A small tip: | makeresults | eval "Severity Level"=split("1,2,3,4", ",") | mvexpand "Severity Level" Can also be created like this: | makeresults count=4 | streamstats count as "Severity Level" ... View more

to know the sourcetype with the field in the lists, I haven't found a scalable method to do this.  But if combinations of sourcetypes and fields of interest are few and known, and there is no identical field name in different sourcetypes, you can rename each field to contain info about its sourcetype. ... View more

I see what you are saying, on my test instance with 8.2.5 the splunk_essentials app is there and uses approx 4mb.  The good news is that when Ive come to upgrade it to 9.1.x I can see that the splunk_essentials app is not there, so I wonder if this is now going to be excluded moving forwards. Hopefully for future versions you will not need to worry about this. ... View more

Based on the tagging of SYSLOG based on the front tag, I would assume that this is being ingested into a syslog server and then sent to an Indexer or Heavy Forwarder. If this is the case, the Splunk Add-on is not going to help you in this situation if this is the case. I usually ingest the data from SYSLOG and then use regex to extract the field names when I am conducting searches. If this is being monitored on the server that is using a Universal Forwarder, then ensure that you are monitoring the /var/log locations with the splunkbase app on the forwarder and on the indexer. ... View more

UPTIME,server,server,Linux,4,4,2023-08-02 16:17:28,300,1440,"16:17:28 up 90 days; 11:34; 0 users; load average: 0.04; 0.18; 0.17" --- the raw data The alert used:  index=nmon host=* eventtype=uptime source=perfdata uptime=* | fields _time host uptime | eval host=upper(host) | where uptime <= 600 | sort uptime | dedup host | lookup hostscope.csv host OUTPUTNEW Application as application PLATFORM as platform Environment | search platform!=ONPREM | eval urgency=case(Environment="PROD" OR Environment="PREP", "high", isnotnull(Environment), "medium") | table host uptime application platform Environment urgency ... View more

You are 100% sure your HF are listening on port 8089. ss -pultan | grep LISTEN should result in some like this: tcp LISTEN 0 128 0.0.0.0:8089 0.0.0.0:* users:(("splunkd",pid=3870899,fd=4)) ... View more

Thanks! ... View more

You need the username and password.   If you do not have it, but have control of your index server, you can reset it using cli, then reconnect search head to all index servere. ... View more

Then you make a dashbord with time picker to select 1day, 1 week or 1 month. ... View more

What do you mean with Dat Set Version of all Linux ? ... View more

I tried the same thing as you suggested then Issue got Resolved. Thank you!!! ... View more

Hi @KalebeRS , please try: index="" host= sourcetype=csv source=C:\\ pverProduct!="pverProduct" | table pverProduct | dedup pverProduct Ciao. Giuseppe ... View more

If you like a custom format, yes, then your need to use eval and not convert. PS if you can accept the answer it would be fine 🙂 ... View more

Yes it should work like this. Personally I try to avoid windows dc dns, but that’s another story. ... View more

You will need access to the _internal index to do this, or ask you administrators to create a report  or summary index for you. ... View more

Not still sure how it works, but you need the html section and the table id= <dashboard version="1.1" theme="dark"> <label>Table with color Based on Status</label> <row> <panel> <title>Compliance check</title> <html depends="$alwaysHideHTMLCSSPanel$"> <style> #tableColorFinalRowBasedOnData table tbody td div.multivalue-subcell[data-mv-index="1"]{ display: none; } </style> </html> <table id="tableColorFinalRowBasedOnData"> <search> <query> | makeresults | eval _raw="Version,Count,Status win 2012,20,compliance win 2008,35,Non-Compliance Xen 2.4,40,compliance win 2016,24,Non-Compliance" | multikv forceheader=1 | table Version Count Status | eval color=case(Status="compliance","#53A051",Status="Non-Compliance","#DC4E41") | foreach Version Count Status [ eval &lt;&lt;FIELD&gt;&gt;=mvappend('&lt;&lt;FIELD&gt;&gt;',color)] | fields - color </query> </search> <format type="color" field="Version"> <colorPalette type="expression">mvindex(value,1)</colorPalette> </format> <format type="color" field="Count"> <colorPalette type="expression">mvindex(value,1)</colorPalette> </format> <format type="color" field="Status"> <colorPalette type="expression">mvindex(value,1)</colorPalette> </format> </table> </panel> </row> </dashboard> ... View more

Have a look at this: https://www.splunk.com/en_us/blog/tips-and-tricks/exporting-large-results-sets-to-csv.html?locale=en_us ... View more

A better way to do this that will always works correctly: (tested in 9.0.5) <option name="charting.fieldColors">{"error":#FF0000,"warn":FFFF00,"info":00FF00}</option> ... View more

Updated link: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationparametersandthedatapipeline ... View more

If  you change authorization of splunk folder, you can access splunk folder on Windows. You can follow the step below. 1. Right click - splunk folder 2. Click - property menu 3. Move - Security Tab 4. Click - Edit 5. Click - Add 6. Search and Add - Users Group  7. Confirm ... View more

Hi @jotne , The following setting in the web.conf will help in specifying the dashboard name,   [settings] enable_risky_command_check_dashboard = false splunk_dashboard_app_name = <string> Here, splunk_dashboard_app_name will help in disabling the warning to the required app only. Kindly upvote, if found helpful.  ... View more

This question is a bit of a mess and I cannot make sense of it.  Probably you should start over and be more clear.  We usually do not care much about your existing SPL.  What we REALLY care about is CLEAR SAMPLE DATA (preferably with generation SPL, like I show below) and CLEAR DESIRED OUTPUT.  It looks VERY much like your data is being sent in wrong and that each current event is actually multiple events.  You should reindex it and break up these event clumps into single events.  If the problem is that each clumped event lacks a correlation ID (so if you split them, the relationship is lost), then you should take a look at cribl because it has a feature to do this.  You can contact me directly because that discussion is more complicated than we can do here. In any case, here is what I have for a start:   | makeresults | eval _raw=" 2023-03-31 05:14:16,447 - __main__ - INFO - {\"Id\": \"123456JKL\", \"Table1\": \"employee\", \"Time1\": \"3.04\"}" | append [| makeresults | eval _raw="2023-03-31 05:14:16,393 - __main__ - INFO - {\"Id\": \"123456JKL\", \"Table2\": \"salary\", \"Time2\": \"4.05\"}"] | append [| makeresults | eval _raw=" 2023-03-31 05:20:16,393 - __main__ - INFO - {\"Id\": \"123456JKL\", \"Table3\": \"salary1\",\"PayLoad\": {\\\"type\\\":\\\"test\\\",\\\"name\\\":\\\"jas\\\"}"] | eval _time = strptime(_raw, "%Y-%m-%d %H:%M:%S,%3N") | kv pairdelim="{,}" kvdelim=":"   ... View more

Here is  a solution that seems to work for us to find origin of those error messages. This search should show if you have problem with too long fields.   index=_internal source="*splunkd.log" "Received metadata string exceeding maxLength"   This is due to that Splunk tries to create a indexed field that has more than 1000.  Looking trough the logs its not easy to see where this come from.  So with some tips from mmccul I have made this search.   index=<your index> | table [| walklex index=<your index> type=field | search NOT field IN (_indextime date_* punct time*pos) | stats count by field | table field | mvcombine field | return $field ] | foreach * [| eval <<FIELD>>_Len=len(<<FIELD>>)] | table *_Len | stats max(*) as * | transpose header_field=column | rename "row 1" as count | sort -count | rename count as Length, column as FieldName | head 10 | rex mode=sed field=FieldName "s/_Len$//"   What it does: `walklex` will list all indexed fields for an index.  Then with some commands make a list of all interesting fields and return it to the table `| foreach * [| eval <<FIELD>>_Len=len(<<FIELD>>)]` Calculate the length of each field. Then we find the the max length for each field and final get the top 10 field with largest bytes. If there are field with 1000 bytes, there are for sure some fields that are longer, so go trough the raw data and see if there are some regex that do eat to much of the line.This may not be the best/fastest way but seems to work for us. ... View more

If you have may fields and do not know the name of them or variable number of fields, you can run it like this: | stats max(*) as max_* ... View more

The sample messages you posted are conformant JSON.  I don't understand why you need to use rex to extract - or why you need extraction at all.  If these are _raw, Splunk would have automatically recognized it and give you a field named locationCategoryCodes{}.locationCode.  As I always say, do not treat structured data as text.  If for whatever reason Splunk doesn't give you that field, you can use spath to extract all fields ("nodes" in JSON lingo) in these messages. Here is emulation using your sample data:   | makeresults | fields - _time | eval test=split("{\"Item Id\": \"1\", \"locationCategoryCodes\": [{\"categoryCodes\": [{\"categoryCode\": \"CAT_1\", \"ruleID\": [\"138563\"]}], \"locationCode\": \"ABC\"}, {\"categoryCodes\": [{\"categoryCode\": \"CAT_1\", \"ruleID\": [\"138563\"]}], \"locationCode\": \"XYZ\"}, {\"categoryCodes\": [{\"categoryCode\": \"CAT_2\", \"ruleID\": [\"138561\"]}], \"locationCode\": \"DEF\"}, {\"categoryCodes\": [{\"categoryCode\": \"CAT_3\", \"ruleID\": [\"138614\"]}], \"locationCode\": \"IJK\"}], \"timestamp\": \"2023-01-27T00:10:32.367 +0000\"}|||{\"Item Id\": \"2\", \"locationCategoryCodes\": [{\"categoryCodes\": [{\"categoryCode\": \"CAT_1\", \"ruleID\": [\"138563\"]}], \"locationCode\": \"ABC\"}, {\"categoryCodes\": [{\"categoryCode\": \"CAT_3\", \"ruleID\": [\"138614\"]}], \"locationCode\": \"IJK\"}], \"timestamp\": \"2023-01-27T00:10:32.367 +0000\"}", "|||") | mvexpand test | eval isgood = if(json_valid(test), "yes", "no") ``` quick test to see if message is conformant ``` | rename test as _raw ``` data emulation above ``` | spath ``` use this if Splunk doesn't give you locationCategoryCodes{}.locationCode ``` | stats count by locationCategoryCodes{}.locationCode | rename locationCategoryCodes{}.locationCode as "Location Code"   Location Code count ABC 2 DEF 1 IJK 2 XYZ 1 ... View more