Hi all, in <format type = "color"> can I also insert the row attribute? I need to color a table cell in the dashboard if the value of a row exceeds the target value. I tried with: <colorPalette type = "expression"> if (value & gt; 77, "# FA8072", "") </colorPalette> but color all the rows. My table: WO         September    October     November    December ..... A                     80                  77                       84                   46 B                    88                   23                      88                     26 C                    55                   34                      32                     93 I have the targets of A, B, C respectively : 60,70,80 they must color the row A: September, October, November B: September, november C: December Is it possible otherwise to insert a condition that affects the lines in the expression? Tks Greetings Antonio

Was working on Splunk Enterprise SDK for Javascript and used the splunkjs.UI.Charting.Chart class to create a chart and embed it in the web page. But it throwed an error "cannot  access property of undefined; accessing Chart". Is there any way to solve it. Thanks in advance for the help. I have attached the error screenshots and the code block.  

Hi all, I am trying to feed results of a query into another of a different time and index and I'm facing issues with this. Context: I want to look for any user activity across my servers on d+1 for list of user accounts which shows up as disabled on the active directory (windows event code=4725). From the search query below, I want to parse the list of usernames where count=1 and look for any user activity on d+1 onwards after earliest(_time) is recorded.  index=useractivitylogs [search index=wineventlog EventCode=4725 | eval timestamp=strftime(_time, "%Y-%m-%dT%H:%M"%S") | stats count as count, earliest(timestamp) by username | where count=1] Example: Eventcode 4725 is recorded for these 2 users based on my inner search: Timestamp | User: 5 September 2022 | Anna 10 September 2022 | Betty  Then, I want to feed these results to identify any user activity found on any servers on d+1 after the recorded Timestamp.   Thank you.   

Hi everyone, I am new to splunk. I am looking at windows event logs for the EventCode=4725 for all usernames within a week's timeframe. What I want is to remove username results if there are more than 1 count for this eventcode including that username, and then list in a table to show the timestamp and username when the eventcode occurred. Example: Usernames with EventCode=4725 recorded within 1 week:   Day 1 10pm : anna Day 1 11pm : betty Day 3 10pm : anna Day 3 1pm :  charlie Day 7 2pm : zach   Final result I want is: Day 1 11pm : betty Day 3 1pm :  charlie Day 7 2pm : zach From the above we have 'anna' removed completely from as her event showed up more than once.    This is my original query: index=wineventlog EventCode=4725 | fields * | eval timestamp=strftime(_time, "%Y-%m-%dT%H:%M"%S") | stats count by username | where username = 1 I then realised the problem with using stats count by,  because I wouldnt be able to show the timestamp for the results result this is in statistics.  I have thought of using dedup to remove duplicate values, but I have not found a way to remove duplicate values including that value itself. Please help. Thank you

I have an question/Issue with the use of rising option in DB Connect. I'm using Splunk Ent v 9.0x and DB connect 3.9.0 Im trying to understand how DB connect works with the rising option.  My issue is that when i run it, the DB server is increasing the memory and swapping on the disk in order to return the results. The database im trying to read has more than100Million entries. What i did with the configuration of the connection was: 1. When i read the data from the DB to get the results  the server responds quickly. 2. When i add the           select * from DB where ID > ? ORDER By ID ASC         the server times out, so i increased the timeout value and i eventually got the option to add the ID number i wanted to track from and proceed to the next window. 3.  In the "MAX Rows to Retrieve" field i  added 50000 and left the Fetch Size default "300". Execution policy was every 10minutes. i was monitoring the server database and noticed that each request splunk db connect makes,  produces   issues on the server.   Looks like the "order by ID ASC"  makes the DB server to sort all the table, which increases the memory consumption and disk swapping. Returns ALL (i guess) the results and splunk ingests only 50.000 events as specified in the "max rows to retrieve" i checked also the queries splunk run on the DB side, and the query string didn't show any limit , for example  "SELECT * FROM  DB WHERE ID > ? order by ID ASC  Limit 50000; ID field is indexed. Is Splunk DB connect always asking the Database server to sort ALL the records ? How can i import the data, without making performance issue on the DB server?  Can i add the limit option in the config file for example ? EDIT: IDK if DB connect would work if i put at the end of the query in the db_inputs.conf <SELECT * FROM  DB WHERE ID > ? order by ID ASC  Limit 50000>. Any thoughts? Or i could create  batch jobs to slowly import data till today and then use the "default" rising string? The question here is if the ORDER  bY asc would still make performance issues to the DB server?      

Good afternoon! Please tell me, on the following request, unfortunately I'm not so familiar with spl to issue a working version now (( This request is required for notification. Let me describe the workflow first: We have a post thread, 12 posts. Each message has a unique routepointID field, the values ​​of this field begin with numbers and with each message in the chain, the value grows: 1.pointID, 2.pointID (this is an example). The notification should be processed if one of the messages came out out of order, for example: Received 1.pointID, 2.pointID waiting for 3.pointID, and comes: 4.pointID need to run an alert. An example of our query to find message threads from a message flow: index="main" sourcetype="testsystem-script4" | eval srcMsgId_Исх_Сообщения=if(len('Correlation_srcMsgId')==0 OR isnull('Correlation_srcMsgId'),'srcMsgId','Correlation_srcMsgId') | eval timeValue='eventTime' | eval time=strptime(timeValue,"%Y-%m-%dT%H:%M:%S.%3N%Z") | sort -eventTime | streamstats values(time) current=f  window=1 as STERAM_RESULT  global=false by srcMsgId_Исх_Сообщения | eval diff=STERAM_RESULT-time | stats list(diff)  as TIME_DIF list(eventTime) as eventTime list(srcMsgId) as srcMsgId_Бизнес_Сообщения list(routepointID) as routepointID count as  Кол_Сообщений by srcMsgId_Исх_Сообщения

Hi I tried following steps from below github to get Kubernetes metrics https://github.com/signalfx/splunk-otel-collector-chart   Here is the code I used and I am getting logs in main index k8main , but no data in metrics index k8metrics. helm install my-splunk-otel-collector --set="splunkPlatform.endpoint=XXXXX, splunkPlatform.token=YYYYY, splunkPlatform.index=k8main, splunkPlatform.metricsEnabled=true, splunkPlatform.metricsIndex=k8metrics, splunkPlatform.insecureSkipVerify=true, clusterName=splunk-cluster" splunk-otel-collector-chart/splunk-otel-collector   Here is the error i am getting error exporterhelper/queued_retry.go:395 Exporting failed. The error is not retryable. Dropping data. {"kind": "exporter", "data_type": "metrics", "name": "splunk_hec/platform_metrics", "error": "Permanent error: \"HTTP/1.1 400 Bad Request\\r\\nContent-Length: 60\\r\\nConnection: Keep-Alive\\r\\nContent-Type: application/json; charset=UTF-8\\r\\nDate: Fri, 30 Sep 2022 14:44:09 GMT\\r\\nServer: Splunkd\\r\\nVary: Authorization\\r\\nX-Content-Type-Options: nosniff\\r\\nX-Frame-Options: SAMEORIGIN\\r\\n\\r\\n{\\\"text\\\":\\\"Incorrect index\\\",\\\"code\\\":7,\\\"invalid-event-number\\\":1}\"", "dropped_items": 27} Can someone please advice on how to get metrics in the above scenario. Thank You.

So today i installed the forwarder on a DC that is hosted on a VM but i cant seem to get any logs from this machine  i've already enabled Splunk to listen on  9997  for receiving  I'm also using the Splunk for windows addon and enabled all the logs from the config file (after copying it to the local directory) and the Splunk instance is hosted on the host machine and I've already setup the networking between the host and the VM i basically followed this  Guide   but i still can't get to forward the events , am i missing any steps here? , i also confirmed that the indexer was set correctly from the outputs file i was able to input data from the local host without an issue before if that helps

Hi Team, I have below queries in my dashboard Panel1: index="abc" sourcetype="abc" $reg$ |lookup local=t Org_Alias.csv OrgFolderName OUTPUT OrgName| search OrgName=$OrgName$ | rename OrgName as "Salesforce Org Name" | chart latest(NumberOfActiveUsersNotLoggedInForMoreThan15Days) as "# Active Users NOT logged in &gt; 15 days" latest(NumberOfActiveUsersNotLoggedInForMoreThan30Days) as "# Active Users NOT logged in &gt; 30 days" latest(NumberOfActiveUsersNotLoggedInForMoreThan60Days) as "# Active Users NOT logged in &gt; 60 days" latest(NumberOfActiveUsersNotLoggedInForMoreThan90Days) as "# Active Users NOT logged in &gt; 90 days" by "Salesforce Org Name"   Panel2: index="abc" sourcetype="abc" $reg$ |lookup local=t Org_Alias.csv OrgFolderName OUTPUT OrgName| search OrgName=$OrgName$ | chart latest(NumberOfActiveUsers) as "Number Of ActiveUsers" latest(SalesforceOrgId) as "Salesforce Org Id" latest(NumberOfActiveUsersNotLoggedInForMoreThan15Days) as "Number Of ActiveUsers Not Logged In For MoreThan 15Days" latest(NumberOfActiveUsersNotLoggedInForMoreThan30Days) as "Number Of ActiveUsers Not Logged In For MoreThan 30Days" latest(NumberOfActiveUsersNotLoggedInForMoreThan60Days) as "Number Of ActiveUsers Not Logged In For MoreThan 60Days" latest(NumberOfActiveUsersNotLoggedInForMoreThan90Days) as "Number Of ActiveUsers Not Logged In For MoreThan 90Days" by OrgName panel3: index="abc" sourcetype="abc" InactiveForMoreThan90Days !="No" $reg$ $type$ |lookup local=t Org_Alias.csv OrgFolderName OUTPUT OrgName| search OrgName=$OrgName$ | dedup _raw |stats count(InactiveForMoreThan90Days) as "Total Inactive Users" by OrgName panel4 index="abc" sourcetype="abc" InactiveForMoreThan90Days !="No" $reg$ $type$ |lookup local=t Org_Alias.csv OrgFolderName OUTPUT OrgName|search OrgName=$selected_value4$ | dedup _raw | stats values(OrgName) as "Org" by Name Email UserId UserName LicenseName LastLoginDateTime I have made my base search as this: index="abc" sourcetype="abc" $reg$ |lookup local=t Org_Alias.csv OrgFolderName OUTPUT OrgName| search OrgName=$OrgName$|rename OrgName as "Salesforce Org Name" But its not working can someone guide me here.  

Hi  Hope you are doing good.. I'm having a small query I want to check my license warning on my splunk with date I.e. On 26th of September we received 1 license warning. I'm using the below query to get the total license warming I have on my splunk till now  | rest splunk_server=local /services/licenser/slaves | mvexpand active_pool_ids | where warning_count>0 | eval pool=active_pool_ids | join type=outer pool [rest splunk_server=local /services/licenser/pools | eval pool=title | fields pool stack_id] | eval in_violation=if(warning_count>4 OR (warning_count>2 AND stack_id=="free"),"yes","no") | fields label, title, pool, warning_count, in_violation | fields - _timediff | rename label as "Slave" title as "GUID" pool as "Pool" warning_count as "Hard Warnings" in_violation AS "In Violation?" Kindly guide me how can I get the license warning with date.   Thanks