Hi @super_saiyan,   You can update limits.conf to change the Show Source settings.  The docs mention that results are "pruned" so while you increase the limit, you may still not get an increase in events displayed. https://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Bshow_source.5D [show_source] distributed = <boolean> * Whether or not a distributed search is performed to get events from all servers and indexes. * Turning this off results in better performance for show source, but events will only come from the initial server and index. * Default: true distributed_search_limit = <unsigned integer> * The maximum number of events that are requested when performing a search for distributed show source. * As this is used for a larger search than the initial non-distributed show source, it is larger than max_count * Splunk software rarely returns anywhere near this number of results, as excess results are pruned. * The point is to ensure the distributed search captures the target event in an environment with many events. * Default: 30000 max_count = <integer> * Maximum number of events accessible by show_source. * The show source command will fail when more than this many events are in the same second as the requested event. * Default: 10000 max_timeafter = <timespan> * Maximum time after requested event to show. * Default: '1day' (86400 seconds) max_timebefore = <timespan> * Maximum time before requested event to show. * Default: '1day' (86400 seconds)   Cheers, Daniel ... View more

Hi @bamflpn, The peer-apps/xxx/local directory has higher precedence than etc/system/local on indexers. (see docs: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles#Precedence_within_global_context.2C_indexer_cluster_peers_only) To confirm the location of the setting that's overwriting your coldToFrozenPath, you can run btool on your indexers: ./splunk btool indexes list --debug | grep coldToFrozenPath   That should print out each line of all indexes.conf on the host that contribute to the final indexes config for the coldToFrozen option. Find the line that has the wrong value and that's the file that you should update.    If you want to delete the system/local/indexes.conf file you should first check what it's doing. To see what other config is being used from system/local/indexes.conf you can run: ./splunk btool indexes list --debug | grep system/local Any config that is listed will be applied to that indexer from the system/local/indexes.conf file. Either move the config to a peer-apps app, or just remove it if you don't need it.   Cheers, Daniel ... View more

Hi @POR160893,   I mocked up a similar dashboard and it looked fine in my browser when the window was maximised, but got the same bunched up look when the window was smaller. I played around with the CSS and got it looking ok no matter how small the window went. Here's what I ended up with: <row depends="$CSS$"><html><sytle> .singlevalue{width:10%!important;} .splunk-single, .svg-container{width: 100%!important;min-width:auto!important;;} .dashboard-row .dashboard-panel .panel-element-row div.single { min-width:auto;} rect{width: 100%!important;} </style> </html> </row> Note I set the single value width to 10% because there are 10 panels (100% / 10 = 10%) Give it a go and see how you get on.   Cheers, Daniel ... View more

Hi @sizemorejm, On Simple XML dashboards (aka Classic Dashboards) you can do that by using tokens. When you set a token, you can make panels or rows show, or make searches run. To make it show when the token exists use this: <row depends="$token$">  There's more info on docs here: https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/Viz/tokens#Access_tokens_to_show_or_hide_user_interface_components   Here's a sample dashboard with 4 tabs that show based on which button you click: <form version="1.1"> <label>Tabbed Dashboard</label> <description>https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Dashboard/m-p/646374#M52808</description> <fieldset submitButton="false"> <input type="link" token="page" searchWhenChanged="true" id="tab_menu"> <label></label> <choice value="Tab 1">Tab 1</choice> <choice value="Tab 2">Tab 2</choice> <choice value="Tab 3">Tab 3</choice> <choice value="Tab 4">Tab 4</choice> <change> <condition value="Tab 1"><set token="show_tab_1">true</set><unset token="show_tab_2"></unset><unset token="show_tab_3"></unset><unset token="show_tab_4"></unset></condition> <condition value="Tab 2"><set token="show_tab_2">true</set><unset token="show_tab_1"></unset><unset token="show_tab_3"></unset><unset token="show_tab_4"></unset></condition> <condition value="Tab 3"><set token="show_tab_3">true</set><unset token="show_tab_1"></unset><unset token="show_tab_2"></unset><unset token="show_tab_4"></unset></condition> <condition value="Tab 4"><set token="show_tab_4">true</set><unset token="show_tab_1"></unset><unset token="show_tab_2"></unset><unset token="show_tab_3"></unset></condition> </change> </input> </fieldset> <row depends="$show_tab_1$"> <panel> <title>Tab 1</title> <table> <search> <query>| makeresults | eval title="Page 1"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> <row depends="$show_tab_2$"> <panel> <title>Tab 2</title> <table> <search> <query>| makeresults | eval title="Tab 2"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> <row depends="$show_tab_3$"> <panel> <title>Tab 3</title> <table> <search> <query>| makeresults | eval title="Tab 3"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> <row depends="$show_tab_4$"> <panel> <title>Tab 4</title> <table> <search> <query>| makeresults | eval title="Tab 4"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> <row depends="$CSS_ONLY$"><html><style> #tab_menu { width: fit-content!important; } div#tab_menu button{ height: 38px!important; border: 1px solid #cccccc; min-width: 100px; /* background-color:#ffffff; */ width: auto; padding: 10px; margin-right: 8px; color: #333333; height: 55px; border-radius:7px; font-size: 16px; } div#tab_menu button[aria-checked="true"]{background-color:#006eaa!important;color:white!important;} </style></html></row> </form> Cheers, Daniel ... View more

Hi @DS904458,   Depending on how you want to use the list of numbers, you may be able to use a macro. E.g. this search: index=_internal sourcetype=splunkd | eval list= `generate_list(50,10,7)` | makemv list delim=" " | table _time, sourcetype, list Returns a list of 7 numbers from 10 to 50 : The macro definition is: [generate_list(3)] args = max,min,length definition = [|makeresults count=$length$\ | streamstats count as id\ |eval value=if(id=1,$min$, round($min$ + (id-1) * (($max$ - $min$) / ($length$ - 1)),1))\ | stats list(value) as value\ | nomv value\ | eval value="\"" . value . "\""\ | return $value] errormsg = Please only enter numbers for: Max, Min, Length. iseval = 0 validation = tonumber(max) >0 AND tonumber(min) >-1 AND tonumber(length) >0   It could also be used as the search for a dropdown on a dashboard, e.g.: | makeresults | eval list=`generate_list(50,10,7)` | makemv list delim=" " | mvexpand list | table list Does that help? Cheers, Daniel   ... View more

Hi @McMac84, Running searches are all logged to the _audit index - you can get details on cancelled searches there:   index=_audit action=search info IN("cancel","cancelled") | timechart span=15m count by user limit=15   I believe "cancel" is system-cancelled, and "cancelled" is user-cancelled, but that's just my guess based on this docs page. Cheers, Daniel   ... View more

Hi @Hadas  I've published a new version of the app since your post - try upgrading to the latest version to see if your issue is resolved. https://splunkbase.splunk.com/app/4438   Cheers, Daniel   ... View more

Hi @gabriel_vasseur  You can achieve this in JavaScript - the following will test to see if the theme is dark mode or not, and use that to determine which CSS to dynamically load. Here's the Javascript&colon; require(['jquery', 'api/SplunkVisualizationUtils'], function($, vizUtils) { // Splunk Answers: https://community.splunk.com/t5/Building-for-the-Splunk-Platform/Different-custom-CSS-depending-on-dark-VS-light-mode/m-p/631551#M10940 var isSplunkDarkMode = false; function addCss(fileName) { var link = $("<link />",{rel: "stylesheet", type: "text/css", href: fileName}) $('head').append(link); } if (typeof vizUtils.getCurrentTheme === "function") { // safe to use the function isSplunkDarkMode = (vizUtils.getCurrentTheme()=="dark"); }else{ //version 6.x, 7.0 isSplunkDarkMode = false; } //Update to point to your app / stylesheets here: var stylesheet = (isSplunkDarkMode) ? "/static/app/search/dark.css" : "/static/app/search/light.css" addCss(stylesheet); }); You need to update the links to point to your stylesheets as this one assumes they are in the search app. Create the files in $SPLUNK_HOME/etc/apps/<appname>/appserver/static/ Then update the app name above changing "search" to the actual app name. Cheers, Daniel ... View more

Hi @eholz1, You can try the small/medium/large trellis sizing to see if they give you enough white space between the blocks. If not, you can try tweaking the CSS: <row depends="$CSS_ONLY$"> <html><style> div.viz-facet-size-medium{border:1px solid blue;margin-right: 65px;margin-bottom:65px;} </style></html> </row>   The above makes my medium panels look like this: The blue outline is just to help visualize how big the gaps are. Tweaking the margin to 5px gives: The different CSS classes to tweak are: div.viz-facet-size-small{margin: 0px 15px 15px 0px;} div.viz-facet-size-medium{margin: 0px 15px 15px 0px;} div.viz-facet-size-large{margin: 0px 15px 15px 0px;} Cheers, Daniel ... View more

Hi @sai_krishna, Try this: <fieldset submitButton="false"> <input type="dropdown" token="reportingDayA"> <label>Reporting Day Misra apu</label> <fieldForLabel>readableDateA</fieldForLabel> <fieldForValue>epochA</fieldForValue> <search> <query>| tstats count where index=_internal by _time span=1d | eval readableDateA=strftime(_time,"%F") | eval epochA=strftime(_time,"%s") | dedup readableDateA | sort - _time ``` get latest and call it "latest" ``` | eventstats max(epochA) as latest | eval readableDateA=if(epochA=latest,"Latest",readableDateA) </query> <earliest>-7d@d</earliest> <latest>now</latest> </search> <selectFirstChoice>true</selectFirstChoice> </input> </fieldset>   The search will get all the dates, and label the most recent one "Latest".  Due to the way the list is sorted, this entry is the first one in the list. We can use that to our advantage by using the selectFirstChoice option for the dropdown - that makes the first entry in the list selected. Here it is in a dashboard: <form version="1.1" theme="light"> <label>Answers</label> <fieldset submitButton="false"> <input type="dropdown" token="reportingDayA"> <label>Reporting Day Misra apu</label> <fieldForLabel>readableDateA</fieldForLabel> <fieldForValue>epochA</fieldForValue> <search> <query>| tstats count where index=_internal by _time span=1d | eval readableDateA=strftime(_time,"%F") | eval epochA=strftime(_time,"%s") | dedup readableDateA | sort - _time | eventstats max(epochA) as latest | eval readableDateA=if(epochA=latest,"Latest",readableDateA) </query> <earliest>-7d@d</earliest> <latest>now</latest> </search> <selectFirstChoice>true</selectFirstChoice> </input> </fieldset> <row> <html> <h1>You selected: $reportingDayA$</h1> </html> </row> </form> Cheers, Daniel ... View more

Hi @mayurr98, I tried out a new props that looks like it's getting the fields to ingest correctly -  transforms.conf [cs_srctype] CLEAN_KEYS = 0 DELIMS = , FIELDS = action,category,dest,file_name,file_path,severity,severity_id,signature,signature_id,vendor_product props.conf [cs_srctype] KV_MODE = none REPORT-cs_srctype = cs_srctype SEDCMD=s/^((?:[^,]+,){4}[^,]+)(?<=\\),/\1\\,/ I've only added one additional line in the props - a sedcmd to add an escape to any trailing slash in the file_path segment. With that config set up, the data is ingested with the correct vendor_product field: Cheers, Daniel   ... View more

Hi @justanothersplu, I think Bin has just the feature you're looking for: aligntime You can pass aligntime the following: earliest - snap to the earliest time (down to the second), and let everything bin off that latest - similarly, snap to the latest time <time-specifier> This is what you'll need: set it to @m to snap to the current time to the minute See docs: Bin Try running this: index=_internal | bin _time span=60m aligntime=@m All the bins will snap to the current minute, and go back in 60m increments. Note - this won't work if you set your search time range to end some time in the past, but will work if you only want to snap to the current clock time. To be able to get buckets to snap to the minute based on your search time and not the clock time, you could try something monstrous like: index=_internal | bin _time span=60m [ | makeresults | addinfo | eval aligntime=strptime(strftime(info_max_time,"%Y-%m-%d %H:%M:00"),"%Y-%m-%d %H:%M:%S") | table aligntime | return aligntime ] I don't recommend it, but this search will calculate the latest search time to the minute, and use it to add to the bin command.  I think the first option will suit your needs best. cheers, Daniel ... View more

Hi @Tincho , It can be a bit of a pain creating regexes inside quotes, because you have to escape characters for the string, and escape characters for regex - meaning you double up on escaping characters. Here's a search that takes domain\\\\user and converts it to domain\user in a couple of different ways: | makeresults| eval user_name="DOMAIN\\\\\\\\USER" ``` Using replace - escaping multiple times ``` | eval user_name_replace=replace(user_name, "\\\\\\\\\\\\\\\\","\\") ``` Using sed ``` | eval user_name_sed = user_name | rex field=user_name_sed mode=sed "s/\\\\{4}/\\\\/" ``` Using rex to create a domain field, and user field, then combining them ``` | rex field=user_name "^(?<domain>[^\\\\]+)\\\\+(?<user>.+)$" | eval user_name_regex = domain . "\\" . user ``` output the results ``` | table user_name, user_name_replace,user_name_sed, user_name_regex That results in : Cheers, Daniel ... View more

Hi @DaDave , Here's a way to get the labels and values tokens in a multiselect. We will encode the key/values into the value field, and use conditional tags to extract the keys for the keys token and the values for the values token. Here's the dashboard code: <form version="1.1"> <label>Test</label> <fieldset submitButton="false" autoRun="true"> <input type="multiselect" token="input" searchWhenChanged="true"> <choice value="A|1">1</choice> <choice value="B|2">2</choice> <choice value="C|3">3</choice> <change> <condition match="isnull($input$)"> <unset token="selectedLabel"></unset> <unset token="selectedValue"></unset> </condition> <condition> <eval token="selectedLabel">replace($input$,"[a-zA-Z][|]","")</eval> <eval token="selectedValue">replace($input$,"[|][0-9]","")</eval> </condition> </change> </input> <input type="radio" searchWhenChanged="true"> <label>$selectedLabel$</label> </input> <input type="radio" searchWhenChanged="true"> <label>$selectedValue$</label> </input> </fieldset> <row><html> <table border="1"><tr><th>Value</th><th>Label</th></tr> <tr><td>$selectedValue$</td><td>$selectedLabel$</td></tr></table> </html><   I've updated the values in the multiselect to be in the format: value|key Then when the multiselect changes we extract everything before the | for the value, and everything after the | for the key. The replace regex will be a bit more complicated when you use actual data - but the general solution should work.   Cheers Spav ... View more

Hi @av_, Here's a solution that doesn't use javascript - just tokens in simplexml. Each text box is set up like this: <input type="text" token="text1" searchWhenChanged="true"> <label>TEXTBOX1</label> <default></default> <change> <condition match="value=&quot;&quot; AND $text2$=&quot;&quot;"> <unset token="search_can_proceed"></unset> </condition> <condition match="value=&quot;&quot; AND NOT $text2$=&quot;&quot;"> <set token="search_can_proceed">true</set> </condition> <condition match="NOT value=&quot;&quot; AND NOT $text2$=&quot;&quot;"> <set token="search_can_proceed">true</set> </condition> </change> </input>   The tokens are set when the text changes: If both are empty, we unset the search_can_proceed token If one has text but the other is empty then we set the search_can_proceed token Next, we make the search dependent on that token - and display a helpful panel that tells the user to enter text before the search will run: <row> <panel> <table depends="$search_can_proceed$"> <title>QUERY</title> <search depends="$search_can_proceed$"> <query>|makeresults | eval TEXTBOX1=$text1|s$, TEXTBOX2=$text2|s$ </query> </search> </table> <html rejects="$search_can_proceed$"> <h1> Please enter a term for TEXTBOX1 And/Or TEXTBOX2.</h1> </html> </panel> </row>   The depends and rejects attributes let us show a panel based on the token existing or not. Here's the dashboard all together: <form> <label>Dueling Text Boxes</label> <init> <unset token="search_can_proceed"></unset> </init> <row> <panel> <title>Please enter a term for TEXTBOX1 And/Or TEXTBOX2</title> <input type="text" token="text1" searchWhenChanged="true"> <label>TEXTBOX1</label> <default></default> <change> <condition match="value=&quot;&quot; AND $text2$=&quot;&quot;"> <unset token="search_can_proceed"></unset> </condition> <condition match="value=&quot;&quot; AND NOT $text2$=&quot;&quot;"> <set token="search_can_proceed">true</set> </condition> <condition match="NOT value=&quot;&quot; AND NOT $text2$=&quot;&quot;"> <set token="search_can_proceed">true</set> </condition> </change> </input> <input type="text" token="text2" searchWhenChanged="true"> <label>TEXTBOX2</label> <default></default> <change> <condition match="value=&quot;&quot; AND $text1$=&quot;&quot;"> <unset token="search_can_proceed"></unset> </condition> <condition match="value=&quot;&quot; AND NOT $text1$=&quot;&quot;"> <set token="search_can_proceed">true</set> </condition> <condition match="NOT value=&quot;&quot; AND NOT $text1$=&quot;&quot;"> <set token="search_can_proceed">true</set> </condition> </change> </input> <input type="time" token="lifeTime"> <label>Select Time</label> <default> <earliest>@d</earliest> <latest>now</latest> </default> </input> </panel> </row> <row> <panel> <table depends="$search_can_proceed$"> <title>QUERY</title> <search depends="$search_can_proceed$"> <query>|makeresults | eval TEXTBOX1=$text1|s$, TEXTBOX2=$text2|s$ </query> </search> </table> <html rejects="$search_can_proceed$"> <h1> Please enter a term for TEXTBOX1 And/Or TEXTBOX2.</h1> </html> </panel> </row> </form>   The only drawback to this is that if the tokens are set in the URL - e.g. by a drilldown, then the user will need to make the text box content change before the search is run.   ... View more

Hi @TalNiv , The easiest way is how @gcusello said - update the original dashboard to create two tokens for earliest / latest. You can add this to the section where you create the $time$ token in the original dashboard: <eval token="earliest">tonumber($time$) - 10000</eval> If you don't have access to that dashboard there aren't many options. AFAIK you cannot use URL sourced tokens in the <init> section of your dashboard to do the same eval tag. One very roundabout way is to create a dummy search, and create tokens off that. E.g. put this at the top of your dashboard under the label section: <search> <query>|makeresults | eval earliest=tonumber($time$) - 100000, latest=$time$</query> <done> <set token="earliest">$result.earliest$</set> <set token="latest">$result.latest$</set> </done> </search> Now you can use $earliest$ and $latest$ in your searches. ... View more

Hi @sweety1309  I think the issue is with the where clause.  Say the duration is 108. The where clause will not match on:  (duration > 45 and duration <= 75) But will match on:  (duration > 105 and duration <= 120) However, the where clause uses AND between these terms, so the duration must be both less than 75 AND greater than 105. Try replacing your ANDs with ORs: | where (duration > 45 AND duration <= 75) OR (duration > 105 AND duration <= 120) OR (duration > 120 AND duration <= 180) OR (duration > 180) Seeing as you don't use the duration field, you could simplify it further: | where (duration > 45 AND duration <= 75) OR (duration > 105)   ... View more

Hi @ershishirkumar,   There's a great app available on Splunkbase that tracks all available apps on Splunkbase: Analysis of Splunkbase Apps for Splunk https://splunkbase.splunk.com/app/2919/   It pulls down details about every app on Splunkbase and presents you with a couple of dashboards to explore. There's a section on the main dashboard that compares your installed apps with the latest version on Splunkbase ("local audit"). If you install this app, you could convert the search that performs the local audit to an email alert.         ... View more