Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About niketn
niketn
Legend
Member since:
03-09-2015
Community Statistics
| Posts | 6912 |
| Solutions | 1166 |
| Karma Given | 832 |
| Karma Received | 2452 |
| Member Since | 03-09-2015 |
Activity Feed
- Got Karma for Re: Column width. 02-13-2026 10:41 AM
- Got Karma for Re: Use Token in Dashboard Title. 02-10-2026 01:29 AM
- Got Karma for Re: How can I embed a Splunk dashboard on an external website?. 01-26-2026 06:36 PM
- Got Karma for Re: Dashboard to display varied graph types on a single timeline with tool tip pointer. 12-18-2025 11:27 AM
- Got Karma for Re: Stop Processing Long Query When No Results Found. 12-17-2025 05:23 AM
- Got Karma for Re: How to archive specific Splunk data?. 10-14-2025 07:47 AM
- Got Karma for Re: Timeline - Custom Visualization: How to hide the legend?. 07-25-2025 03:19 AM
- Got Karma for Re: How can I create a visual progress bar/ tracker in Splunk? Use case: to show various phases of onboarding process.. 05-09-2025 07:43 AM
- Got Karma for Re: How to find the missing number sequence from a table?. 04-23-2025 01:54 PM
- Got Karma for Re: Resetting Dashboard Tokens using XML. 03-26-2025 08:06 AM
- Got Karma for Re: How to enlarge the size of a caption underneath a singe-value visualization. 03-06-2025 03:43 AM
- Got Karma for Re: is there a cleaner way to zeropad numeric values, ie add leading zeros?. 02-24-2025 10:24 AM
- Got Karma for Re: Using all values from a drop down list in a search query when the field is filtered based on another field. 02-05-2025 07:47 AM
- Got Karma for Re: How to add feature expand or collapse panel in dashboard using css in simple xml?. 02-04-2025 12:14 PM
- Got Karma for Re: How can we create Tabs using Link List in Splunk with only CSS Override NO SplunkXML JS Extension?. 01-30-2025 08:17 AM
- Got Karma for Re: Change Refresh Progress bar to spinning wheel in Splunk dashboard. 01-22-2025 12:40 PM
- Got Karma for Re: Using fillnull for multiple fields?. 12-30-2024 12:23 PM
- Got Karma for Re: How do you parse two time formats in Splunk?. 12-16-2024 06:56 AM
- Got Karma for Re: How to assign colors to values in a chart?. 11-10-2024 07:18 PM
- Got Karma for Re: show/where the result from count when result is odd or even number. 11-07-2024 06:20 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 6 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 3 | |||
| 3 | |||
| 1 | |||
| 1 |
09-06-2020
12:51 AM
@knanaiah001 this should be available out of the box Documented feature of Simple XML dashboard. Remove submit button by submitButton="false" And for the text box add searchWhenChanged="true" Following is the required change in the previous code. <fieldset submitButton="false" autoRun="false">
<input type="text" token="logLevel" searchWhenChanged="true">
<label>Log Level</label>
<change>
<condition value="">
<unset token="form.logLevel"></unset>
</condition>
</change>
</input>
</fieldset>
... View more
09-06-2020
12:46 AM
1 Karma
@D2SI Try the following approach which will work for Table without Pagination. If you have multiple page table 1) You can either introduce infinite scroll without pagination or 2) Change the same idea and extend through table custom cell render instead of Table Row id of DOM element. <form script="table_highlight_row_on_cell_click.js">
<label>Table Clicked Row Highlight</label>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<input id="input_reload" type="link" token="reload" searchWhenChanged="true">
<label></label>
<choice value="reload">Reload</choice>
<change>
<!-- Once clicked. Make link clickable again by resetting form token for the same. -->
<condition value="reload">
<set token="tableRefresh">true</set>
<unset token="form.reload"></unset>
</condition>
<condition>
<unset token="tableRefresh"></unset>
</condition>
</change>
</input>
<html>
<style>
<!-- CSS For Table Highlight -->
#highlight table tr[data-row-index="$highlighted_row_id$"].highlighted{
border-style: solid !important;
border-color: skyblue !important;
background: orange !important;
}
#highlight table tr[data-row-index="$highlighted_row_id$"].highlighted td{
background: orange !important;
border: none !important;
-webkit-box-shadow: none !important;
box-shadow: none !important;
}
<!-- CSS For Link Input as Reload Button -->
#input_reload[data-view="views/dashboard/form/Input"]{
width: 100px !important;
}
#input_reload[data-view="views/dashboard/form/Input"] button{
background: #5CC05C !important;
color: white !important;
}
</style>
</html>
<table id="highlight">
<!-- Added token $tableRefresh$ for dummy dependency -->
<search id="tableSearch">
<query>index=_internal sourcetype=splunkd
| top 3 log_level
| fields - $tableRefresh$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<done>
<set token="searchCompleted">true</set>
</done>
<progress>
<unset token="searchComepleted"></unset>
</progress>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form> Following is the required JS require([
'underscore',
'jquery',
'splunkjs/mvc',
'splunkjs/mvc/simplexml/ready!'
], function (_, $, mvc) {
// Access tokens via Default Token Model
var defaultTokenModel = mvc.Components.get("default");
// Search id in Simple XML is tableSearch. Get SearchManager object using the same
var tableSearch = mvc.Components.get("tableSearch");
// On click of Table cell with id=highlight, set the highlighted class for CSS Override
// Fetch the highlighted row id from DOM.
// For pagination will require:
// (i) Either Row ID as a table column to be fetched OR
// (ii) Use TableView to handle Custom Cell Renderer
$(document).on("click", "#highlight table td", function () {
// Apply class of the cells to the parent row in order to color the whole row
$("#highlight table").find("td.highlighted").each(function () {
$("#highlight table tr").removeClass("highlighted");
$(this).parents("tr").addClass(this.className);
// Set Table Row id to highlighted_row_id (This approach would need change for pagination)
defaultTokenModel.set("highlighted_row_id", $(this).parents("tr").attr("data-row-index"));
});
});
// When the Table Cell Completes, highlight previously selected Table Row.
tableSearch.on("search:done", function (properties) {
var highlighted_row_id = defaultTokenModel.get("highlighted_row_id");
// setTimeout May not be required with Custom Cell Render.
// But for Table Row Highlighting post 6.6 even with Custom Table Cell Renderer this is required.
setTimeout(function () {
$("#highlight table tr[data-row-index='" + highlighted_row_id + "']").addClass("highlighted");
}, 100);
});
});
... View more
09-05-2020
08:35 PM
@matimat Try the updated answer without Sort if it fits your needs! 🙂
... View more
09-05-2020
12:09 PM
@sbollam please try the following run anywhere example. See if it fits your needs <form>
<label>Dynamically Send the Token</label>
<init>
<unset token="runSearch"></unset>
<unset token="showInput2"></unset>
<unset token="showInput3"></unset>
</init>
<fieldset submitButton="false">
<input type="dropdown" token="input1" searchWhenChanged="true">
<label>input1</label>
<choice value="1">1</choice>
<choice value="2">2</choice>
<change>
<condition value="1">
<set token="showInput2">true</set>
<unset token="showInput3"></unset>
<unset token="runSearch"></unset>
<unset token="form.input3"></unset>
</condition>
<condition value="2">
<set token="showInput3">true</set>
<unset token="showInput2"></unset>
<unset token="runSearch"></unset>
<unset token="form.input2"></unset>
</condition>
</change>
</input>
<input depends="$showInput2$" type="dropdown" token="input2" searchWhenChanged="true">
<label>input2</label>
<fieldForLabel>label</fieldForLabel>
<fieldForValue>value</fieldForValue>
<search depends="$showInput2$">
<query>| makeresults count=12
| fields - _time
| streamstats count as sno
| eval prev=sno-1
| eval label=strftime(relative_time(now(),"@y+".prev."mon"),"%b")
| eval value="earliest=\"@y+".prev."mon\" latest=\"@y+".prev."mon+1d-1s\""</query>
<earliest>-1s</earliest>
<latest>now</latest>
</search>
<change>
<condition match="isnotnull($value$)">
<set token="runSearch">$value$</set>
</condition>
<condition>
<unset token="runSearch"></unset>
</condition>
</change>
</input>
<input depends="$showInput3$" type="dropdown" token="input3">
<label>input3</label>
<fieldForLabel>label</fieldForLabel>
<fieldForValue>value</fieldForValue>
<search depends="$showInput3$">
<query>| makeresults
| fields - _time
| eval label="yesterday",value="earliest=-1d@d latest=-0d@d-1s"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<change>
<condition match="isnotnull($value$)">
<set token="runSearch">$value$</set>
</condition>
<condition>
<unset token="runSearch"></unset>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<search depends="$runSearch$">
<query>| makeresults
| eval inputValue=$runSearch|s$</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
... View more
09-05-2020
11:15 AM
@thambisetty this will end up padding all rows endlessly. If you have 100 rows... 100th row will have 100 spaces padded. My Solution pads space only if there is a duplicate. If the same title repeats 3 times it pads three spaces. But if there are 100 rows with 99 rows and 1 duplicate your solution will pad each column with an incremental space. I replaced space " " with hyphen "-", and you can see for yourself what your query is doing vs. mine 😉 | makeresults count=100
| eval Title="T"
| streamstats count as sno
| eval Title=Title.sno
| eval Duration=substr(tostring(random()),1,2)
| table Title,Duration
| streamstats count as padSpace
| eval Title=replace(mvjoin(mvrange(1,padSpace+1,1),"-"),"\d","")."".Title
| fields - padSpace
| transpose 0 header_field=Title column_name=Title
... View more
09-05-2020
11:14 AM
1 Karma
@thambisetty this will end up padding all rows endlessly. If you have 100 rows... 100th row will have 100 spaces padded. My Solution pads space only if there is a duplicate. If the same title repeats 3 times it pads three spaces. But if there are 100 rows with 99 rows and 1 duplicate your solution will pad each column with an incremental space. I replaced space " " with hyphen "-", and you can see for yourself what your query is doing vs. mine 😉 | makeresults count=100
| eval Title="T"
| streamstats count as sno
| eval Title=Title.sno
| eval Duration=substr(tostring(random()),1,2)
| table Title,Duration
| streamstats count as padSpace
| eval Title=replace(mvjoin(mvrange(1,padSpace+1,1),"-"),"\d","")."".Title
| fields - padSpace
| transpose 0 header_field=Title column_name=Title Here is what my query will do for same scenario: | makeresults count=100
| eval Title="T"
| streamstats count as sno
| eval Title=Title.sno
| eval Duration=substr(tostring(random()),1,2)
| table Title Duration
| sort Title
| streamstats count as padSpace by Title reset_on_change=true
| eval Title=replace(mvjoin(mvrange(1,padSpace+1,1),"-"),"\d","")."".Title
| fields - padSpace
| transpose 0 header_field=Title column_name=Title
... View more
09-05-2020
11:06 AM
@thambisetty streamstats works in streaming manner, it requires sorting to be in place for reset_on_change to work.
... View more
09-05-2020
11:00 AM
@armanih Community can assist you better only if you provide more details on what you have tried and what you think is not working as expected. Based on the details, seems like if you have table with three results and columnA is you want particular dashboard to be opened. If columnB is clicked if you want a search to open. If columnC is clicked you do not want to perform any drilldown. You can try something like the following. <drilldown>
<condition field="fieldA">
<link target="_blank">/app/yourAppName/yourChartName</link>
</condition>
<condition field="fieldB">
<link target="_blank">search?q=yourSearchQueryURLEscaped</link>
</condition>
<condition>
<!-- DO NOTHING IF COLUMN OTHER THAN component OR count is clicked
i.e. fieldC-->
</condition>
</drilldown> Please try out and confirm!
... View more
09-05-2020
10:47 AM
@aditsss please try one of my older answers which uses check boxes to show hide Check Boxes using independent search which processes the selection from check box input and sets/unsets required tokens accordingly. You can extend the same to convert to Multi-Select and Panels instead of Check Boxes and Inputs. The same concept should work for both. You should also be able to handle all scenario using SPL. https://community.splunk.com/t5/Dashboards-Visualizations/Can-I-hide-unhide-specific-text-boxes-using-a-single-checkbox/td-p/413895?childToView=682360#answer-682360
... View more
09-05-2020
10:32 AM
1 Karma
@D2SI Following requirement is confusing... "But instead of highlighting a row based on a value, I would like to highlight the clicked row" If you want clicked Row to be highlighted try the following Run anywhere example on similar lines as yours. Following is the Simple XML Dashboard: <dashboard script="table_highlight_row_on_cell_click.js">
<label>Table Clicked Row Highlight</label>
<row>
<panel>
<html>
<style>
#highlight table tr.highlighted{
border-style: solid !important;
border-color: skyblue !important;
background: orange !important;
}
#highlight table tr.highlighted td{
background: orange !important;
border: none !important;
-webkit-box-shadow: none !important;
box-shadow: none !important;
}
</style>
</html>
<table id="highlight">
<search>
<query>index=_internal sourcetype=splunkd
| stats count by log_level</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="tokValue2">$click.value2$</set>
</drilldown>
</table>
</panel>
</row>
</dashboard> Following is the required JavaScript table_highlight_row_on_cell_click.js require([
'underscore',
'jquery',
'splunkjs/mvc',
'splunkjs/mvc/tableview',
'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc, TableView) {
// Color Clicked Row of table with id #highlight
$(document).on("click","#highlight",function(){
// Apply class of the cells to the parent row in order to color the whole row
$("#highlight table").find('td.highlighted').each(function() {
$("#highlight table tr").removeClass("highlighted");
$(this).parents('tr').addClass(this.className);
});
});
});
... View more
09-05-2020
09:32 AM
1 Karma
[UPDATED ANSWER] @matimat Since you do not need to change the order of sorting of results. You may have use different streamstats. Try the following which will not require sorting (I have included by clause in streamstats to detect a change in Title): index=blabla
| tableTitle,Duration
| streamstats count as padSpace by Title
| eval Title=replace(mvjoin(mvrange(1,padSpace+1,1)," "),"\d","")."".Title
| fields Title Duration
| transpose 0 header_field=title include_empty=true Without Sorting | makeresults
| fields - _time
| eval data="T1,2;T2,5;T3,1;T2,6;T4,12"
| makemv data delim=";"
| mvexpand data
| makemv data delim=","
| eval Title=mvindex(data,0),Duration=mvindex(data,1)
| fields - _data
| table Title Duration
| streamstats count as padSpace by Title
| eval Title=replace(mvjoin(mvrange(1,padSpace+1,1)," "),"\d","")."".Title
| fields Title Duration
| transpose 0 header_field=Title column_name=Title ____________________________________________________________ With Sorting The above search sorts title and count of repetition of the same title using streamstats. The eval prefixes space character for each repetition of Title so that although Table Title look the same they are actually prefixed with one of more spaces depending on repetition. Please try out and confirm. Following is a run anywhere example as per the data/field in your question: | makeresults
| fields - _time
| eval data="T1,2;T2,5;T3,1;T2,6;T4,12"
| makemv data delim=";"
| mvexpand data
| makemv data delim=","
| eval Title=mvindex(data,0),Duration=mvindex(data,1)
| fields - _data
| table Title Duration
| sort Title
| streamstats count as padSpace by Title reset_on_change=true
| eval Title=replace(mvjoin(mvrange(1,padSpace+1,1)," "),"\d","")."".Title
| fields - padSpace
| transpose 0 header_field=Title column_name=Title
... View more
09-04-2020
10:38 AM
1 Karma
@VatsalJagani how about the following | inputlookup test.csv where a="$tkn_A$" OR b="*"
| fields a b c
... View more
09-03-2020
12:45 AM
1 Karma
@sangs8788 your ask seems very similar to one of my previous answers, however, you need to derive your dashboard tokens based on week of the year. https://community.splunk.com/t5/Getting-Data-In/time-range-to-display-count-of-weekly/td-p/312588 If you add the following independent search to your dashboard, assuming the token for Week of the Year is called $tokWeek$, it will set $EarliestTime$ and $LatestTime$ as two tokens. You may not need fieldformat as that is for run anywhere example for illustration later. <search>
<query>| makeresults
| fields - _time
| eval WeekOfTheYear=$tokWeek$-1,EarliestTimeModifier="+".WeekOfTheYear."w@w0",LatestTimeModifier="+$tokWeek$w@w6",FirstDayOfYear=replace(relative_time(now(),"@y"),"\.\d+","")
| eval EarliestTime=relative_time(FirstDayOfYear,EarliestTimeModifier),
LatestTime=relative_time(FirstDayOfYear,LatestTimeModifier)
| fields WeekOfTheYear FirstDayOfYear EarliestTimeModifier LatestTimeModifier EarliestTime LatestTime
| fieldformat FirstDayOfYear=strftime(FirstDayOfYear,"%Y/%m/%d")
| fieldformat EarliestTime=strftime(EarliestTime,"%Y/%m/%d")
| fieldformat LatestTime=strftime(LatestTime,"%Y/%m/%d")</query>
<earliest>-1s</earliest>
<latest>0</latest>
<done>
<set token="EarliestTime">$result.EarliestTime$</set>
<set token="LatestTime">$result.LatestTime$</set>
</done>
</search> Following is the Simple XML code for sample example dashboard above to test: <form>
<label>Week of The Year to time tokens</label>
<!-- Independent Search to Set Current Week in Text Box -->
<search>
<done>
<set token="CurrentWeekOfTheYear">$result.CurrentWeekOfTheYear$</set>
</done>
<query>| makeresults
| fields - _time
| eval CurrentWeekOfTheYear=strftime(now(),"%V")</query>
<earliest>-1s</earliest>
<latest>now</latest>
</search>
<fieldset submitButton="false">
<input type="text" token="tokWeek" searchWhenChanged="true">
<label>Enter Week Number (Current Week # by default)</label>
<default>$CurrentWeekOfTheYear$</default>
</input>
</fieldset>
<row>
<panel>
<title>Reference: https://www.tutorialspoint.com/python/time_strptime.htm</title>
<html>
<div>
<pre>
%V - The ISO 8601 week number of the current year (01 to 53), where week 1 is the first week that has at least 4 days in the current year, and with Monday as the first day of the week
</pre>
<div>CurrentWeekOfTheYear: <b>$CurrentWeekOfTheYear$</b> | EarliestTime: <b>$EarliestTime$</b> | LatestTime: <b>$LatestTime$</b> |</div>
</div>
</html>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>| makeresults
| fields - _time
| eval WeekOfTheYear=$tokWeek$-1,EarliestTimeModifier="+".WeekOfTheYear."w@w0",LatestTimeModifier="+$tokWeek$w@w6",FirstDayOfYear=replace(relative_time(now(),"@y"),"\.\d+","")
| eval EarliestTime=relative_time(FirstDayOfYear,EarliestTimeModifier),
LatestTime=relative_time(FirstDayOfYear,LatestTimeModifier)
| fields WeekOfTheYear FirstDayOfYear EarliestTimeModifier LatestTimeModifier EarliestTime LatestTime
| fieldformat FirstDayOfYear=strftime(FirstDayOfYear,"%Y/%m/%d")
| fieldformat EarliestTime=strftime(EarliestTime,"%Y/%m/%d")
| fieldformat LatestTime=strftime(LatestTime,"%Y/%m/%d")</query>
<earliest>-1s</earliest>
<latest>0</latest>
<done>
<set token="EarliestTime">$result.EarliestTime$</set>
<set token="LatestTime">$result.LatestTime$</set>
</done>
</search>
<!-- Run Anywhere Search, to set earliest and latest epoch time tokens for a week depending of selected week of the year. For Demo Placed Under a table.-->
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
... View more
09-02-2020
07:10 PM
@CarbonCriterium yes if you follow naming convention you can definitely code single event. You will have to create similar type of panel id and tokens to show hide. For example if you have created panel id tooltip_panel1 the corresponding token to show hide tooltip will be $tooltip_panel1_show$ and for $tooltip_panel2$ it will be $tooltip_panel2_show$ and so on... $('div[id^="tooltip_panel"').on("mouseover",function(){
var tokens = mvc.Components.get("submitted");
// For tooltip_panel1 set token tooltip_panel1_show
// For tooltip_panel2 set token tooltip_panel2_show
tokTooltipShow=$(this).attr("id")+"_show";
tokens.set(tokTooltipShow, "true");
}); PS: I have not tested above, but it should work on this idea. So do let me know if it does not work.
... View more
09-01-2020
12:20 AM
Thanks for correction, I had duplicate cluster command due to copy/paste. I have corrected the same. For the couple of examples you had shared 0.6 worked but that is sensitivity based on the data of your use case. I feel first name and last name, it would be better to keep same length and padded spaces for better results. But if you got it working that's a great news.
... View more
08-31-2020
11:17 PM
@ShagVT Please finish this ask to first to confirm....when the counts are not matching check job inspector whether you have any error/warning message or not. Based on description 1 day works, 1 week does not, 1 month does not. It implies it has to do with events dropping. You think it is not subsearch limit so what limit have you configured? And event details for when it works vs when it does not.
... View more
08-31-2020
01:09 PM
Did you find the root problem yet? Did you get the subsearch limit error in the job inspector when you see different results. If you have subsearch limit impacting your result and you can write purely streaming search for two searches of a multisearch it will not be impacted by subsearch limitation for which you can read the documentation. However like said before, maybe stats is your better option. Please let us know your SPL and some mock data would be useful as well. Kindly anonymize any sesitive info before posting.
... View more
08-31-2020
01:04 PM
@OlaideO Using the terminal window navigate to the folder where you have installed Splunk. By default /Applications/Splunk Then open bin folder and try to start Splunk with sudo. sudo ./splunk/start [Will ask you system login PWD] If your Splunk instance comes up fine you should get localhost:8000 as the url to access Splunk from front-end. If not you will have to let us know what error you see. Also if splunkd log has any error logged.
... View more
08-31-2020
12:39 PM
1 Karma
@UnivLyon2 if you want to handle typos and find out similar names you may have to try some clustering algorithm. You can definitely try the built in cluster command. Following is one run anywhere example SPL based on the sample data and use case provided. However, this may take care of only miss spelled names. For complex scenarios like name with missing letters, special characters, spaces etc you may have to further change the logic of pre-processing the data before feeding to cluster command. | makeresults
| fields - _time
| eval client_ip="10.10.10.10", number="3", login_list="Myself,Yourself,Myselv", continent="Somewhere", country="Here"
| eval login_list=split(login_list,",")
| fields - data
| mvexpand login_list
| eval splitLetters=mvjoin(split(login_list,"")," ")
| eval key=client_ip."-".continent."-".country."-".login_list."-".number."- ".splitLetters
| fields key
| cluster field=key t=0.6 showcount=true
| rex field=key "(?<client_ip>[^\-]+)\-(?<continent>[^\-]+)\-(?<country>[^\-]+)\-(?<login_list>[^\-]+)"
| stats list(login_list) as login_list count as number by client_ip continent country Following is a run anywhere dashboard which explains every step of above search as to how it arrives from Myself, Yourself, Myselv as 3 login list to only 2 i.e. Myself and Yourself. You can play around with cluster command sensitivity threshold and other names in the text box as comma separated list to see what level actually fits the need. PS: Since this is clustering algorithm based correlation, there may be situations where actually two or more different valid names which are similar as per configured threshold, may get clustered as 1. Following is the Simple XML dashboard run anywhere example from the screenshot above. <form theme="dark">
<label>Cluster to find similar names</label>
<!-- Independent search to dynamically set count of names in the login_list -->
<search>
<query>| makeresults
| eval number=mvcount(split("$login_list$",","))
</query>
<earliest>-1s</earliest>
<latest>now</latest>
<done>
<condition match="$job.resultCount$==0">
<set token="number">0</set>
</condition>
<condition>
<set token="number">$result.number$</set>
</condition>
</done>
</search>
<fieldset submitButton="false"></fieldset>
<row>
<panel id="panel_title">
<title>Find Similar Names for Grouping using Cluster Command</title>
<html>
<style depends="$alwaysHideCSSPanel$">
div#panel_title h2.panel-title{
text-align:center;color:#7ED2FF;font-weight:bold;
}
div.html-container{
display:flex;
}
div.html-container .html-header h3{
text-align:center;color:#7ED2FF;padding-right:10px;
}
div.html-container div.html-description{
padding-top: 10px;
}
div#panel_step2_input div.dashboard-panel,
div#panel_step5_output div.dashboard-panel{
border-style: solid;
border-color: green;
}
</style>
</html>
</panel>
</row>
<row>
<panel>
<html>
<div class="html-container">
<div class="html-header">
<h3>Step 1 - Add data:</h3>
</div>
<div class="html-description">
<code>
*login_list has comma separated names. **Threshold value is for Cluster command where 0.1 is highest sensitivity and 0.9 is lowest.
</code>
</div>
</div>
</html>
</panel>
</row>
<row>
<panel>
<input type="text" token="client_ip" searchWhenChanged="true">
<label>Client IP</label>
<default>10.10.10.10</default>
</input>
<input type="text" token="continent" searchWhenChanged="true">
<label>Continent</label>
<default>Somewhere</default>
</input>
<input type="text" token="country" searchWhenChanged="true">
<label>country</label>
<default>Here</default>
</input>
<input type="text" token="login_list" searchWhenChanged="true">
<label>login_list</label>
<default>foo,bar,baz</default>
</input>
<input type="dropdown" token="threshold" searchWhenChanged="true">
<label>Cluster sensitivity (0.1 - 0.9)</label>
<choice value="0.1">0.1</choice>
<choice value="0.2">0.2</choice>
<choice value="0.3">0.3</choice>
<choice value="0.4">0.4</choice>
<choice value="0.5">0.5</choice>
<choice value="0.6">0.6</choice>
<choice value="0.7">0.7</choice>
<choice value="0.8">0.8</choice>
<choice value="0.9">0.9</choice>
<default>0.6</default>
</input>
</panel>
</row>
<row>
<panel id="panel_step2_input">
<html>
<div class="html-container">
<div class="html-header">
<h3>Step 2 - Genrate data set:</h3>
</div>
<div class="html-description">
<code>
Generate data with login_list having comma separated names.
</code>
</div>
</div>
</html>
<table>
<search id="sSampleData">
<query>| makeresults
| fields - _time
| eval client_ip="$client_ip$", number="$number$", login_list="$login_list$", continent="$continent$", country="$country$"
| eval login_list=split(login_list,",")
| fields - data</query>
<earliest>-1s</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<html>
<div class="html-container">
<div class="html-header">
<h3>Step 3 - Prepare Data:</h3>
</div>
<div class="html-description">
<code>
Split names in login_list as letters. Full names with spaces, special characters, too many mistakes etc. may need extra logic.
</code>
</div>
</div>
</html>
<table>
<search id="sGenKey" base="sSampleData">
<query>| mvexpand login_list
| eval splitLetters=mvjoin(split(login_list,"")," ")
| eval key=client_ip."-".continent."-".country."-".login_list."-".number."- ".splitLetters
| fields key</query>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<html>
<div class="html-container">
<div class="html-header">
<h3>Step 4 - Clustered Events based on similarity of login_list names:</h3>
</div>
<div class="html-description">
<code>
Threshold and login_list name play role here.
</code>
</div>
</div>
</html>
<table>
<search id="sCluster" base="sGenKey">
<query>| cluster field=key t=$threshold$ showcount=true</query>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel id="panel_step5_output">
<html>
<div class="html-container">
<div class="html-header">
<h3>Step 5 - Final Result:</h3>
</div>
<div class="html-description">
<code>
Extract required fields client_ip, continent, country and show final count login_list
</code>
</div>
</div>
</html>
<table>
<search base="sCluster">
<query>| cluster field=key t=0.6 showcount=true
| rex field=key "(?<client_ip>[^\-]+)\-(?<continent>[^\-]+)\-(?<country>[^\-]+)\-(?<login_list>[^\-]+)"
| stats list(login_list) as login_list count as number by client_ip continent country</query>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
... View more
08-31-2020
12:28 PM
@OlaideO what kind of instance is this, personal use, dev, prod? Which OS is Splunk installed on? If you try to start splunk service yourself what kind of errors you see. Have you tried with sudo if this is *nix OS?
... View more
08-31-2020
12:22 PM
@ShagVT Seems with the append command like you are hitting the Subsearch limit configured in your instance . Because of which your inner search are dropping events. If you run the same searches (outer and inner) for -1d@d to @d, I would hope that it will work as there would be events less than configured maxout. You can definitely open Job Inspector to check and confirm this. For example: info : [subsearch]: Subsearch produced ###### results, truncating to maxout 50000. PS: I have picked 50k as maxout because that is the default limit. You can have something else. You can configure maxout in the limits.conf. Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches#Subsearch_performance_considerations However, you should rethink whether you really need to use a subsearch. If you are querying same data twice, for the same timeframe, you are possibly doing something wrong. Can you perform a stats or a multisearch in worst case? If you need further assistance you may have to provide us with further details about your SPL and use case so that community can assist you better.
... View more
08-31-2020
09:22 AM
@danielbb If it was for specific apps within each environment (assuming users should have access to their specific app), you could have used navigation xml file. However, seems like you need the following app for Browser Icon Changer by Chris Younger.
... View more
08-30-2020
11:51 PM
@welderbuilder I think you figured this out already. I do have two documented ways of doing this in your other thread, So either accept to mark this answer as closed or close it as duplicate. https://community.splunk.com/t5/Dashboards-Visualizations/How-to-arrange-fieldset-and-viz-side-by-side-inside-one-panel/m-p/516730#M34587
... View more
08-30-2020
02:30 PM
1 Karma
@varad_joshi you can refer to one of my older answers to use logged in user role in Splunk Dashboard and enable/disable required inputs for non-admins:https://community.splunk.com/t5/Security/Can-i-restrict-permissions-for-the-text-box-drilldown-inputs/td-p/338529. In your case you would need to hide the Open in Search link. <init>
<set token="searchShowHideCSS">visibility: hidden !important;</set>
</init>
<search>
<progress>
<!-- No Results Found - Hence admin role is attached with logged in user enable Open in Search Link-->
<condition match="$job.resultCount$==0">
<set token="searchShowHideCSS"></set>
</condition>
<!-- Hence admin role is not attached with logged in user -->
<condition>
<set token="searchShowHideCSS">visibility: hidden !important;</set>
</condition>
</progress>
<query>| rest splunk_server=local /services/authentication/current-context
| fields username roles
| eval roles=mvjoin(roles,",")
| search roles!="admin"</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<row depends="$alwaysHideCSSPanel$">
<panel>
<html>
<style>
a[data-original-title="Open in Search"]{
$searchShowHideCSS$
}
</style>
</html>
</panel>
</row> For the second question you may have to provide more details. If you can provide users with results from a predefined Report or Scheduled search you can use the loadjob command, hence abstracting the underlying search. Users can have access to the report but not to search.
... View more
08-30-2020
01:50 PM
@NeTLeaDeR For the community to assist you better, please elaborate what you are trying to do and what is not working for you as expected. Is union being used because you are pulling data through two different lookups? Which custom visualization is this, which JS charting library are you using? Have you created custom visualization using Splunk's Custom Visualization API? Is your visualization working when you use only source="test1.csv"? Can you add the SPL you are trying to use?
... View more
