Hi diavolo, my guess would be that in some events there is actually a field called instanceid . Try to use a completely new/different field name to test your field extraction, something like this should work for you: \[instance:\s+(?<ThisIsMyTestFieldName>[^\]]+) cheers, MuS ... View more

Here we go http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usedefaultfields ... View more

@jagadeeshm you can run a tstats search | tstats count where index=* by sourcetype, index, _time | timechart sum(count) AS count by index ... View more

Hi rajgowd1, while @hunters_splunk answer is totally valid, you can take a different approach with Splunk 😉 Use your profilers output as source for Splunk; index the output files in human readable format and use the indexed events in Splunk to create some heat maps (examples here http://blogs.splunk.com/2017/01/10/dashboard-digest-series-episode-5-maps/ ) or maybe even use the D3 flame extension (https://github.com/spiermar/d3-flame-graph) .... lots of possibilities Hope this helps ... cheers, MuS ... View more

maybe it's worth checking the setting for the servers in outputs.conf as well, because if they are wrong this can end in duplicated events as well. ... View more

Hi venkatesh296, since you are not mentioning any replication in your question, I would suggest to check indexes.conf on both servers if they are the same check the outputs.conf used by any sending forwarder if they are using both indexers or just one check out this answer about the so called server affinity https://answers.splunk.com/answers/168363/distributed-setup-question.html and maybe change the setting to forceTimebasedAutoLB = true in outputs.conf Hope this helps to get you started ... cheers, MuS ... View more

Hi coronetfoca, I hope I got your question right, but this should give you a point to start: | gentimes start=-1 | eval foo="\"id=\"39\" = 00\", \"id=\"39\" = 01\"", _time=now() | rex max_match=0 field=foo "\"id=\"39\"\s=\s(?<myFoo>[^\"]+)\"" | mvexpand myFoo | eval approved=if(myFoo="00",1,null()), not-approved=if(myFoo>"00",1,null()) | chart count(approved) AS approved count(not-approved) AS not-approved by _time This will give you an example and the important lines are the two last ones, lines 1-4 are only used to produce fake events. So what happens here: | gentimes start=-1 will create a dummy event | eval foo="\"id=\"39\" = 00\", \"id=\"39\" = 01\"", _time=now() evals foo and _time | rex max_match=0 field=foo "\"id=\"39\"\s=\s(?<myFoo>[^\"]+)\"" using regex we get the value you need into a field called myFoo | mvexpand myFoo expands the multivalue field into single value field | eval approved=if(myFoo="00",1,null()), not-approved=if(myFoo>"00",1,null()) checking if the value of myFoo matches an approved or a not-approved | chart count(approved) AS approved count(not-approved) AS not-approved by _time charting it by time Just adapt it to your needs with the historical counts. Hope this helps ... cheers, MuS ... View more

Once you have identified the report / saved search you can delete it using the UI http[s]://yourservernamehere:[yourporthere]/[yourlocale-here]/manager/search/saved/searches on the server where it is saved use the CLI REST call methods mentioned in this answer https://answers.splunk.com/answers/66880/deleting-several-saved-searches-in-one-call.html edit the savedsearches.conf file on the Splunk instance running the saved search. Hope this helps ... cheers, MuS ... View more

Always a pleasure to point people to this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html as well 🙂 cheers, MuS ... View more

Just found another nice option hideFilters="True" ... View more

update ping ... ... View more

Hi gokool2u, Just had to solve exactly this problem 😉 Using Splunk 6.5.1 I created a form with a dropdown and was able to hide it using like this: <input type="dropdown" token="dm" searchWhenChanged="true" depends="$foobarbaz$"> This way I was still able to use it as a drill down target and provide the $dm$ token. One thing, there is a link that says Show Filters and by clicking on this the dropdown will not appears again. Hope this helps ... cheers, MuS ... View more

@ahjmcaleer, down voting a over three years old post is pretty harsh .... but I'm also here to help, so find the most recent link here http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Eventstats I'm looking forward for your upvote 😉 ... View more

Thanks for the hint @dale.lakes8769 ! I had to add a line break after the link otherwise the second l is being cut off - very strange ?!? Anyway added the link as well. ... View more

Hi daniel333, have a look at the Splunk Monitoring Console and within there at the Index detail view which can be found at this uri /app/splunk_monitoring_console/index_detail_instance . This will give you plenty of details and some good searches to start with. Hope this helps ... cheers, MuS ... View more

Hi wkupersa, No, this is not possible. Talk to the guys that can configure the indexers and let them do the changes for you on the indexer. If this is not possible for what ever reason, create another scripted input that returns events in the format you need them and run this scripted input on the search head. Hope this helps ... cheers, MuS ... View more

Hi chrisw3, the easiest way to get what you want is to use the max() option with stats but since you did not provide enough information on your actual use case, I don't know if this will work for you or not. But you can try this run everywhere search to get an idea who it works: index=_internal sourcetype=splunkd OR sourcetype=splunkd_access OR sourcetype=splunk_ui_access | stats max(*) AS * This will list you all max values for all fields from all source types on one row. Maybe it's worth to check this answer as well https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html to get more ideas how to solve this problem. This answer is expandable to more sources / sourcetypes / indexes 😉 Hope this helps ... cheers, MuS ... View more

Hi @naqviah, if you want to monitor user logins by SSH you can for example use the Splunk Add-on for nix https://splunkbase.splunk.com/app/833/ Follow the docs to install it and configure it to monitor the logs that will show you the SSH login of a user. cheers, MuS ... View more

Hi tweaktubbie, the latest version of Splunk support HTML or plain text by default http://docs.splunk.com/Documentation/Splunk/6.5.1/Alert/Emailnotification But if you still need to change the python script sendemail.py manually make sure the python intention do match (Python is picky on spaces or tabs usage) also check the python.log in Splunk for any errors. You can also run the script like this to see what is going on: $SPLUNK_HOME/bin splunk cmd python $SPLUNK_HOME/etc/apps/search/bin/sendemail.py add here any option you need cheers, MuS ... View more

Sorry for the late answer, but the best place to check this would be the docs http://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwithSSL?r=searchtip#Getting_your_certificates cheers, MuS ... View more

Hi criferr, Maybe not the best answer, but check the Inspect feature of your browsers on the page to see if you get anything at all or not. I can re-call that there once was trouble related ad-blockers blocking the latest versions of some Splunk js leading to a blank or grey screen. Also, check the Splunk Web logs if you see any errors related to your access troubles. Hope this helps ... cheers, MuS ... View more

This was just something I observed - it could have been a reason why things go weird. Check the _internal as long as you have it for the top sending sourcetype or host and try to figure out where the data originates and what path it takes into the indexers. Verify all involved conf files using the btool command http://docs.splunk.com/Documentation/Splunk/6.5.1/Troubleshooting/Usebtooltotroubleshootconfigurations check _internal for any information related to bucket replication. This is not everything, but gives you a starting point... ... View more