I am attempting to find out how long a RT search will go for before it simply stops. If I crank up my session time-out time to say 30 days, and I am to run an RT search all that time, would it be live or time out? ... View more

Does the hidden chart formatter module have the ability to use a fields' results as an axis name. Say if I wanted to use something like the value of the 'counter' field for the y axis title, can it do that? I tried 'charting.chart.yaxis.field.counter' as a parameter, but it didn't take. I'm assuming my syntax is wrong, and I couldn't find anything in the documentation on it, so I figured I would ask. Thank you! ... View more

I have a team of users who only need brief access to my splunk environment. Is there a way to take either a user or a role, and apply them, say for 30 day's, and then the accounts are disabled / deleted? ... View more

I know I've done this before, and I've completely forgotten, and I didn't see anything in the documentation on how to chart a value over time of a field. Im' having a complete brain fart. I am attempeint to chart the value of a field over time (in this case perfmon values) this is my search: sourcetype=Perfmon* object=Processor counter="% Processor Time" | timechart Value by host Can someone please refresh my memory on how to do this? ... View more

I am attempting to find the duration of each downtime instance that has occurred in the last 24 hours, and I am attempting to use the transaction command to do so. I am currently using WMI to query service state, and I'm looking to visualize when the 'State' field changes from "Running" to "Down" and then the duration between the first "Down" State message, and the next "Running" state message. I'm looking for the results to be in a table that looks kind of like this: DT1 (time of first down message),DT2 (time of next "Running" message), ,host Sourcetype=<mysourcetype> Name=<servicename> | transaction State maxpause=10 | timechart max(duration) by Name,host I don't know if this is the best way to go about this, because my query doesn't seem to be returning the data i'm looking for. Any help would be greatly appreciated! ... View more

I am using the sideview app, in order to see if I can make some blinky lights within splunk. Currently I have a search already that works, as well as a dashboard that changes color upon specific parameters. Now I am wondering if I can make the lights 'blink' or flash. I found this within CSS http://www.w3schools.com/css/tryit.asp?filename=trycss3_animation1 Which is exactly what i'm look for, and I think I can embed this within an HTML module. When I try this (copy and paste the code) it screws up the whole view, but changes the background color just like in the example, which while looking cool, doesn't help at all. 😃 I was just wondering if someone could help me make ONLY the row flash instead of the entire background? PS... this is my XML: <view isSticky="False" isVisible="true" onunloadCancelJobs="true" template="dashboard.html" stylesheet="application.css"> <label>Test View</label> <module name="AccountBar" layoutPanel="appHeader" /> <module name="AppBar" layoutPanel="appHeader" /> <module name="SideviewUtils" layoutPanel="appHeader"/> <module name="Message" layoutPanel="messaging"> <param name="filter">*</param> <param name="maxSize">2</param> <param name="clearOnJobDispatch">False</param> </module> <module name="HTML" layoutPanel="viewHeader"> <param name="html"><![CDATA[ <h1>Test Page</h1> ]]></param> <module name="Search" layoutPanel="panel_row1_col1" autoRun="true"> <param name="search">sourcetype=WMI:Service host=host_chi Name=service1 | sort - State | sort - host | dedup host | eval "field1"=case(State="Running","OK",State="Stopped","Down") | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(_time) AS "Updated" | table "Updated",host,"field1" </param> <param name="earliest">-15m</param> <module name="Table" layoutPanel="panel_row1_col1_grp1"> <param name="rowClass">$row.fields.field1$</param> <module name="HTML" layoutPanel="panel_row2_col1"> <param name="html"> <![CDATA[ <style type="text/css"> .Table tr.OK { background-color:#66FF66; } .Table tr.Down { background-color:#DB4D4D; } .Table tr.yellow { background-color:#fef200; } .Table tr.blue { background-color:#0090d6; } </style> ]]> </param> </module> <module name="Redirector"> <param name="arg.host">$row.fields.host$</param> <param name="popup">True</param> <param name="url">test_view2</param> </module> </module> </module> </module> </view> ... View more

I am attempting to incrase the number of RealTime searches a search head can spin up at one time. I am getting this message when I load a monitoring dashboard: The maximum number of real-time concurrent system-wide searches has been reached. current=41 maximum=38 Does anyone know where I can change this setting? I have been looking all over the box. Thank you! Travis ... View more

I am currently attempting to create a 'summary' type of view within a dashboard stating that this list of services (svc1,svc2,svc3,svc4) are all running on the machine, but is only displaying and either "OK" or "DOWN" Status. If ANY of these services are down, this query should show the "DOWN" status, as this is just a summary panel. The search I am working with currently is as follows: sourcetype=WMI:Service (Name= OR Name= OR Name= OR name= OR Name= ) | dedup host | eval State = if(State == Running, "OK", "Down") |table _time,host,Name,State| rename Name as "Service Name" That being said, it gives me the display i'm looking for (1 status of either OK or DOWN per machine) though if 1 of the 5 services are down, the summary 'State' field doesn't change to "DOWN". I suppose I'm attempting to summarize the running state of 5 services into one instance of either "OK" if all 5 services are running, but even if only 1 of them is not, then the summary field would switch to a "DOWN" state. Let me know if I don't make sense right now.. i've been looking at these things all day, so I apologize for any minced words. Any help is greatly appreciated! ... View more