Hello, Is there a way to convert this query to run with tstats? It is _slow_ when running it for two weeks of data... index=index_name host=IP_name | eval lag_sec = (_indextime - _time) | eval lag_min = lag_sec/60 | timechart span=1h avg(lag_min)   ... View more

We have the outliers SPL and visualizations  work, but I don't know how to create the alerts themselves?  How do we go about it?  We can use sendemail, but it won't be captured within _audit, which is a shame. ... View more

A dashboard which uses tabs.js and tabs.css worked all along and suddenly we get the error message -    A custom JavaScript error caused an issue loading your dashboard, likely due to the dashboard version update. See the developer console for more details.     What can it be?   ... View more

As we work on the migration to the cloud, we have the following case - We are sending the syslog data to a heavy forwarder on the cloud (and to the on-prem indexers), to its 9997 port. When reaching this HF, we would like to fork just the firewall data to a subset of the indexers. Is it possible to make such a routing? We would like to have something like -    [<transforms_stanza_name>] SOURCE=index REGEX=^firewall DEST_KEY=_TCP_ROUTING FORMAT=<subset of cloud indexers>     ... View more

We have the following -    # /data/xxxx/<hostname>_syslog.log [datanow-syslog-host] SOURCE_KEY = source REGEX = \/data\/xxxx\/(.+)_syslog\.log DEST_KEY = MetaData:Host FORMAT = host::$1   Trying to extract the host name from the source without much luck. Any ideas?  ... View more

We have many Cisco Meraki devices sending data via syslog to Splunk. Is there an add-on for the Cisco Meraki devices, to extract the fields from the events. One more thing. do the Meraki devices support json?  ... View more

We would like to detect and display fluctuations of data. So, let's say the count of network events for a certain sourcetype in this month is double than the previous month, we would like to show it in a panel and potentially create an alert for it. How can we do it?  ... View more

When the syslog daemon writes to the syslog file, what is the time stamp it writes? is it the host date/time or the event date/time? We quite often use the following in the syslog config -  template("${DATE} ${MSGHDR}${MSG}\n");       ... View more

We have a case where -   index = network_index host=xx.xx.xx.xx | eval lag_sec = (_indextime - _time) | stats count by lag_sec   _time is current but _indextime is 37 minute earlier.  What can it be?  ... View more

We would like to send our wineventlog data to the on-perm cluster as well as to the cloud. How can we do that? we can fork at the UF level but we are not happy about this approach.   ... View more

We have the following command that works well -    | transaction job_name startswith=STARTING keeporphans=true   Is it possible to convert it to the stats command? ... View more

The Monitoring Console is very slow, the Overview page takes five to load to report about 150 indexers. Any other page takes a couple of minutes to load. What can it be? ... View more

We have the following -    <input type="dropdown" token="Status" searchWhenChanged="false"> <label>Job Status</label> <choice value="*">ALL</choice> <choice value="SUCCESS">SUCCESS</choice> <choice value="FAILURE">FAILURE</choice> <choice value="RUNNING">RUNNING</choice> <default>*</default> <initialValue>*</initialValue> </input>     In the code the following works just fine -   | where STATUS = "$Status$"     Except for the ALL token as the code would be -   | where STATUS = "*"   Instead of -   | where STATUS = *     What can be done? ... View more