Hey @phil_wong, It seems that previously there was a method to create a backup from the ITSI app itself to include the Unix content packs which I believe is outdated now. Also, ITSI v4.8.x is a quite outdated version. Please have the app upgraded to the latest version and it will also bring new features and installation/configuration of content packs will be easier.  ... View more

Hey @jbrocks , @SplunkDB2022  Setting conditional drilldowns to set values for token and hiding the panel is not supported in the Dashboard Studio. Here is the reference link for comparing the features between Classic Dashboard and Dashboard Studio - https://docs.splunk.com/Documentation/Splunk/8.2.5/DashStudio/IntroFrame#Dashboard_features  ... View more

Additionally, if you want to have the event opened up in a new tab upon clicking on the SLA value in the table, you will need to define drilldown and link it to a search. You can find the related information here - https://docs.splunk.com/Documentation/Splunk/8.2.4/Viz/DrilldownLinkToSearch  Be sure of using variables like $click.value$ and $click.value2$ while using drilldown to achieve proper use case ... View more

Hey @jcorcoran508, You can proceed ahead with further modules. The data seems to be perfect and not sure what is the need for delimiting a white space character in the description field. Also, I can see in the screenshot that the description field is properly extracted by the json sourcetype. ... View more

Hi ITWhisperer,   OK - I got that working eventually - thanks! So my main comment here is how difficult this is to do - isn't this a pretty common scenario? I simplified my actual requirements here hugely - I'd like load of the dashboard elements to affect each other. I'll write up some notes and link them.   thanks again everyone!   Jim   ... View more

Hey @lamnguyentt1, Found the same question while exploring community answers and here's your solution - https://community.splunk.com/t5/Getting-Data-In/How-do-you-calculate-the-size-of-indexed-data-as-per-source-type/m-p/441649/highlight/true#M76998  index=_internal source=*license_usage.log* type=Usage idx=<yourindexname> | eval GB=b/1024/1024/1024 | stats sum(GB) by st ... View more

I am just trying to feed data into another repoerting solution that uses fielbeat. That monitors log files. Plan is to feed the exported content to filebeat ... View more

Concurrent searches can be controlled using base_max_searches and max_searches_per_cpu. But those are global settings only as mentioned by @isoutamo It would be better to restrict the users based on roles and apply the limits globally. Creating roles based on apps can become a complex job for managing roles, current and future users, current and future apps as well.  ... View more

Hey @somari, Found this in one of the accepted answers. You can try that if it works for you. Here is the link to the answer - https://community.splunk.com/t5/All-Apps-and-Add-ons/Unable-to-initialize-modular-input-Webtools-Add-on/m-p/528361/highlight/true#M64122 ... View more

Hi @EvansB, let me understand: do you want to use _time for grouping events or as a field to display? in the first case you could use the hint of @tshah-splunk , but is useful to add a bin command before the stats to group results, otherwise you'll have too many results: | bin _time span=1d | stats values(*) as * by _time if instead you need to display _time as a field, you can put it in the stats options, using some function: values(to have all the distinct values of _time, earliest to have the first value, latest to have the latest value. In both situations, you have also, at the end, to convert _time from epochtime to human readable format using strftime. Ciao. Giuseppe ... View more

We were able to get it working by amending the source type on the HEC token, and setting the character limit to 1mb (1,000,000 characters) ... View more

Hi those are good starting points to get a list of your apps and indexes, but there are lot of other REST endpoints to get more information about your apps. https://docs.splunk.com/Documentation/Splunk/8.2.4/RESTREF/RESTconf is REST API Reference and here is on conf talk where apps' configs have get via it https://conf.splunk.com/files/2019/slides/FN1315.pdf. This is something which you really need to read. r. Ismo ... View more

Hi @anil1432, I couldn't understand much of what do you mean by data usage? If this is in the context of license usage based on sourcetype, you can navigate to Monitoring Console -> Indexing -> License Usage -> License Usage - Previous 30 days dashboard and filter the data to display the dashboard split by "sourcetype". And since it is based on timechart, you can find the usage for different periods of time as per your need.    If this is in the context of event count based on sourcetype, you can run the following search query between specific time intervals to get the count of events for that specific sourcetype for the defined time interval | metadata type=sourcetypes index=* splunk_server_group=dmc_group_indexer splunk_server_group="*" | fields sourcetype, totalCount | sort - totalCount | search sourcetype=gshshsh | rename sourcetype as Sourcetype, totalCount as "Event Count"  ... View more

Hi @vineela, the best approach is that you could aggregate results in the base search and then display in each panel a subset of data. Only to explain:  if you want in a panel count the results of:      index=xyz  sourcetype="dtc:hsj" tcode="1324" in another count the results of:      index=xyz  sourcetype="dtc:hsj" tcode="1324"  OR tcode="234"  and in a third one all the others, you could put in the basesearch something like this: index=xyz sourcetype="dtc:hsj" | eval condition=3 | eval condition=case(tcode="1324","1",tcode="1324" OR tcode="234","2") | stats count BY condition then in each panel you will be able to filter results (condition=1 or condition=2 or condition=3 Ciao. Giuseppe ... View more

Perfect, this is exactly what I was looking for! ... View more

Was trying to understand if the schedule was defined within double quotes or not ... View more

From splunk_TA_Nix app few sourcetpye are missing like -sourcetype protocol is not excute in bin command sh protocol.sh  no data is showing .can you please let me what is the reason of missing sourcetype. ... View more

Hey Neeraj,  Thanks for explaining the use case. GET Workflow action will not be able to save the values in a field. It'll just redirect you to another website using the field you specify. And workflow actions would also not be helpful in achieving your objective. Will need to look for another solution to it. ... View more

I've follow the Docs about route data https://docs.splunk.com/Documentation/Splunk/8.2.4/Forwarding/Routeandfilterdatad#Filter_data_by_target_index In this doc, it's recommended to do: "If you want to forward only the data targeted for a single index (for example, as specified in inputs.conf), and drop any data that is not a target for that index, configure outputs.conf in this way: [tcpout] #Disable the current filters from the defaults outputs.conf forwardedindex.0.whitelist = forwardedindex.1.blacklist = forwardedindex.2.whitelist = #Forward data for the "myindex" index forwardedindex.0.whitelist = myindex This first disables all filters from the default outputs.conf file. It then sets the filter for your own index. Be sure to start the filter numbering with 0: forwardedindex.0." Now, I'm testing your config, I'll update my answer in case of that config works. Otherwise, I will test other configs to find the working one. ... View more

Monitoring Console can work on Standalone mode as well. If you want the whole environment to be monitored via Monitoring Console, then all the Splunk Components should be added as distributed search peer to the monitoring console. You can find the related information here - https://docs.splunk.com/Documentation/Splunk/8.2.4/DMC/Addinstancesassearchpeers https://docs.splunk.com/Documentation/Splunk/8.2.4/DMC/Deploymentsetupsteps  To configure monitoring console for standalone environment, find reference here - https://docs.splunk.com/Documentation/Splunk/8.2.4/DMC/Configureinstandalonemode  https://docs.splunk.com/Documentation/Splunk/8.2.4/DMC/Singleinstancesetup  ... View more

Since renderXml is set to true, the sourcetype of your event would be considered as XmlWinEventLog:Security. So, you can define a similar stanza in the local directory of the app with the blacklist setting and you should be good with your objective.  ... View more

Here's the link to other solution - https://community.splunk.com/t5/Deployment-Architecture/Monitor-rolling-restart-time/m-p/524535/highlight/true#M18076 ... View more

Just clicking on the update button should be good to upgrade your app. Also, restart is not required post-upgrade.  ... View more