I don't think this question has anything to do with eventtypes? The create input screen in the office 365 app, has an indexes pulldown. For the OP the only values he sees are history, main and summary but he doesn't know why since he does have other indexes and he sees them listed elsewhere in other apps. Possibly you know some detail leading you to believe there is some involvement with eventtypes? ... View more

I looked at the TA and the rest endpoint it hits to get the index list looks right to me. to troubleshoot, go to the Search app as that same user and run this search: | rest /services/data/indexes | fields title * Do you see only the same 3? history, main and summary? ... View more

What version of Splunk are you running? I actually hit a maddening problem that sounds like this, quite a few versions back and I resorted to weird things like setting crcSalt to random strings like "reindex this 17" when crcSalt=<SOURCE> mysteriously stopped working. At the time I had the option to clean that index and I think I did. And then the problem never returned but I had since upgraded Splunk. ... View more

I think it's because these are 32-bit PNG files. I downloaded them and looked at them and they do seem to have a bit depth of 32. Try saving them as 24-bit or better yet 8-bit png's. There won't be any loss since the images are pretty simple. I think it's quite possible that the code that is checking the file formats was just written before 32 bit pngs were a thing! I hope that helps. ... View more

A minor comment for you - this works great but inputlookup actually has its own append=t argument that you can use. And in this case it's better to use it, than to rely on the append command because append hits failsafe at 50,000 rows where it would truncate. So long story short you can just do: | inputlookup ABC | inputlookup XYZ append=t | stats count ... View more

Can you update the question with what your desired end goal is? It sounds like maybe you want a single number representing all answered calls from any of those 4 extensions? There are some other pieces that you want to introduce but before I start answering I want to make sure I understand the question. Ideally if you could give a brief description of the goal and then specify what you want the table columns to be, or what you want the chart to show? ... View more

To clarify, do you want the graph itself to allow multiple selection, ie allowing the user to click two or more things, and keeping them both highlighted? And then passing essentially ( field="$value$1" OR field-="$value2$" ) into another search? The mention of the "two other panels" is I think a red herring - but on the other hand perhaps you mean the primary field value in the graph is something like 'bob,sales', and you want one panel to use the 'bob' and the other panel to use the 'sales' part. The former is hard because I don't think the chart componentry allows it. The second is relatively easy in Sideview Utils. ... View more

haha. Hey it's high praise! ok fine I gave up an upvote. 😃 despite the little flaws i had to fix in it. 😛 ... View more

I like this approach too, IF it can be shown safe to assume that the call concurrency of all these numbers is never >1. If I may offer a slight improvement. We can rely on the fact that the timechart command always outputs a hidden field called _span that represents the number of seconds in the bucket. It allows you to do the exact same business hours definition (likely saved as a macro), to have 30min granularity, also it wont have a 1 hour error during DST changes, and it tolerates the search timerange start or end falling in the middle of a day. ... | eval utilization=round(100*minutes/ [| makeresults | addinfo | transpose | rename "row 1" as value | eval _time=if(column="info_min_time" OR column="info_max_time",value,null()) | where _time>0 | timechart count span=30min | eval day_of_week=strftime(_time,"%a") | eval hour_of_day=strftime(_time,"%H") | eval is_business_hours=case((day_of_week=="Sat" OR day_of_week=="Sun"),0,(hour_of_day>7 AND hour_of_day<17),1,true(),0) | search is_business_hours=1 | stats sum(_span) as business_seconds | eval business_minutes=business_seconds/60], 2). "%" ... ... View more

Well there are a few moving parts in your search that you don't actually use. While this is fine, for the purpose of clarity let's strip those out, just so we can focus on the stuff your report is using. Also there's some mvappend() + null() syntax that is problematic so let's fix that. `cdr_events` ( globalCallId_ClusterID=ABC-Corp ) (callingPartySubgroup="Global_Rm" OR originalCalledPartySubgroup="Global_Rm" OR finalCalledPartySubgroup="Global_Rm") dest_device_type="hardphone" OR orig_device_type="hardphone" duration>0 | eval number=mvappend(if(callingPartySubgroup="Global_Rm",callingPartyNumber,""), if(originalCalledPartySubgroup="Global_Rm", originalCalledPartyNumber,""), if (finalCalledPartySubgroup="Global_Rm", finalCalledPartyNumber, "")) | mvexpand number | search number=* | eval day_of_week=strftime(_time,"%a") | eval hour_of_day=strftime(_time,"%H") | eval is_business_hours=case((day_of_week=="Sat" OR day_of_week=="Sun"),0,(hour_of_day>7 AND hour_of_day<17),1,true(),0) |search is_business_hours=1 | fields - day_of_week hour_of_day is_business_hours | stats dc(callId) as calls sum(duration) as seconds by number | eval minutes=round(seconds/60,2) | eval utilization=round(100*minutes/540,2). "%" | lookup groups number OUTPUT name number group subgroup | fields name number subgroup calls minutes utilization So OK. Next up, at least in our eyes, is that this is calculating total call duration. Which, if the numbers can only ever be associated with one call leg at any one moment, is probably fine to use as the basis for a utilization report. On the other extreme if this number can be associated with more than one concurrent leg, this SPL is going to be a bad measure of utilization, possibly a REALLY super bad one. For example using this approach to calculate gateway utilization wouldn't work at all. what you need instead is seconds where concurrent calls is >0, over total seconds. It's easy enough to tell! Let's calculate the actual max concurrency of these numbers for all seconds in the timerange, split by our "number" field. Here we're borrowing some very complex macros that ship in the Cisco CDR app. `cdr_events` ( globalCallId_ClusterID=ABC-Corp ) (callingPartySubgroup="Global_Rm" OR originalCalledPartySubgroup="Global_Rm" OR finalCalledPartySubgroup="Global_Rm") dest_device_type="hardphone" OR orig_device_type="hardphone" duration>0 | eval number=mvappend(if(callingPartySubgroup="Global_Rm",callingPartyNumber,""), if(originalCalledPartySubgroup="Global_Rm", originalCalledPartyNumber,""), if (finalCalledPartySubgroup="Global_Rm", finalCalledPartyNumber, "")) | mvexpand number | search number=* | `get_call_concurrency(number)` | `timechart_for_concurrency(number,400)` Run that, and it'll give you a chart of the max concurrencies over time, for all the numbers. -- IF there are only 10 or fewer values of "number" here, then just look at that chart and it'll tell you whether any of them ever are on more than one call leg concurrently. -- However if there are lots of values of "number", uh. the linechart visualization isn't gonna really do it. It's too long a story to write out "what then" here, but email us to open a ticket. (For one thing you can remove the last timechart and replace with | sort 0 - concurrency but the rows are a little odd at that point because there's one row for each call start and one row for each call end) But let's review. "active" is all the time buckets where max(concurrency) is 1 or higher, and "inactive" is the time buckets where max(concurrency) is exactly zero. So.... we don't even care whether or not the numbers can be on more than one call. Right here we're pretty close to calculating utilization. Granted.. there are only 400 time buckets so its not very precise... ...WHAT IF WE ADD MORE BUCKETS. Say instead of 400 timebuckets we do 50,000 of them. This doesn't make Splunk very happy but it will do it. And then after that, we can just narrow to business hours, for each number count active buckets and inactive buckets, and we're done. This will work great for timeranges of days and I think a week or two. Past a certain point unfortunately 50,000 isn't really enough granularity though. But heres the search: `cdr_events` ( globalCallId_ClusterID=ABC-Corp ) (callingPartySubgroup="Global_Rm" OR originalCalledPartySubgroup="Global_Rm" OR finalCalledPartySubgroup="Global_Rm") dest_device_type="hardphone" OR orig_device_type="hardphone" duration>0 | eval number=mvappend(if(callingPartySubgroup="Global_Rm",callingPartyNumber,""), if(originalCalledPartySubgroup="Global_Rm", originalCalledPartyNumber,""), if (finalCalledPartySubgroup="Global_Rm", finalCalledPartyNumber, "")) | mvexpand number | search number=* | `get_call_concurrency(number)` | `timechart_for_concurrency(number,50000)` | eval day_of_week =strftime(_time,"%a") | eval hour_of_day=strftime(_time,"%H") | eval is_business_hours=case((day_of_week=="Sat" OR day_of_week=="Sun"),0,(hour_of_day>7 AND hour_of_day<17),1,true(),0) | search is_business_hours=1 | fields - day_of_week hour_of_day is_business_hours | untable _time number active | eval minutes=round(seconds/60,2) | eval active=if(active>1,1,active) | stats count(eval(active=1)) as active count(eval(active=0)) as inactive by number | eval utilization=100*active/(active+inactive) ... View more

Oh sorry I was waiting for you to open a ticket with us. My thought was that then we'll be familiar with your ticket history and environment and version of the app etc. Can you just quickly send this to support@sideviewapps.com ? I can and certainly will post the better way to calculate utilization back here, either in parallel with your case or after. ... View more

Definitely yes. It might best to send this in to us as a Support ticket -- support@sideviewapps.com but either in parallel with that case, or after, I'll post an answer here. It's GREAT that you posted this here though. It's something we're getting asked about more and more. taking a step back we've done a number of fairly complex utilization reports with our customers, and are working on shipping this kind of functionality either as a standalone page or with utilization stats as a part of the Browse Devices page. ... View more

As an update - although the TA_cisco_cdr used to ship dormant within the main cisco_cdr app, earlier this year it was moved out of there, and instead it now just lives on Splunkbase - https://splunkbase.splunk.com/app/4434/ So you can now download it from Splunkbase as a TA_cisco_cdr.tar.gz file and then deploy it (via your method of choice) to any Splunk UF's or HF's that will be forwarding Callmanager CDR data. NOTE: The TA itself is dual-licensed - If you just want to use the TA to onboard the CSV data correctly, that's fine by us and the license agreement on Splunkbase is our Sideview Free Internal Use License Agreement. On the other hand if you're a customer of ours deploying it along with the main "Cisco CDR Reporting and Analytics" app, in that case the relevant license and support terms are elsewhere. And in the middle, if this is all news to you - definitely take a look Cisco CDR Reporting and Analytics ( https://splunkbase.splunk.com/app/669/ ). You can download and setup a free 90 day trial of it in only about 30 minutes. Full install docs are here: https://sideviewapps.com/apps/cisco-cdr-reporting-and-analytics/documentation/installation-and-setup/ and of course contact us with any questions at all. There's a #cisco_cdr channel on the Splunk slack and you can reach out to us at info [at] sideviewapps.com ... View more

Both mvdedup and mvsort were added as evaluation functions (ie you can use them in eval and where) in 6.2. | eval mvfield=mvsort(mvfield) and | eval mvfield=mvdedup(mvfield) ... View more

It's totally fair that a bunch of UI nuance was missing from this simple answer from years back. Things humans expect like interaction feedback. 😉 There is a much better answer I posted today with a considerably better end user experience. https://answers.splunk.com/answers/384932/sideview-button-action-to-refresh-page.html ... View more

Note - this answer is only relevant for the simple XML and is not relevant at all to the Advanced XML or the Sideview XML. And this question is explicitly about how to do this in the Sideview XML. ... View more

You can technically embed any collection of modules using the Table-Embedding feature. So yes you can technically embed modules that themselves include another table that uses teh Table-embedding feature. The glaring drawback is that you can't do any kind of colspan on it -- the modules can only be embedded into individual cells. And as a practical matter.... you very well might be better off just doing some clever CSS with padding and layout on divs in an HTML module, vs table-embedding a table module that uses table-embedding. Note - this is also a distant cousin of "Using a Multiplexer module to multiplex a Multiplexer module that multiplexes some other modules". 😃 ... View more

stats count by Logged_on, Type will give you what's sometimes called "stats style" output rows. This isn't what you want, and it can't really be "stacked". What you want is chart count over Logged_on by Type , and this is called "chart style" output rows. And last but not least, "chart style" rows can be stacked. Further reading - sometimes in really advanced cases you need to kinda flip things around from one style of rows to another, and this is what xyseries and untable are for, if you've ever wondered. xyseries is an advanced command whose main purpose in life is to turn "stats style" output rows into "chart style" output rows, and untable does the opposite. ... View more

Just a note to any Splunk app developers who might see this error and land here. In general this message means that a POST failed to specify the "name" of the stanza in the payload. And in turn one way this can be easy to hit, is if you're using en.Entity() to create a new stanza but forgetting to list the stanza name as an explicit "name" arg in the payload. ... View more

With more recent versions of splunk I would use a search like this to see how much of a problem this is with your data, and where in time the problem might be occurring. | tstats prestats=t count WHERE index=cisco_cdr by _time source host span=1s | stats count by _time source host | sort - count It'll tell you in what time and source you're getting lots of events in single seconds. Any values of 10,000 or 10,001 are where you're hitting the limit and bad/notGreat things are happening. It's a little weird to use prestats plus stats plus another stats. Why I'm doing that is a) you can get some wonky time-bucketing behavior out of tstats, and b) prestats=t plus an explicit stats command has often (for me at least) seems to make some other tstats wonkiness go away in edge cases. Since 10K events in a single second is implicitly an edge case, a+b= this search is just being careful. ... View more

It's certainly a little strange. In general if you have searchterms | <some transforming command> the order of the events going into the transforming command are not actually guaranteed to be in time order. (Yes it used to be true long long ago, but with distsearch and search-in-separate-process and various parallel bucket things they did, it's no longer always true) HOWEVER why am I talking about transforming commands? You're seeing this happen in a simple events search. Yes, I am surprised. I suspect that it's something you don't normally see unless the timestamps on the events are a little different from the actual wall-clock-time when they come into the system? Is there anything else notable about those events whose timestamps are off from the others? ... View more