Is there a way to check the details of the Splunk license other than the Manager - License Menu. I was recently requested to remove and install a new license on a Splunk instance. I did so using the GUI in Splunk manager. But afterward, the manager appears to have two licenses installed. I removed them both and re-entered the new license provided, however I still see two license entries. Is there another method, perhaps at the command line, to verify the current license installed? Should I see two licenses in the GUI Manager if only 1 is installed? Thanks. ... View more

I've made the following modifications to the welcome.html file in splunk. Basically, I copied a chunk of code from the Sideview application that I'd like modify and use in the welcome.html file. The code I have below is commented fairly well, however it does not work, is it possible to do this? Thanks in advance. <style> .welcomediv { float: left; padding-right: 15px; padding-left: 15px; border-right-style: dotted; border-right-width: 1px; width: 30%; } .intro { font-size: 12px; } </style> <div> <p class="intro"> ${_('The Splunk app comes built with some useful out of the inputs, dashboards, custom views, and saved searches. <br/>This app has the following built in functions.')} </p> <p> <strong>${_('Important - all data in the app is by default in its own index named "myapp".')}</strong> ${_('To search for data be sure to include "index=myapp" in your search. ')}<a href="/en-US/app/nc/flashtimeline?q=search%20index%3Dmyapp&earliest=-30d%40d&latest=now"><%doc>TRANS: Link to an example</%doc>${_('example...')}</a> </p> <p> ${_('<a href="%s">> Configure Splunk</a>') % make_url('/manager/core')} </div> <!-- SIDEVIEW MOD STARTS HERE --> <div style="float:left; padding-right: 15px; margin-right: 15px; border-right-style: dotted; border-right-width: 1px; width: 30%;"> <h3>${_('This application includes the following comprehensive view templates:')}</h3> <ul> <li>${_('<a href="%s">Customer 5 Minute Summary</a>') % make_url('/app/myapp/realtime_cusomer_activity')}</li> <li>${_('<a href="%s">Customer 1 Hour Summary</a>') % make_url('/app/myapp/customer_activity')}</li> </ul> </div> <div style="float: left;"> <module name="HTML" layoutPanel="panel_row1_col1" group="example: static pulldown "> <param name="html"><![CDATA[ Here we start with a single static pulldown element, configure it to output "report" for downstream modules, and then we insert it directly into a $report$ token in a Search module. ]]></param> </module> <module name="Pulldown" layoutPanel="panel_row2_col1" autoRun="True"> <param name="name">selectedReport</param> <param name="label">Show </param> <param name="staticFieldsToDisplay"> <list> <param name="label">Average eps</param> <param name="value">avg(eps)</param> </list> <list> <param name="label">min, max and average</param> <param name="value">min(eps) avg(eps) max(eps)</param> </list> </param> <module name="Search"> <param name="search">index=myapp source="*metrics.log" group="per_sourcetype_thruput" | stats $selectedReport$ by series</param> <param name="earliest">-1h</param> <param name="latest">now</param> <module name="Pager"> <param name="entityName">results</param> <module name="SimpleResultsTable"> <param name="displayRowNumbers">False</param> <param name="entityName">results</param> </module> </module> <module name="HTML"> <param name="html"><![CDATA[ the report is: <b>$selectedReport$</b><br> the report label is: <b>$selectedReport.label$</b><br> the entire search is: <b>$search$</b> ]]></param> </module> </module> </module> <!---- SIDE VIEW MOD STOPS HERE --> </div> ... View more

I have the following code that creates a pie chart in a form. <row> <chart> <title>Customer Activity</title> <option name="charting.chart">pie</option> <option name="drilldown">all</option> </chart> <chart> <title>Customer Activity</title> <option name="drilldown">all</option> </chart> The pie chart is displaying dates values in the pie chart versus customer names. Is there a way to change the contents of the pie chart to display customer information (names) and not dates? Thanks. ... View more

I've got the following code in a view. It works fine with one strange exception. I see the text "Loading..." in the upper right hand side of the view when I include the HTML portion (in bold below). If I remove the HTML, the "Loading..." text disappears. Now the view contents and the HTML work so I don't see what could be "Loading". Any clue as to what is causing this? Thanks. <?xml version="1.0"?> <view template="dashboard.html"> **<module name="HTML" layoutPanel="viewHeader"> <param name="html"><![CDATA[ <h1 align="center">Customer Activity</h1> <h2> bla bla</h2> <h3> more bla bla</h3> <a align="right" href="/en-US/app/MyApp/about_dashboard">Customer Home</a> <br> odalsfaslj saljdfasjf ]]></param> </module>** <label>Customer Activity</label> <module name="GenericHeader" layoutPanel="panel_row1_col1"> <param name="label">Customer Activity (Most ACTIVE)</param> <param name="invervalInSeconds">300</param> <module name="HiddenSearch" autoRun="True" layoutPanel="panel_row1_col1_grp1"> <param name="search"> index="MyApp" sourcetype="client" | timechart count by client </param> <param name="earliest">-1h</param> <module name="HiddenChartFormatter"> <param name="chart">line</param> <param name="chart.nullValueMode">connect</param> <param name="secondaryAxis.scale">log</param> <param name="primaryAxisTitle.text">Time</param> <param name="secondaryAxisTitle.text">Volume</param> <module name="FlashChart"/> </module> </module> </module> </view> ... View more

I've got the following code in a view. Everything appears to work fine, except when I click on the HREF to connect to another web site, The link it does not work. The address is correct. I can place the address in a browser and it will work. Why not in a view? Thanks in advance. <module name="HTML" layoutPanel="viewHeader"> <param name="html"><![CDATA[ <h1 align="center">Customer Activity</h1> <h2> bla bla</h2> <h3> more bla bla</h3> <a align="right" href="http://10.14.53.50:8000/en-US/app/prod/about_dashboard">Client Home</a> <br> odalsfaslj saljdfasjf ]]></param> ... View more

I'm not getting the expected results from the following view code. The sample is directly from the "Sideview" app from Splunk. The problem is I've added my own code to the view. My code works as a standalone view. I want to integrate it into the following to get some additional HTML functionally. Why does my code not show up as part of the view? <!-- Copyright (C) 2010-2011 Sideview LLC. All Rights Reserved. --> <view autoCancelInterval="90" isVisible="true" onunloadCancelJobs="true" template="dashboard.html" isSticky="False"> <label>embedding static HTML</label> <module name="AccountBar" layoutPanel="appHeader" /> <module name="AppBar" layoutPanel="appHeader" /> <module name="SideviewUtils" layoutPanel="appHeader" /> <module name="Message" layoutPanel="messaging"> <param name="filter">*</param> <param name="maxSize">2</param> <param name="clearOnJobDispatch">False</param> </module> <module name="HTML" layoutPanel="viewHeader"> <param name="html"><![CDATA[ <h1>Embedding static HTML</h1> ]]></param> </module> <module name="HTML" layoutPanel="panel_row1_col1"> <param name="html"><![CDATA[ <p> HTML can replace StaticContentSample, SingleValue, SimpleResultsHeader and much more... </p> <p> First though lets start with simple static HTML because we'll get to the other stuff in the next two examples. For putting various static HTML into your views, Splunk ships with a couple modules called ServerSideInclude and StaticContentSample . </p> <p> ServerSideInclude requires you to create and maintain an HTML file in your app's appserver/static directory and although this is good for some cases it's usually clunkier than what you need. And StaticContentSample does an OK job but the name is just too silly for primetime. </p> ]]></param> </module> <!-- ******************************************************************* --> <module name="HTML" layoutPanel="panel_row2_col1" group="Very simple static HTML example"> <param name="html"><![CDATA[ <p> If you've been following along in the XML source as you read, then you're already very familiar with this module, because every piece of embedded copy in this app has used an HTML module already. </p> <p> But yes, as long as you wrap the HTML in CDATA you can just jam any old HTML in here. Be careful to close all your div tags. Unless of course you want to do strange and subversive things to the page. </p> <table class="splTable"> <tr> <th>Goodness</th> <th>Gracious</th> </tr> <tr> <td>plain old HTML ftw</td> <td>42</td> </tr> </table> ]]></param> </module> <module name="HTML" layoutPanel="panel_row2_col2"> <param name="html"><![CDATA[ <h3>Notes</h3> <ol class="notesList"> <li> The next two pages are a LOT more exciting. If you're reading this then you have already tarried too long. </li> <li> read the specification for the Sideview module <a href="/modules#Splunk.Module.HTML" target="_blank">HTML and its params</a> </li> </ol> ]]></param> </module> <!-- CODE FOLLOWS --> <module name="GenericHeader" layoutPanel="panel_row1_col1"> <param name="label">Customer Activity (Most ACTIVE)</param> <param name="invervalInSeconds">300</param> <module name="HiddenSearch" autoRun="True" layoutPanel="panel_row1_col1_grp1"> <param name="search"> index="MyIndex" | timechart count by Customer </param> <param name="earliest">-1h</param> <module name="HiddenChartFormatter"> <param name="chart">line</param> <param name="chart.nullValueMode">connect</param> <param name="secondaryAxis.scale">log</param> <param name="primaryAxisTitle.text">Time</param> <param name="secondaryAxisTitle.text">Volume</param> <module name="FlashChart"/> </module> </module> </module> <!-- CODE COMPLETE --> </view> ... View more

How do I add random HTML code to the following Splunk view? (Or any view in general?) I just need to dress up the view with administrative overhead. Thanks. <?xml version="1.0"?> <view template="dashboard.html"> <label>1Hr(5min Refresh) - Customer Activity</label> <module name="GenericHeader" layoutPanel="panel_row1_col1"> <param name="label">Customer Activity (Most ACTIVE)</param> <module name="AutoRefresh"> <param name="invervalInSeconds">300</param> <module name="HiddenSearch" autoRun="True" layoutPanel="panel_row1_col1_grp1"> <param name="search"> index="MyIndex" sourcetype="customer" | timechart count by customer </param> <param name="earliest">-1h</param> <module name="HiddenChartFormatter"> <param name="chart">line</param> <param name="chart.nullValueMode">connect</param> <param name="secondaryAxis.scale">log</param> <param name="primaryAxisTitle.text">Time</param> <param name="secondaryAxisTitle.text">Volume</param> <module name="FlashChart"/> </module> </module> </module> </module> </view> ... View more

Cab someone please explain what the following parts of the query do (just the bolded portion, not the entire query). Thanks. The duration field that is being calculated looks like myapp_duration=0d 0h 0m 0s in the native format. The whole search: index=myapp NOT EIT_Net NOT businessUnit=EIT | eval myapp_duration=replace(replace(replace(myapp_duration,"d\s","+"),"h|m|s",""),"\s",":") | convert dur2sec(myapp_duration) | stats avg(myapp_duration) as avg_myapp_duration by severity | eval avg_myapp_duration=tostring(round(avg_myapp_duration,0),"duration") | eval severity=case(severity==0,"Cleared", severity==1,"Intermediate", severity==2,"Warning", severity==3,"Maintenance", severity==4,"Major", severity==5,"Critical") | rename severity as Severity | rename avg_myapp_duration as "Average Duration" Portion of interest: eval myapp_duration=replace(replace(replace(myapp_duration,"d\s","+"),"h|m|s",""),"\s",":") | convert dur2sec(myapp_duration) | stats avg(myapp_duration) as avg_myapp_duration by severity | eval avg_myapp_duration=tostring(round(avg_myapp_duration,0),"duration") ... View more

I have three different searches below. The first one counts and graphs ticket numbers between 10 AM and 10 PM (shift one), and the ticket numbers between shift 10 PM and 10 (AM shift 2). The second search only counts and graphs the evening ticket numbers (10 PM to 10AM). The third search only counts and graphs the daily ticket numbers (10 AM to 10 PM). My problem is the daily ticket numbers don't match between the first query and the third. The evening numbers match up. The daily numbers do not. Any idea why? Thanks in advance. Query1 - index=myapp lastOccurrence firstOccurrence earliest=-30d@d-14h | where lastOccurrence=firstOccurrence | eval Shift=if(10<=date_hour and date_hour<22,"Evening Stats","Daily Stats") | timechart span=1d count by Shift Query2 - index=myapp earliest=-30d@d-2h | where(date_hour<10 or date_hour>=22) | where lastOccurrence=firstOccurrence | eval _time=if(date_hour<10, _time-86400, _time) | bucket _time span=1d | stats count by _time | sort - _time Query3 - index=myapp earliest=-30d@d-14h | where (date_hour>=10 AND date_hour<22) | where lastOccurrence=firstOccurrence | bucket _time span=1d | stats count by _time | sort - _time ... View more

I've created an application that has many charts, including bar charts and pie charts. When I copy the splunk/etc/apps/myapp folder to a search head, all my pie charts turn into bar charts. Why is that and how can that be fixed? I know how to modify the objects and turn them back into PIE charts. However, my question is how to prevent that from happening in the first place. I can't roll out the application and then fix it afterwards. That is not an option. Thanks, ... View more

I've setup a search head with an application I've wrote that references a remote indexer. The application seems to work. However, I have the following error on the search head that does not appear on the indexer when I run the same app. [splunk] The lookup table 'wksh_action_lookup' does not exist. It is referenced by configuration 'syslog'. How do I resolve this error? Thanks. ... View more

Can the speed of a form that utilizes a drop down menu be increased? I'm generating a menu based on a query and my users are complaining the application is too slow. I'd prefer not to input a static list into the dropdown. If it helps any, here is the code: <form class="formsearch"> <label>Top Products</label> <searchTemplate>index=myapp supportGroup=$supportGroup$ | top 10 productName </searchTemplate> <fieldset> <input type="dropdown" token="supportGroup" searchWhenChanged="true"> <label>Select Support Group</label> <populatingSearch fieldForValue="supportGroup" fieldForLabel="supportGroup"> <![CDATA[index=myapp supportGroup | top supportGroup]]></populatingSearch> <choice value="*">Any</choice> </input> <input type="time"> <default>Last 7 days</default> </input> </fieldset> <row> <chart> <title>Top Product Names</title> <option name="charting.chart">pie</option> <option name="drilldown">all</option> </chart> <chart> <title>Top Product Names</title> <option name="drilldown">all</option> </chart> </row> <row> <table> <title>Top Product Names</title> <option name="drilldown">all</option> </table> </row> </form> ... View more

Let's say I have the following query: index=myapp supportgroup=$supportgroup$ | top productName where some value will be substituted for $supportgroup$, for example helpdesk, or HR, etc... I need help populating the searchTemplate and populatingSearch tags for a dropdown I'm working on. I only need help with those two lines. The rest of the dropdown works fine. Here's what I have. <searchTemplate>index=myapp supportGroup=$supportGroup$ | top productName </searchTemplate> <populatingSearch fieldForValue="supportGroup" fieldForLabel="supportGroup"><![CDATA[index=myapp supportGroup | top productName ]]></populatingSearch> Those lines are not producing the desired output based on my search above. Please help. Thanks in advance. ... View more

I;ve setup a search head with a custom app I've created. The search head appears to work. That is, it answers the queries and produces the charts and graphs remotely. However I get the following error on every execution within the application. [splunk] The lookup table 'wksh_action_lookup' does not exist. It is referenced by configuration 'syslog'. What does that mean? How to fix it? Thanks. ... View more

I'm trying to setup a Splunk search head. Here is what I've done thus far. Installed splunk app. I've installed a copy of an application I've wrote under /opt/splunk/etc/apps on the search head. I've run the following command on the indexer: ./splunk enable dist-search -auth admin:changeme and restarted the app. I've run the following command on the search head splunk add search-server -host 10.10.10.123:8089 -auth admin:Mypassword -remoteUsername admin -remotePassword Mypassword The search head initiates and the GUI for the app I've written appears. However, when I run commands from the search head to indexer, I get "No results found". The same application works great on the indexer. What step(s) am I missing? Thanks in advance. ... View more

I want to populate a dropdown search with the following results: index=myapp | top tgtHostname | fields tgtHostname So the dropdown will only have the top 10 fields designatd as tgtHostname here is my code. <populatingSearch fieldForValue="tgtHostname" fieldForLabel="tgtHostname">| metadata type=tgtHostname index=myapp</populatingSearch> Why does that not work? The drop down is visually there but it does not contain the list generated by the query. Thanks. ... View more

I'm trying to create a dropdown based on the following query: index=MyApp tgtHostname=$tgtHostname$ The form is there and the default value of "any" seems to work. However the dropdown is not populated. Any idea why? Thanks. <form> <label>My form search</label> <searchTemplate>index=MyApp tgtHostname=$tgtHostname$</searchTemplate> <fieldset> <input type="dropdown" token="tgtHostname"> <label>Select the hostname</label> <populatingSearch fieldForValue="tgtHostname" fieldForLabel="tgtHostname"><![CDATA[index=MyApp tgtHostname=$tgtHostname$]]></populatingSearch> <default>somehost.somedomain.com</default> <choice value="*">Any</choice> </input> </fieldset> <row> <table> <title>Host Names</title> <option name="showPager">true</option> </table> </row> </form> ... View more