Long shot, but it might be worth checking who owns the alerts. "settings" (in the top right corner) > "Searches, reports, and alerts" > search for your alerts and check the owner If for whatever reason the owner isn't a user that exists, the scheduler will not try to schedule it. ... View more

Today is June 24th of 2021, and I am sad to report that this issue is still there. I just added a dropdown listbox so that the user can change the number of rows displayed. And found out that if the user gets 18 results with the default pagination set to 20 rows, and then changes it to 10, navigate to the second page, and select the 20 rows pagination, the view is stuck on showing the 8 last records. Not only that but the page selection disappears unless you re-select the 10 rows I am amazed that in so many years this has not been fixed. ... View more

Some new features come along in a later release that could help. But they're not available yet in 6.0:   You can put the duplicates in different entity zones: https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Globalsettings#Enable_entity_zones_for_Assets_o... You can change the key to a different field for the merge: https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Assetsettings#Add_or_edit_an_asset_field  ... View more

Hİ @gabriel_vasseur, entitymerge command is supposed to add only new identities to prevent duplicates. That is why it is normal. ... View more

I did try that before and it doesn't help. I had another go today and it only works with these extra steps: run "| outputlookup identity_lookup_expanded" to obliterate the old content. open in search the identity merge search preview, and run it with "| outputlookup identity_lookup_expanded" added at the end. I don't understand why these extra steps are needed. And then of course, I had to change the way we ingest identities and the lookup macro casing is consistent for usernames and email addresses. On top of that, I have a lot of problem with identity merging search. entity_merge doesn't seem to work correctly and consistently and sometimes returns much fewer results than it should. I have no confidence in this framework now. ... View more

this code didn't work for me. when I am selecting the month from the drop down i dont see any changes happening in my dashboard.  ... View more

We've just witnessed the exact same issue for us. Looks like tstats will return results if the first 16 characters are the same, ignoring any change beyond that. Unbelievable. ... View more

Over 4 years later and this post still helped me solve my problem! Thank you! ... View more

I faced a similar issue and resolved it by creating an "inverse" timestamp and using that to bucket events on instead of _time. For example: ... | eval repoch=relative_time(now(),"+0d@d-1d") Pick a latest time (I was interested in values upto and including yesterday) | eval retime=repoch-_time Calculate time prior to your new epoch | bin retime span=7d Set bin based on new time (this gets 7 days prior going backwards) | stats dc(_time) as days, sum(count) as count by Column, retime I was interest in counts over 7 days.  | where days = 7 | ... I then only took complete weeks going forward Obviously the date can be recovered by subtracting from repoch again if you need it. ... View more

Thanks, that works! ... View more

The subsearch one was reported as SPL-176990 is fixed in 7.3.3 for where tstats where, reported as SPL-179746, fix planned for 7.3.4 at the moment ... View more

The same basic principles apply for all things Splunk that I've yet seen (apps, add-ons, Core, etc) - other than maybe UBA: files get overwritten, but rarely get removed ... View more

Interesting, but like you said unlikely to be the case here. We have PS on site this week so if there is time I'll ask them to take a look and will update this question if anything transpires.! ... View more

First I’m going to state nothing I have here is scientific and I can’t give exact details publically on any exact use case. However I can say we have looked into this extensively. I’ll give short answers for those looking at this as the answer should last until Splunk completely reworks the way searching and indexing is handled. How much RAM is too much? -The amount of RAM Splunk the service needs to run can be up to 128GB+ if searches have enough in memory operations or you have adjusted Indexing pipeline queues to be larger to smooth out indexing bursts. Realistically though it just seems to soft cap around 45-80GB (it grows with server uptime 50+ days. You should patch and reboot more frequently than this) + search traffic active ram is at most around 100-300MB/search so if you have 100 searches for concurrency it can be 30+Gb of ram (make sure you have the core counts to back this up). I assume this also scales by ingestion volume and if you make use of more than one indexer pipeline. Now the more important one is OS caching of paged files. This is RAM that isn’t active but paged by the OS. (think windows pre fetch super fetch and just file mapping in RAMmap) There is no limit to this if IO is a concern. The larger this space is the more the OS will hold onto. The less Disk IO for writes will be interrupted by the search reads. 2.As for official publically available documentation I cannot provide this but I can provide how 1.a is valid to those who read this in the future. Using reference https://docs.splunk.com/Documentation/Splunk/7.3.1/Capacity/HowsearchtypesaffectSplunkEnterpriseperformance you can note that “Super-sparse” & “Rare” searches are throttled by I/O. Next evaluate your searches: Key things you are looking for is the _Time ranges for 80-90% of your searches that are sparse. This matters on an index by index basis. What is the avg look back distance for these sparse searches? Is it 1 hour 1 day or 1 week or 1 month? For this example we will use 1 week as the majority of look back times for searches/alerts. We will assume all index This means all bucket data with “_time” values within 1 week of now should at least be sitting in your “Hot”/“Warm” storage minimally if your cold storage tier is slower. If all storage tiers are the same speed IO then Hot/warm/cold doesn’t matter. Only OS ram caching. Using a query for internal index since everyone has this index: | dbinspect index=_internal timeformat=%s | eval lookback=relative_time(now(), "-1w@w") | where startEpoch < lookback | stats count as totalBuckets min(startEpoch) as oldestEvent sum(rawSize) as rawSize,sum(sizeOnDiskMB) as diskSizeGB by index , state | convert ctime(startEpoch) | convert ctime(oldestEvent) The values you are looking for in this is the time range of about 30 days. This will then tell you "diskSizeGB" in Hot Warm and Cold. This number here + about 20% is what you are looking for when across all indexes to be available for the OS to cache. Beyond this number is a waste of ram as you are not running a Seek/read operation. This is only helpful is you have sparse searches. If your alerting is all dense searches your CPU will be 100% long before the IO subsystem is being the bottleneck. This complex calculation is why they don't publish exact sizing guides. One alteration to a search pattern and a user will drastically alter the Ram usage profile for cache OS storage. You can test this on a single indexer that is windows using RAMmap and clearing the standby list after is has your search window for sparse data. then run the search. monitor the host IO profile. Run the same search 1-5 times. Check under the mapped files to ensure they are cached then run the search again and watch as there should be 5-15% of the original IO profile. In an IO bound system bound by searches that are sparse additional ram can cut search times by 40+%. But the level of tuning required to get these search times is fleeting since your not in control of the OS caching. Nix* use "Htop + free" to watch similar usage patterns. ... View more

Thanks Sundaresh, I do appreciate your spending your time on my issue. I have added the following to your example: <row> <panel depends="$tokChk$"> <html> <h1>Hello World!</h1> </html> </panel> </row> And it worked as intended: the panel is only displayed if the checkbox is ticked. However, one thing doesn't work as needed, and that's if the checkbox is not ticked, the search doesn't run at all. It just says "Search is waiting for input...". The fix for that is to specify either <default></default> or <initialValue></initialValue> in the checkbox definition. If I do that, the search works well whether the box is ticked or not, but now the problem is that the panel that depends on $tokChk$ is now displayed all the time. That's why in my original post I was trying to solve that problem by using another token... ... View more

\o/ hurrah! ... View more

@yozhbk, please accept the answer to close it out ... View more

Bluecoat logs are a pain in the *** to extract but I think this regex should do the trick: (?<timestamp>[0-9-:\s]{19})\s+(?<time_taken>[^\s]+)\s+(?<c_ip>[^\s]+)\s+(?<cs_username>[^\s]+)\s+(?<cs_auth_group>[^\s]+)\s+(?<x_exception_id>[^\s]+)\s+(?<sc_filter_result>[^\s]+)(?:\s+\"|\s+)(?<cs_categories>[^\"]+)(?:\"\s+|\s+)(?<cs_referrer>[^\s]+)\s+(?<sc_status>[^\s]+)\s+(?<s_action>[^\s]+)\s+(?<cs_method>[^\s]+)\s+(?<rs_content_type>[^\s]+)\s+(?<cs_uri_scheme>[^\s]+)\s+(?<cs_host>[^\s]+)\s+(?<cs_uri_port>[^\s]+)\s+(?<cs_uri_path>[^\s]+)\s+(?<cs_uri_query>[^\s]+)\s+(?<cs_uri_extension>[^\s]+)(?:\s+\"|\s+)(?<cs_user_agent>[^\"]+)(?:\"\s+|\s+)(?<s_ip>[^\s]+)\s+(?<sc_bytes>[^\s]+)\s+(?<cs_bytes>[^\s]+)(?:\s+\"|\s+)(?<x_virus_id>[^\"\s]+)(?:\"\s+\"|\"\s+|\s+\"|\s+)(?<x_bluecoat_applicatoin_name>[^\s\"]+)(?:\"\s+\"|\"\s+|\s+\"|\s+)(?<x_bleucoat_application_operation>[^\"\s]+)(?:\"\s+|\s+)(?<cs_auth_type>[^\s]+) ... View more

Sorry for the confusion. Our files contain what are called triple A errors. For this question there are two AAA errors that are showing up in a file. They are AAA*Y*41 and AAA*Y80. The asterix you see are delimiters in the files. That is exactly how the AAA error looks. I'm not using the asterix as wide cards. I know I have to regex around them, I'm having trouble adding two AAA errors into one search. I'm looking for AAA*Y41 OR AAA*Y*80. I want to find them both. Thanks. ... View more

Interesting read, thanks! ... View more

Many thanks! I'm not sure why it doesn't work either but at least it works on my dashboard now. Mission accomplished! ... View more

Has anyone tried this with multiselect input? ... View more