Hello experts, I have 2 dropdowns in my dashboard. 1st - Last 7 days (including TODAY) 2nd - If I select TODAY in 1st, I need to write a search query on an index to populate values in this dropdown. If I select any other day, I need to search inputlookup csv file which gets generated everyday at 00:02 (having all the values of last 6 days). How can I put this if-else condition to populate 2nd dropdown? Thanks, Naresh ... View more

Hello Experts, I am setting up new clustered environment with below setup. Need advice on recommended configurations. Indexer cluster - 2 sites - 1 server each site Search head cluster - 2 sites - 1 server on 1st site ,2 servers on second site. cluster master/deployer - 1 server on 1st site My current configurations based on my readings through splunk docs below. On indexer cluster master [clustering] site_replication_factor = origin:1,site1:1,site2:1,total:2 site_search_factor = origin:1,total:2 replication_factor = 2 On search head members: [shclustering] replication_factor = 2 When one of the indexer is stopped, my indexer cluster says "Search Factor is not Met" and "Replication Factor is not Met". Will there be any consequences with this? Any recommended changes to make it a stable set-up? Also, How can I tell any forwarder (which is sending data to indexer1) to send data to indexer2 if indexer1 goes down? Thanks, Naresh ... View more

Hello Experts, I am indexing data from a shared file. I have below config in my props.conf. Some of the lines from my inout log file doesn't have timestamp. So, All those events are getting timestamp from previous events read by Splunk. Using this config, I am getting irregular timestamps captured. Any advice to fix this is much appreciated. [Custom_W22] DATETIME_CONFIG = NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TIME_FORMAT = %Y-%m-%d_%H:%M:%S.%3N TIME_PREFIX = ^ TRANSFORMS-set = discardAll,queue2resp,index2resp category = Custom disabled = false pulldown_type = 1 Example from log: 2019-02-20_03:30:02.333 - Line-1 2019-02-20_03:30:02.349 - Line-2 2019-02-20_03:30:02.364 - Line-3 2019-02-20_03:30:02.380 - Line-4 - Line-5 2019-02-20_03:30:02.427 - Line-6 Expected Output: Line-5 should have the timestamp of either Line-6 or Line-4. But it is going out of these bounds and showing different timestamps for few lines. Any help please? ... View more

Hello experts, I am trying to dynamically change my dashboard view based on 3 dropdown inputs. All the time, my show_tab1 results are hidden even if the condition matches. Any help to tweak the code is appreciated. <row> <panel> <table depends="$hide_table$"> <search> <query> | from datamodel:"0DP_T_common" | search C_Category=$selected_cat$ C_endpoint="$selected_endpoint$" C_Response=$selected_response$ | table C_Day C_StartTime C_Category C_endpoint C_Response duration</query> <earliest>0</earliest> <sampleRatio>1</sampleRatio> <done> <condition match="$result.selected_cat$=Categ_1 AND $result.selected_endpoint$=prime AND $result.selected_response$=00"> <unset token="hide_table"></unset> <set token="show_tab1">true</set> </condition> <condition> <set token="hide_table">true</set> <unset token="show_tab1"></unset> </condition> </done> </search> </table> <table depends="$show_tab1$"> <search> <query> | from datamodel:"0DP_T_selected" | search C_Category=$selected_cat$ C_endpoint="$selected_endpoint$" C_Response=$selected_response$ | table C_Day C_StartTime C_Category C_endpoint C_Response duration</query> <earliest>0</earliest> <sampleRatio>1</sampleRatio> </search> </table> </panel> ... View more

Hello experts, Need help. My requirement is to extract 1st set of lines into 1st index and 2nd set into 2nd index. And ignore all other lines from a log file. Below is my configuration which is obviously failing. I have seen other blogs' solution - successfully able to separate events into two indexes without using [discardAll] from transforms.conf and unspecified index in inputs.conf. But it will redirect all my ignored lines into main idx which I don't want. inputs.conf [monitor://D:\splunk_test\target.log] disabled = false sourcetype = Custom_S index = target_index_one interval = 10 crcSalt = props.conf [Custom_S] TRANSFORMS-set = discardAll,index2one,index2two transforms.conf [discardAll] REGEX=. DEST_KEY=queue FORMAT=nullQueue [index2one] REGEX=(First_Filter) DEST_KEY=_MetaData:Index FORMAT=target_index_one [index2two] REGEX=(Second_Variant) DEST_KEY=_MetaData:Index FORMAT=target_index_two ... View more