In my experience XML dashboards wont let you do scrolling for a single viz.  I just played around with Dashboard Studio and I can force a space between the lines but it just squeezes the lines.  There is no scrolling on the viz no matter the size of the panel.  I don't believe the behavior you want is possible. ... View more

\"webaclId\":\s\"[^:]+:[^:]+:[^:]+:[^:]+:[^:]+:regional\/webacl\/([^\/]+)\/ Your example data has a space "webaclId": " Verified from regex101   ... View more

Ok that's way too much logic for me to follow on a Monday morning before I have even had coffee.  I would split the fields into mv unique options.  Then start evaluating a new field based upon your logic flow.  Anything with a TRUE outcome can be your final results. ... View more

Can you provide an anonymized sample of what this search displays and an example record of what you want the final output to be? ... View more

Contact Methods for US/CAN https://www.splunk.com/en_us/about-splunk/contact-us.html?locale=en_us Non US/CAN locations https://www.splunk.com/en_us/about-splunk/contact-us.html?locale=en_us#customer-support   ... View more

I believe so but I've never tested and I don't have a dev environment to verify.  You can try inside your regex to create an unnamed capture group.  Inside the FORMAT tag replace <new-value> with "$1". ... View more

transforms.conf [index_reset] SOURCE_KEY = _raw DEST_KEY = _MetaData:index REGEX = . FORMAT = index::<new-value> This searches the _raw data feed for the regex match (change my example), then applies the FORMAT to the DEST_KEY. Test in development environment first to fine tune this process, it can be tricky to get the regex and format just right. ... View more

Creating the regex would be easy enough but it looks like your data is already coming in JSON or XML format.  Is there a chance that the fields are already extracted as "city" and "state"?  If not then I would recommend revisiting the ingestion props as a best practice.  Rather than creating a lot of regex at search time if you had that field extraction during indexing then any changes to data would auto extract new fields.   .*\"city\"\:\"(?<city>[^\"]+)\"\,\"state\"\:"(?<test>[^\"]+)   ... View more

A cluster requires 3 or more (odd counts only).  Quorum is obtained by having 50%+1 in sync.  Having only 2 nodes means there will never be quorum. ... View more

https://docs.splunk.com/Documentation/Splunk/9.3.2/Alert/Emailnotification#Define_an_email_notification_action_for_an_alert_or_scheduled_report Right now the domain setting is still listed at 'Optional' for the documentation which obviously hasn't caught up with the default install health checks.  So you wont find the supporting information you are requesting just yet.  But I have been in the security side of corporate life for some time.  Giving users the default ability to email alerts or reports to any destination is a massive Data Loss Protection issue. ... View more

Port 9997 is a reserved port for splunk - if this is an external stream from syslog or any other source please select a different port. Example port=2514 I selected that as 514 is syslog reserved and 1514 I have seen for TCP encrypted syslog so best to just get up and away from that.  But by keeping the *514 format it will be easier for others who may inherit your setup to know instinctively that it's a syslog source. ... View more

Can you share the inputs stanza you have for listening to the TCP stream? Inside the default application props is: [bluecoat] rename=bluecoat:proxysg:access:syslog This occurs at search time only per the instructions at: https://docs.splunk.com/Documentation/Splunk/9.3.0/Admin/Propsconf#Sourcetype_configuration rename = <string> * Renames [<sourcetype>] as <string> at search time * With renaming, you can search for the [<sourcetype>] with sourcetype=<string> * To search for the original source type without renaming it, use the field _sourcetype. * Data from a renamed sourcetype only uses the search-time configuration for the target sourcetype. Field extractions (REPORTS/EXTRACT) for this stanza sourcetype are ignored. * Default: empty string This leaves any _time extraction issues with the source type identified in the inputs.conf stanza. ... View more

| rest splunk_server=local /services/authorization/roles | rename title as role | table role capabilities imported_capabilities imported_roles Sorry to belabor this point but I'm not certain you have answered my question.  Does the role import another role which has the setting?  The above REST call on the Search Head the user is assigned will tell you the exact information. If you have already checked and no stray imports are occurring then my apologies for keeping after this point.  I've reviewed the documentation on capabilities and just can't find anything that would explain the user behavior. ... View more

@Jamietriplet wrote: index=Index name sourcetype=sourcetype name (field names)earliest=$TimeRange$ latest=now() index=Index name sourcetype=sourcetype name (field names)earliest=$TimeRange.earliest$ latest=$TimeRange.latest$ ... View more

There is a search panel you are trying to pass the variables to.  The panel that gives an error when trying to use the token values. ... View more

I have always preferred the roll over summary generated once daily. index=_internal source=*license_usage.log* type=RolloverSummary https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself https://docs.splunk.com/Documentation/Splunk/latest/Admin/Shareperformancedata   ... View more

Check what roles are inherited like "user" which would carry up the ability to create a dashboard.  Please check which version you have, I believe in version 9.3.x you should look for this. [capability::edit_view_html] * Lets a user create, edit, or otherwise modify HTML-based views. https://docs.splunk.com/Documentation/Splunk/9.3.0/Admin/authorizeconf   ... View more

The UF agent has a certificate based secure communications back to the HF or Indexing tier.  The default certificates at install are the same across all installs so are not secure until you place your own certificates.  Beyond that I do not know of any transmission checks so you need to rely on the assumption that with proper encryption that no one is touching the data in transit. ... View more

Share the panel that is referencing the TimeRange with the error. ... View more

You need to see if the source exposes any sort of API to provide the information you need.  Or you can script a curl statement to see if the initial HTTP response code is in the 400's but that's far more prone to complications if you take into account any of the numerous things the domain owners can do with their service. ... View more

Please share the source code for the Time Selection dropdown and for the search panel you are referencing the token. ... View more

| eval "Last Logon"=strftime(strptime(LastLogon, "%Y-%m-%dT%H:%M:%S.%QZ"),"%Y%m%d %H:%M:%S") | eval lastLogon=strptime(LastLogon, "%Y-%m-%dT%H:%M:%S.%QZ") Sorry about not having a better explanation.  "Last Logon" and "lastLogon" are being generated from a field "LastLogon" which I hope or assume is in the original data set. "Last Logon" is a nested strptime inside a strftime.  The strptime takes and human readable format and converts to epoch, while the strftime will take epoch and convert to human readable.  The nested function here essentially converts the format from one human readable to another human readable.  There are easier methods but if it was working maybe don't change it until your skill level jumps. "lastLogon" just takes the human readable format and converts to epoch(Unix) time - which makes duration calculations much easier. Check that "LastLogon" field is still there and that the format still matches the "xxxx-xx-xxTxx:xx:xx.xxxZ" that the strptime command is configured to expect.  Also check to see if the time shift you are experience can be explain by the delta in your local time zone (either personal setting, or that of the Search Head).  It expects the raw data from the field to be in Zulu time.   ... View more

I had assumed you were doing Classic XML to start, Dashboard Studio is slightly different I can try testing later. ... View more

Ok so we know row and results works in other environments.  Something should be there based upon what we have seen from your SPL and table results.  I would recommend saving the updated drill down, then log out of splunk, close browser and clear cache/cookies, log into splunk, and reload dashboards. ... View more