Hi Djow, Collecting logon/logoff from Windows is difficult because every access generates 10-12 events and there are many automatic accesses of services, so it's difficult to display the real accesses to systems. I filtered taking Login EventCode=4624 OR EventCode=524 Logfail EventCode=4625 OR EventCode=529 Logout EventCode=4647 OR EventCode=551 and Logon_Type=2 OR Logon_Type=10) and making dedup for _time User host Instead to have the active sessions I used a simple script for systems greater than 2008 seven: @echo off REM -------------------------------------- REM Controllo delle sessioni utente attive REM -------------------------------------- REM Get event date and time set date_time=%date% %time% REM Print the event date and time, this will be the event timestamp echo Current time: %date_time% REM print the current user session query user Bye. Giuseppe ... View more

If the condition in in the same search of the panel, as you can see in the related answer, you have to insert a condition in the progress section and the depends option in the panel tag: <panel depends="$panel_show$"> <chart> <title>My title</title> <search> <query>your_search | table _time field1 fields2 ...</query> <earliest>-60s@s</earliest> <latest>now</latest> <progress> <condition match="'job.resultCount' > 1"> <set token="panel_show">true</set> </condition> <condition> <unset token="panel_show"/> </condition> </progress> </search> ... If instead the condition in in an outside search you have to build something like this <panel> <search id="search_logic"> <query>your_external_search"</query> <!-- Progress event has access to job properties only --> <progress> <condition match="'job.resultCount' > 1"> <set token="show_panel">foob</set> </condition> <condition> <unset token="show_panel"></unset> </condition> </progress> </search> <chart rejects="$show_panel$"> <title>your_title</title> <search> <query>your_search | table _time field1 fields2 </query> ... Ciao. Giuseppe ... View more

Hi stwong, tscollect is a stupid command: it doesn't check if the events was already ingested, so you have to configure you time periods without overlap otherwise you'll have duplicate events. If you cannot do this, you have to insert in your tscollect search also a condition on indextime, discarding the ones with indextime < the time of last schedule (e.g. if scheduling is every hour, -h@h). I asked to splunk to insert this check in the future developments and I hope! In addition it isn't possible to delete some events from a tsidx index, you can only delete the entire index. You can delete the tsidx index phisically deleting files that you can find by default in $SPLUNK_HOME/var/lib/splunk/tsidxstats/ Bye. Giuseppe ... View more

Hi responsys_cm, It isn't possible to enable a role to access an index from a predefined App, you can only define access to one or more indexers and one or more Apps. To do what you want, you should modify all your apps accessed by these users disabling all accesses to raw events (drilldown or search). I think that the easiest way to proceed is to extract your data, mask and reindex them and at the end delete the old ones. I can imagine that you have many events, but probably this is the easieste way! Bye. Giuseppe ... View more

hi andreafebbo, in this question there is your answer https://answers.splunk.com/answers/218623/how-to-hide-panels-with-no-results-from-a-dashboar.html Bye. Giuseppe ... View more

did you tried to configure your props.con with SHOULD_LINEMERGE=true ? After this you could extract your field using (?ms) option in your REGEX. Bye. Giuseppe ... View more

Hi kplatte, if you want to add to your table a column with the total count of events you could run something like this: index=_internal | eventstats count AS cnt | stats values(cnt) AS cnt count by host if instead you want to have the number of events outside the panel (e.g. in the Panel's Title), you have to insert in your search something like this: <progress> <eval token="scancount">$job.scanCount$</eval> <eval token="resultcount">$job.resultCount$</eval> </progress> and use the token. Bye. Giuseppe ... View more

Hi joydeep741, can you identify the LINE BREAKER REGEX? the one you showed isn't so clear and the only one. can you share an example of your logs? Bye. Giuseppe ... View more

Hi vikas_gopal, which operative system are you using? there are limitations to use some port ranges. Bye. Giuseppe ... View more

Yes, tscollect schedule is related to your needs about near real time monitoring: so you can schedule one time a day using -d@d - @d time period or less time. Bye. Giuseppe ... View more

config_file is a sourcetype that you can find in your license usage report? because in Splunk_TA_nix there isn't this sourcetype so I don't know where you call it. Bye. Giuseppe ... View more

Hi naty, if you can, you should try a new visualization of Splunk 6.5.x "horizon_chart_app.horizon_chart", to do this you have to install the "Horizon Chart - Custom Visualization" App (https://splunkbase.splunk.com/app/3117/). Bye. Giuseppe ... View more

Hi lycollicott, you should use the license usage report [Settings -- License -- License Usage -- Last 30 days] divided by sourcetype to verify what you indexed in your sourcetypes. Bye. Giuseppe ... View more

No you have to insert tscollect in a scheduled search and use tstats in your panels. Tscollect creates a parallel index with less fields, all indexed and more quicker. ... View more

if your need is only to change name to a dashboard, you can clone it in a new one (with you name you like) and delete the original. Bye. Giuseppe ... View more

Hi hcpr, setnull must be always the first, but did you try to change the order between setparsing and setfilter? Bye. Giuseppe ... View more

Hi stwong, you can change the name of your dashboard cloning it, you can change the title of your dashboard using the Name change function if the dashboard menu. Bye. Giuseppe ... View more

go to Settings -- Access Control -- Roles -- your role Bye. Giuseppe ... View more

have you tried stats count by host, sourcetype, index OR tstats count by host, sourcetype, index ? Bye. Giuseppe ... View more

hi Hemnaath, You can find it at $SPLUNK_HOME/etc/system/local/ as you can see in http://docs.splunk.com/Documentation/Splunk/6.5.1/admin/Distsearchconf Every way ./splunk cmd btool distsearch list --debug runs. Bye. Giuseppe ... View more

modify regex | rex max_match=0 "(:|for)\s(?<Message>.*)" see https://regex101.com/r/nGhrLA/1 Bye. Giuseppe ... View more