What version of Splunk you're on? In 6.2.4 this works like a charm. Using your example: "artist_name","track_name" Rihanna,"You Da One" Rihanna,"We Found Love" as music2.csv and a dashboard like this : <dashboard> <search id="baseSearch"> <query> | inputlookup music2.csv | search artist_name=* | table artist_name bc_uri track_name </query> </search> <row> <panel> <chart> <title>Chart 1 - Not Working</title> <search base="baseSearch"> <query> chart count over artist_name by track_name limit=100 </query> </search> <option name="charting.chart">column</option> <option name="charting.chart.stackMode">stacked</option> </chart> </panel> <panel> <chart> <title>Chart 2 - Working</title> <search> <query> | inputlookup music2.csv | search artist_name=* | table artist_name bc_uri track_name | chart count over artist_name by track_name limit=100 </query> </search> <option name="charting.chart">column</option> <option name="charting.chart.stackMode">stacked</option> </chart> </panel> <panel> <chart> <title>Chart 3 - Working</title> <search base="baseSearch"> <query> chart count(track_name) by artist_name </query> </search> <option name="charting.chart">pie</option> </chart> </panel> </row> </dashboard> If you still think it's a bug, feel free to open one at http://www.splunk.com/r/bugs ... View more

Okay, probably I wasn't too clear. The problem is most likely within your data. The provided sample works in a adapted search like this host="MusicData" artist_name=* | chart count over artist_name by track_name limit=100 but I assume the error or breaking event is somewhere else. If you're willing and if it's possible to provide a complete set of the _raw events, I will contact you and will have a closer look on this. ... View more

Hi ishangajera, This is no bug or no support case worthy problem. I used your provided examples and your dashboard and it works like a charm. It more looks like some strange line in the event data that breaks the regex . Instead of using the regex command to remove the unwanted line, simply use artist_name=* in your base search like this host="MusicData" artist_name=* and it will get you the same result. Give it a try and report back. cheers, MuS ... View more

the (? ) is for a named matching group and you can use the P with in or not, both will work. As well in regex101.com you will get the explanation of your regex on the top right side ... View more

it should be like this in Splunk: ... | rex "'(?P<field>\d+)\"" | stats count(field1) by field and to explain it; it will match a ' single quote and creates a matching group of all digits until the next " double quote. Where as your original regex was like: ^ assert position at start of the string [^'\n]* match a single character not present in the list below Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy] ' the literal character ' \n matches a line-feed (newline) character (ASCII 10) ' matches the character ' literally (?P<field1>\d+) Named capturing group field1 \d+ match a digit [0-9] Quantifier: + Between one and unlimited times, as many times as possible, giving back as needed [greedy] ... View more

Hi ualbanytech, you probably should have done so. Meanwhile we arrived at Splunk verison 6.2.4 and folderize works again. Running your last example | metadata type=sources | folderize maxfolders=20 attr=source sep="/"| sort totalCount d will give you this result: cheers, MuS ... View more

Okay another lesson learned; the [tcp://0.0.0.0:9999] will not work it has to be set to an IP and then it works. Using [tcp://192.168.56.101:9999] and telnet to 192.168.56.101 port 9999 sending a foo I can see the event in the main index. ... View more

and did you use the /g flag to match global in regex101 ... View more

can you provide the others as well? ... View more

Hi ishangajera, what does the job inspector for this search chart 1 report? Could you provide some sample events? ... View more

Hi sarnagar, Yes, but remember to modify the search to search for the lookup field called alert_status=enabled based on my example. You will name it what ever fits in your environment. It maybe some effort to modify all the alert searches once, but it is well worth it in the end. ... View more

Like @emiller42 said, if you hide or disable the search app you will end up having default UI components unavailable. One approach for you could be: clone the search app and modify it to your needs and then hide the default search app. ... View more

Got it now - I think 🙂 See my updated answer ... ... View more

Okay in this case you need to use the OR in the search instead of AND like this: index="prod" sourcetype="PRD:syslog" PROXYNAME="UAPI" URI="/vehicle/DeviceFullFillment" TransactionStatus=fail OR TransactionStatus=success | fields PolicyNumber by TransactionStatus ... View more

Does your events really contain both fields like TransactionStatus=fail and TransactionStatus=success in the same one single event? ... View more

just to add, this will also work: index="prod" AND sourcetype="PRD:syslog" AND PROXYNAME="UAPI" AND URI="/vehicle/DeviceFullFillment" AND TransactionStatus=fail AND TransactionStatus=success | fields PolicyNumber by TransactionStatus ... View more

Hi athorat, based on your comments I did update the answer, so try this: index="prod" sourcetype="PRD:syslog" PROXYNAME="UAPI" URI="/vehicle/DeviceFullFillment" TransactionStatus=fail OR TransactionStatus=success | stats count(TransactionStatus) AS myCount by PolicyNumber, TransactionStatus | where myCount>="2" | table PolicyNumber TransactionStatus This will search all PolicyNumber which have either TransactionStatus=fail or TransactionStatus=success and count them by PolicyNumber , the where claus will get back all PolicyNumber which have a count of more or equal of 2 and the shows the result as table . Hope this matches your requirements ... btw values are case in-sensitive that's why you can search for TransactionStatus=Fail or TransactionStatus=FAIL or TransactionStatus=fAil and all will return the same events. cheers, MuS ... View more

Hi the_wolverine, the default interval is 5 minutes, where Splunk runs a search to update existing data model summaries. It runs a maintenance process every 30 minutes to remove old, outdated summaries. See the docs http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Acceleratedatamodels#After_you_enable_acceleration_for_a_data_model Before decreasing the interval; I would check if the data model acceleration summary search runs without error and on time, see the docs on this http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Acceleratedatamodels#How_Splunk_Enterprise_builds_data_model_acceleration_summaries Hope this helps ... cheers, MuS ... View more

Hi sarnagar, at some of my costumers in use a lookup table which holds all host names and another field called alert_status which either shows enabled or disabled . Using this lookup table on host=* as automated lookup will provide for each host a field which shows the alert_status . The costumers can edit the lookup table either by using the lookup editor https://splunkbase.splunk.com/app/1724/ or by using the outputlookup command. Finally you have to use the field alert_status in your alert searches, so you only search on: this is your alert search alert_status=enabled | ... This will only search for hosts with alerts enabled in the lookup file. Hope this helps to get you started ... cheers, MuS ... View more

The only way to restrict the views listed is to use the match option like this: <view source="unclassified" match="dashboard"/> This will only show dashboards which contains the name dashboard but still shows them if they are shared globally in another app. ... View more