sf.com", _env=="http:abc-h123-apps-qa", "taxes-qa.sf.com") | search httpMessage.host=_hostName | spath output=status path=httpMessage.status | eval status=case(like(status, "2%"),"2xx",like(status, "4%"),"4xx",like(status, "5%"),"5xx") | stats count by status   It seems `_hostName` is not resolving even when I hardcode and values like so.     index=cdn_app httpMessage.host=taxes* | eval _env="taxes.sf.com" | eval _hostName=case(_env=="http:abc-h123-apps-prod","taxes.sf.com", _env=="http:abc-h123-apps-qa", "taxes-qa.sf.com") | search httpMessage.host=_hostName | stats count by httpMessage.host   I'm sure its with my eval case because this works just fine.     index=cdn_app httpMessage.host=taxes* | search httpMessage.host="taxes.sf.com" | stats count by httpMessage.host   Open to any suggestions. Thanks!    

I'm looking for a search I can run that will return the ingest rate (KB/s) across the entire cluster.  I know there's a "Deployment-Wide Total Indexing Rate" panel in the DMC dashboard "Indexing Performance: Deployment" that contains this data but I need to recreate this on the cluster itself to push to a summary index for retention and quick export.  Also, if there's a similar search that will return events/s, I'm looking for that as well.

Hi,   I have dashboard with multiple panels. Some of them I succeeded to only show them when there is a result. Now I would like this also for some single value vis.  The single value displays '0' when no result. But still is showing in the dashboard. How can I fix this?     </panel>     <panel depends="$panel_show4$">       <title>Test_Panel_4</title>       <single>         <search>           <progress>             <condition match="'job.resultCount' &gt; 0">               <set token="panel_show4">true</set>             </condition>             <condition>               <unset token="panel_show4"></unset>             </condition>           </progress>

Anyone have any ideas on who created this application.  The app files seem to point to Splunk, however support is unable to investigate as it is listed on splunkbase as "Community" (though it says Splunk SOAR MobileIron Copyright Splunk Inc.) which is leaving me confused and unsure where else to get answers.   https://github.com/splunk-soar-connectors/mobileiron/blob/next/NOTICE Splunk SOAR MobileIron Copyright (c) 2016-2022 Splunk Inc.   Third-party Software Attributions:   Library: beautifulsoup4 Version: 4.9.1 License: MIT Copyright 2004-2017 Leonard Richardson Copyright 2004-2019 Leonard Richardson Copyright 2018 Isaac Muse   Library: requests Version: 2.25.0 License: Apache 2.0 Kenneth Reitz

My colleagues and I have been biting our tongues trying to get the partitioning right with the slim-packaging-toolkit. We manage to package the technical add-on from the source code into the tar.gz file and then execute the command to get the packages for the specified workloads, but they don't differ. We have been trying several things regarding the "tasks" and "inputGroups" specification in the app.manifest file, but we can't manage to split the app so that all the python stuff is only in the forwarder partition and none of it is in the searchhead partition to install it via self-service in splunkcloud. Any kind of help and all materials and resources, apart from the standard documentation, which unfortunately doesn't help much, is very welcome and appreciated.

   Good morning This was on one of my search heads. Can anyone help or point me in the right direction for this. Some answers were not very clear to me. If someone can expand that would be fantastic    Thanks

Hi at all, I configured for my Heavy Forwarder the following values of queues:   [queue=typingQueue] maxSize = 100MB [queue=indexQueue] maxSize = 100MB [queue=aggQueue] maxSize = 100MB [queue=parsingQueue] maxSize = 100MB   but when I check the queues I find:   2 - Aggregation Queue 102400 3 - Typing Queue 102400 1 - Parsing Queue 512 4 - Indexing Queue 102400   What could it be the problem? Why parsingQueue hasn't the correct value? could it be another location where this value is setted? Ciao. Giuseppe

Hi, I got a table data with 3 fields (Time, Method, Return) Time Method Return 28/10/2022 Method 1 KO 28/10/2022 Method 2 KO 28/10/2022 Method 1 OK 28/10/2022 Method 1 OK 28/10/2022 Method 1 OK 28/10/2022 Method 1 OK ... ... ... 29/10/2022 Method 2 OK 29/10/2022 Method 2 OK 29/10/2022 Method 2 OK 29/10/2022 Method 2 OK 29/10/2022 Method 2 OK 29/10/2022 Method 2 OK 29/10/2022 Method 2 OK   I'd like to make a timechart with double agregation (one per Method, then one per Return) to get this kind of chart The only thing I can do for the moment is this chart with this request     | timechart count(eval(Return="KO")) as KO count(eval(Return="OK")) as OK by Method     Do you know how I can get the first timechart ?   Thanks  

I am trying to use the rex command to extract an id number, which is a mixture of letters and numbers separated by a dash. For example, one of the ids looks like this: 34gv564-3333-5tg4-gt53-4rgt5eg5g35gb The field itself is as follows: MFA challenge succeeded for account aaaaaaaaa with email example@example.co.uk. Session id is 34gv564-3333-5tg4-gt53-4rgt5eg5g35gb The rex command I'm using is as follows:   | rex "(?i) is (?<id_number>[^\"]+)"   The only problem is that sometimes it extracts the email address bit too Any help would be greatly appreciated