alert_actions.conf, My conf file reads Integrated PDF rendering adds a Splunk logo to the corner of the rendered page Disable by setting this to 0 (false) reportIncludeSplunkLogo = 0 ... View more

Please check this answer http://answers.splunk.com/answers/45600/convert-time-format.html ... View more

Never used typeof / didn't get there yet. May be this can help http://answers.splunk.com/answers/177400/how-to-use-json-extracted-fields-with-eval-functio.html ... View more

Interesting, Just did a UF install. Created some Monitor stanzas in inputs.conf and mentioned server in the outputs.conf. I see the server address after forwards: x.x.x.x. Is the splunkd running on the splunk server 🙂 (Please don't yell at me for asking this). Reason why i ask, i get forward : none after i intentionally stopped splunkd on Splunk server. ... View more

App might not, but the examples will give you an idea on how to reference. ... View more

Did you enable Receiving on the Splunk Server, which is supposed to get the logs forwarded by UF? ... View more

Oh i guess you've to restart splunk for every change to css ... View more

I did, , it doesn't load or maybe i am interrupting it. I get a msg in firefox saying "script is running longer than expected" "Kill""Continue""debug". ... View more

Sideview Utils! Has ton of examples to achieve what you're looking for ... View more

Here's the explanation: "Sometimes you end up with a dashboard running lots of different searches but they all seem annoyingly similar. One advanced technique is to run a single search, then use 'postProcess' to take the data in N different directions for N different charts. Note: Read carefully. If set up improperly your results can be misleading. It's tempting to have your base search just be the 'events' part of the search, and then have your postProcess module's each have different reports. like "timechart sum(kb) by series", or "chart avg(eps) over series". However that can get you into trouble because splunk doesnt do unnecessary work, and if the search contains no indication that anyone wants statistics for a given field, it wont collect them. Or what's almost worse, it might collect incomplete statistics. In the end you might find that your postProcess always seems to return 0 results, or it seems to return results that on closer inspection are not correct. (for the advanced reader, the naive approach also breaks map-reduce a bit.) The solution is to use the stats command in your base search. Stats will do all the work and get what Sorkin (aka the Sorkinator) calls the 'sufficient statistics'. Then later your postProcess searches will have all the raw materials they need. Specifically, the search has these clauses on the end: | bin _time span=5min | stats count by series, eps, kb, kbps, _time The stats count with the various group-by clauses is the important part. The bin command is further optimizing our base search so that we dont have one row per timestamp, but one aggregate row per 5 minute bucket. Check out all the stuff on this page that we're able to do from just one search. read through the XML source for this view in Manager to see how it works for yourself." ... View more

Are you using _time bins in the searchTemplate? ui_example app has very good reasoning for this situation. ... View more

Can be achieved using post processing searches. Make the selections mentioned in the search template, please refer ui examples app. Once you have the parent search, insert a separate chart panel to do some thing like table someResult. someResult would be (token1*token2*constant). There might be other ways to do it. ... View more

Do you mind posting the search? ... View more

Right, instead of |inputlookup, it would be your base search and System1 would be _raw. I just posted a pic as editor doesn't let me type the exact rex.Hope this help Pardon me if i am going tangents. ... View more

I am not well versed with json format or what fields to extract. I loaded the sample event you posted to a lookup and broke it almost in to key values. Couldn't proceed due to my lack of knowledge with json. Hope this helps. |inputlookup json.csv|rex field=System1 mode=sed "s/[-|.|\"|\/]//g"|makemv delim="," System1|mvexpand System1 Thanks, Raghav ... View more

Undrrstood ... View more

I could be wrong but 8000 is the port used by splunkweb. 8089 should be your management port and 9997 tcp ... View more

Did you do a backup of all your *.confs before the upgrade? Saved seaches should be under savedsearches.conf file Under /local or app/local etc. Hope you find em all ... View more

May be this... base search| makemv delim="|" System1|makemv delim="|" System2|eval fields = mvzip(System1,System2)|mvexpand fields|rex field=fields "(?\w+|\d+),(?\w+|\d+)"|eval New_Field = alpha + "=" + beta|table alpha,beta,New_Field ... View more