Are the both full enterprise versions? Free version cannot create alerts. ... View more

For median calculation, I considered only disinct values and not all values! This was a wrong way to calculate ... View more

When clicking on the panel inside of the dashboard you can create a drilldown at the bottom of the side panel. You can then make a drilldown to a different dashboard and send a token with it! I haven't found an option to link directly to a search or report like in a classic dashboard though. In your example you would create a dashboard drilldown to a dashboard with panels displaying details involving the data of the bar chart. You set the Token in the drilldown options like: Token_Name = row.ROW_NAME.value Then once you click on the bar chart in viewing mode you are sent to the other dashboard including the value of the bar/row name. I hope this helps! _______________________________________ If this was helpful please consider awarding Karma. Thx! ... View more

Thanks ... View more

Glad I was able to help! ... View more

yeah, but i am looking for panel 3 , 4, 5 as pie charts .  ... View more

If you want to make a check against recent data then the answer of @gcusello will work. If you want to have a solution based on states (independently of time ranges) to check if the action changed then you could create a KVStore that stores the last/wanted state of the fw_rule_action. To do so you have to create a KVStore with all the fields you need (in this case: src_ip,dest_ip,dest_port,fw,fw_rule_action) You save the "correct" state of fw_rule_action with the combination of fields in the KVStore. Now if new events with the same combination of values appear you can check against the KVStore what the fw_rule_action was and if it matches the one from the live data. If it does you can ignore it, if it doesn't you can act on it. I hope this helps! 🙂 _______________________________________ If this was helpful please consider awarding Karma. Thx!   ... View more

Glad to hear that! You're Welcome! 😄 (You could mark my answer as the solution to complete/close the question 😉 ) ... View more

Forcefully changing the local directory when updating an app would go against the purpose of the folder structure since it is made to guarantee to keep your changes even when updating the app.   I think the only solution that secures a healthy Splunk Environment would be to manually adjust/remove the local changes that interfere with the new ones.  Look through the local version of the dashboard the customer created and find any changes they want to keep in the new one. Delete the local version and you'll see the one created in the default directory. Then make the changes the customer wants to keep in the dashboard thus creating a new local version. You could also rename the current local dashboard to "dashboard_old.xml". This would result in both dashboards being shown and allows for the transition of the changes while both Dashboards are still intact. I hope one of those solutions works for you! _______________________________________ If this was helpful please consider awarding Karma. Thx!   ... View more

worked for me, much appreciated. ... View more

Glad to hear that 🙂 ... View more

The percentage shown is calculated as part of the Pie Chart Visualisation. As far as I know there are no Formatting Options (UI or SourceCode) that can change this. So the only way I can imagine is to make a custom visualisation that is an exact copy of the Splunk-Build Pie Chart and modify the code in there.  But I don't know if that effort is worth it. My only other guess would be to look into the code of the page and see if there is a possibility to modify it through HTML Code Inserted into the XML Code of the Dashboard but that's a far stretch _______________________________________ If this was helpful please consider awarding Karma. Thx! ... View more

Worked perfectly. Thank you and I obviously gave you Karma 😀 ... View more

As @FelixLeh pointed out, the maxspan is a valid option and will limit any transaction length to 5s. The others are not valid transaction options. If the question is to find transactions less than 5 seconds, then maxspan it is Read the man pages here - it should clarify https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Transaction#Txn_definition_options   ... View more

HI @risingflight143, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

As @FelixLeh said, usually there must be some transaction identified which bind those event to the same physical event. You said that in this case it is a day. So we can do it by this way index=anIndex sourcetype=aSourceType aString1 ("START of script" OR "COMPLETED OK") | eval startTimeRaw = if (match(_raw, "START of script"), _time, null()), endTimeRaw = if (match(_raw, "COMPLETED OK"), _time, null()) | bin span=1d _time as trcId | stats range(_time) as duration values(startTimeRaw) as startTimeRaw values(endTimeRaw) as endTimeRaw by trcId | eval durationHuman = tostring (duration, "duration") | table trcId, startTimeRaw, endTimeRaw This divide events to 1 day slots and within those slots it calculate duration between start and end events. Probably you need to check that duration > 0 and if need take abs for it to get it right direction.  ... View more

| lookup Blocked_IP src_ip OUTPUT src_ip as is_blocked creates a field is_blocked for every event where a matching IP is found in the lookup. | where isnull(is_blocked) then removes all events where the field is_blocked has a value (all events that have a matching ip). ... View more

These articles could help you: https://community.splunk.com/t5/Splunk-Search/Masking-data-using-regex-during-Indexing/m-p/319796 https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata ... View more

Splunk searches your data for stuff and tells you what it finds.  The list of things it did NOT find is infinite and would make for a very unhelpful report/dashboard.  That's why you need a list of things for Splunk to search for and put in your dashboard. ... View more

This worked!   | eval ip=mvdedup(split(replace(ip, "\n", " "), " "))   An engineer at work gave me this (yours is better):   |rex mode=sed "s/([0-9\.]+)\n.*/\1/g" field=ip   However, it only works for the ip field and you would have to create a custom regex for each field.  I will have to get with the admin to fix the data coming in.  Also, we had an issue with the data getting formatted in each field, where it made the data look like a giant column.  This was the fix:   |eval ip = replace(ip, "\n", " ")   ... View more

Hi, I have no knowledge of how this type of search behaves..but if this kind of directory also has fields can't you just use |fields attribute_name_field to get rid of any other field but the name?  (like I said im just blindly guessing since I have never used Idapsearches! I hope you can resolve your problem!) ... View more

Hi @simonafcbrown, (relatively new member here as well so I might be wrong about some stuff and PLEASE anybody correct me if I write something wrong 🙂) From what I understand from your post you have already indexed your csv file through the "add Data" function of Splunk.  If not you have 2 options: 1. Click the splunk logo(top left), click add Data and upload your csv as an input file. During this process you can set an Index your Data will get sent into. (Default or custom Index) To access this data in a search for your dashboard simply start your search with: index=yourIndexName searching with just this string will give you any indexed events in the selected time range! Then you can follow up with your desired search. 2. You can also create a Lookup from your csv Data. A  file with columns and rows can be loaded as a Lookup in Settings->Lookup->new file (Lookup table files) Then also create a new Lookup Definition for your uploaded Lookup File. You can access the created Lookup File in your search through: | inputlookup yourLookupName if all was done correctly you can search your source for data! To add your search to a Dashboard just go to "Save as" in the top right of your search and create a Dashboard  from there. You can also add Searches to existing Dashboards here if you pick "Existing" I hope my explanation was helpful!  also for most of the questions you have, docs.splunk is your friend 🙂 https://docs.splunk.com/Documentation   ... View more

Even though it would technically work it's not quite what I'm looking for. My goal was to avoid if or case functions to make the formatting of the tag_value easier.. but maybe it's the only possible way.  Thanks for your suggestion though! Maybe it'll help anyway. ... View more

@aditsss, The query is only missing resolved state, I added below. But I couldn't understand "All these columns contains numeric values". I think you meant about some other columns since state columns are string in your search. If you can post some sample data, we can have better recommendation. | inputlookup mnr_rally_defects.csv | sort -rundatetime | dedup state | eval state=case(state="Submitted" OR state="Fixed" OR state="Open", "OPEN", state="Closed" OR state="Resolved","Closed", 1==1,state) | table rundatetime state   If this reply helps you an upvote is appreciated. ... View more