Hi @a1bg503461  Please can you confirm which version of Splunk you are seeing the issue with? Are you simply uploading the SVG into an image in Dashboard Studio?  When I use the SVG you posted as a file in a dashboard it displays correctly for me (on 9.4.1) Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will   ... View more

Hi @MU2DOD  It looks like you're experiencing an issue which first started in ES8. Check out https://splunk.my.site.com/customer/s/article/Mission-control-8-0-fails-to-assign for more detailed info, however I believe the following should fix the issue for you: ensure that FQDN instead of ServerName is set in server.conf in the whole environment do that step if splunkd logs, reference hostnames (names without domain names, meaning non-FQDN) over HTTPS set sslVerifyServerCert and sslVerifyServerName to true in all instances then restart the whole Splunk Environment where changes have been made push the bundle from the deployer to the SHC members Once that is done, then in Mission Control, manually add Investigation Types (which previously wasn't working) then set the newly added type as the default then editing notable events, adding custom fields, and other should work Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @mchoudhary  Judging by the app which the search is running in it is likely that this is an accelerated datamodel generation search which is using a lot of memory.  The easiest way to see what the search is would be to run something like this, updating the search_id value with the search ID of the search you wish to investigate. Note: The single quotes are required when I run this search due to how the search_id is parsed, so worth keeping those in. index=_audit search_id='1741783414.663348' info=granted search=* This will give info on the search, the user, the app, the provenance (Which is usually the dashboard name if its run from within a dashboard) and a bunch of other info such as start/end times: Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @pacifiquen  If there has been a period of time where the license wasnt valid and was not a non-enforcement license then it may be blocked. Does it give any warning about being over the licensed limit 5 times? What is the exact error? Either way, it sounds likely that you will need a reset license code, this can be supplied by Splunk Support and/or your Splunk account manager/team and will need to be applied to your account in order to remove the limitation. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

HI @imam29  In this case, I would expect the timeout to be after 30 minutes of no activity in the UI. The other timeout option is in server.conf/[general]/sessionTimeout -  See https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf?_gl=1*homgau*_ga*NzI2Njg4NjMzLjE2NTUzOTI4OTQ.*_gid*MTIyOTUyNTY3Mi4xNjU1MzkyODk0&_ga=2.206629523.1229525672.1655392894-726688633.1655392894#:~:text=string.%0A*%20Default%3A%20shortname-,sessionTimeout,-%3D%20%3Cnonnegative%20integer%3E%5Bs   The ui_inactivity_timeout is the amount of minutes when there is no user interface clicking, mouseover, scrolling, or resizing. * Notifies client side pollers to stop, resulting in sessions expiring at the 'tools.sessions.timeout' value, so any mouseover, scrolling etc on the browser will reset this timer. Just to check, have you restarted since making these changes?  Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will   ... View more

Hi @imam29  It sounds like you'll need to update the ui_inactivity_timeout setting under web.conf/[settings] which is the timeout for when the user does not interact with the browser, but there is also another setting "tools.sessions.timeout" which is the actual session timeout value.  However, I think it would be worth reading this doc about setting session timeout so that you can satisfy yourself that you are updating the correct setting and not being overly permissive with timeouts. https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/Configureusertimeouts#:~:text=In%20addition%20to%20setting%20the,The%20default%20is%2060%20minutes. In addition to managing in the config files, you can also update this in the UI if preferred: Click Settings in the upper right-hand corner of Splunk Web. Under System, click Server settings. Click General settings. In the Session timeout field, enter a timeout value. Click Save. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will     ... View more

Hi @MrLR_02  As @gcusello  said - you'd normally put daily data like this in an index, however if you really want to write to KV store then please see below 🙂 Are you currently using the smi.eventWriter to send data to you index with a streamEvents method? If you have the session_key within your writer function then you should be able to use the inbuilt Splunk Python SDK to communicate with the KV Store. You'll need to initiate a new client using the session_key if you havent already got one within your method. I havent got an example to hand but I will see if i can find one however this pseudo code may help you towards a working code import splunklib.client as client import splunklib.modularinput as smi # Define your modular input class class MyModularInput(smi.Script): def get_scheme(self): scheme = smi.Scheme("My Modular Input") scheme.description = "Streams data to a Splunk KV Store" scheme.use_external_validation = False scheme.streaming_mode = smi.Scheme.streaming_mode_simple return scheme def stream_events(self, inputs, ew): # Iterate over each input stanza for input_name, input_item in inputs.inputs.items(): # Retrieve the session key session_key = inputs.metadata["session_key"] # Connect to Splunk using the session key service = client.connect(token=session_key) # Define the KV Store collection name collection_name = "your_kv_collection" # Data to be written to the KV Store data = { "key1": "value1", "key2": "value2" } # Access the KV Store collection collection = service.kvstore[collection_name] # Insert data into the KV Store try: collection.data.insert(data) ew.log("INFO", "Data successfully written to the KV Store.") except Exception as e: ew.log("ERROR", f"Failed to write data to the KV Store: {e}") # Run the modular input script if __name__ == "__main__": sys.exit(MyModularInput().run(sys.argv)) Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

You can also use an mstats query to query to _metrics index:   | mstats latest(_value) as val WHERE index=_metrics AND metric_name=spl.intr.disk_objects.Partitions.data.* by data.mount_point, metric_name | rename data.mount_point as mount_point | eval metric_name=replace(metric_name,"spl.intr.disk_objects.Partitions.data.","") | eval {metric_name}=val | stats latest(*) as * by mount_point | eval free = if(isnotnull(available), available, free) | eval usage = round((capacity - free) / 1024, 2) | eval capacity = round(capacity / 1024, 2) | eval compare_usage = usage." / ".capacity | eval pct_usage = round(usage / capacity * 100, 2) | stats first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by mount_point | rename mount_point as "Mount Point", compare_usage as "Disk Usage (GB)", pct_usage as "Disk Usage (%)"   Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

You can also use an mstats query to query to _metrics index: | mstats latest(_value) as val WHERE index=_metrics AND metric_name=spl.intr.disk_objects.Partitions.data.* by data.mount_point, metric_name | rename data.mount_point as mount_point | eval metric_name=replace(metric_name,"spl.intr.disk_objects.Partitions.data.","") | eval {metric_name}=val | stats latest(*) as * by mount_point | eval free = if(isnotnull(available), available, free) | eval usage = round((capacity - free) / 1024, 2) | eval capacity = round(capacity / 1024, 2) | eval compare_usage = usage." / ".capacity | eval pct_usage = round(usage / capacity * 100, 2) | stats first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by mount_point | rename mount_point as "Mount Point", compare_usage as "Disk Usage (GB)", pct_usage as "Disk Usage (%)" Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @SN1  Yes, the data is also in the _introspection index, so you can run the following search instead of using REST endpoints if you prefer - this also means you can track it easily over time if needed too. index=_introspection host=macdev sourcetype=splunk_disk_objects | rename data.* as * | eval free = if(isnotnull(available), available, free) | eval usage = round((capacity - free) / 1024, 2) | eval capacity = round(capacity / 1024, 2) | eval compare_usage = usage." / ".capacity | eval pct_usage = round(usage / capacity * 100, 2) | stats first(fs_type) as fs_type first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by mount_point | rename mount_point as "Mount Point", fs_type as "File System Type", compare_usage as "Disk Usage (GB)", pct_usage as "Disk Usage (%)" Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Ah @bowesmana , I may have misunderstood the ask here, as you say. I used streamstats by test_name after sorting by (an assumed sequential) test_id. Although I'm not sure why there being the same test_id for multiple test_name would affect the output here, as I'm not using the test_id in the streamstats? I may have missed something though (and not had coffee yet!) @dolj Please let us know how you are getting on, and if you clarify the requirement I'd be happy to help further and update the previously posted search if required 🙂 Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @SN1  This is because the values from the endpoint are in MB but are being divided by 1024 twice in this search hence they become in TB.  try switching 1024/1024 for just 1024 in each occurrence and see if that resolves for you 🙂 Will ... View more

Hey @Osama_Abbas1  Thanks for letting us know how you resolved it 🙂 Good luck with your future AppD work! Will ... View more

If you do decide to go down the route of using the Linux TA then just enable what you need (ie the disk monitoring) as it can become very busy very quickly as there are lots of different inputs! Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @Praz_123  You could try running   | rest /services/server/info | table serverName, server_roles, status   This query uses the rest command to access the Splunk REST API endpoint that provides information about the servers in your Splunk deployment. The server_roles field will help you identify which servers are indexers, and the status field will show their current status. If you want to specifically check the health of your indexers, you can use the following query: | rest /services/server/status/health/overview | search title="Indexer" | table title, health, messag    Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @SN1  I think this might have been mentioned on the previous thread about disk space that you raised, but I think you should probably look to implement the Splunk Add-on for Unix and Linux which has Disk monitoring. https://splunkbase.splunk.com/app/833 Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will   ... View more

Hi @lar06  Please can you confirm that you are using 9.3.2 on both the source and destination Splunk instance and that it is not being sent via any non-supported Splunk versions or external systems? Have you made any recent changes to the architecture? Are either the client/source or destination server running hot (ie high CPU?) Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @JoshuaJJ  Make sure that the file has execute chmod settings so that it can be executed without prepending with "bash" (for example) chmod +x <yourSHFile) Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @rksharma2808  Check out http://github.com/splunk/splunk-ansible which is a whole set of Ansible playbooks for Splunk.  Are there particular tasks you are wanting to carry out, or particular technologies already in place? Also, what type of servers (and roles of these servers) are you interested in running this against? Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @pm771  The searchmatch command is applying the parameter you pass it as if was in the original search, so "TWO THREE" is like "index=test TWO THREE" which is the same as "index=test THREE TWO" in SPL terms. (Like you said, its doing an AND). If you want to search literally for "TWO THREE" then you need to do this: | eval match=IF(searchmatch("\"TWO THREE\""),1,0) which is to add a set of escaped quotes around the text, this would be like running the below, if you follow what I mean? index=test "TWO THREE" Here are some comparisons that might help:: | makeresults | eval _raw="ONE TWO THREE FOUR" | eval match1=IF(searchmatch("TWO THREE"),1,0) | eval match2=IF(searchmatch("THREE TWO"),1,0) | eval match3=IF(searchmatch("SIX"),1,0) | eval match4=IF(searchmatch("\"TWO THREE\""),1,0) | eval match5=IF(searchmatch("\"THREE TWO\""),1,0) Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more

Hi @lcguilfoil  Change your "splunk.events" to "splunk.table"  So its like this example: "viz_URfuD3f4": { "containerOptions": {}, "context": {}, "dataSources": { "primary": "ds_0zCzRLMd" }, "options": {}, "showLastUpdated": false, "showProgressBar": false, "type": "splunk.table" }   Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will ... View more