This should be determined by the sort order for your data. However, there seems to be an issue with it. If you look at the bottom of the page in the docs, you see some communication regarding sort not working for the order of the trellis panels, only for the data in the table at the bottom. The last comment was from June 28th regarding the issue. The sort command issue is SPL-142769 Frobinson splunk, Splunker June 28, 2017 From the docs: https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Viz/VisualizationTrellis To change the order in which segments appear, adjust the search to sort or change search result order. ... View more

Assuming the messages above are the entire event, you could do something like this: BASE SEARCH | rex field=_raw ":(?<imagetype>\w+)" | stats count by imagetype ... View more

It is not recommended to ingest data through the Search Head. For Add-ons with a GUI configuration, you would want to install a Heavy Forwarder. Take a look at this table from the docs for the Box Add-on. ... View more

Try something like this. It is different than your search, but you will get the idea: sourcetype=access_combined | stats count as Count by action | rangemap field=Count "900-950"=900-950 "951-1000"=951-1000 default=">1000" | table action range ... View more

Which app were you interested in. Most of the apps on Splunkbase are free and can be installed in Splunk (trial or not). If you are looking at a trial of one of Splunks premium apps, you can do a 7 day sandbox in the Cloud for Enterprise Security and IT Service Intelligence. This is with preloaded data to basically allow you to kick the tires on the app. Request Enterprise Security or IT Service Intelligence Sandboxes here If you are referring to apps that have a cost through a vendor or other party, then that would be something you would have to reach out to the vendor to see about a trial. ... View more

What version of the Add-on are you using. There is apparently a new add-on which is intended to replace TA-sep and TA-sav. It is actually intended to run side-by-side with the older add-ons, so there is no migration required. The docs indicate that it supports Symantec Endpoint Protection version 12.x and later. This could be your issue. https://splunkbase.splunk.com/app/2772/ ... View more

I just noticed that you "ran the search" to remove the index. This is actually a command you would need to run via the CLI. Are you the administrator of the Splunk instance? If this is a single server instance (meaning you downloaded from splunk.com and installed it), then you should be able to remove the index from the GUI. However, if it is a distributed environment (meaning a separate search head, and multiple indexers, then the index would need to be removed from each indexer, via command line, using the command you typed in the search bar it seems. ... View more

Do you have multiple indexers? ... View more

A Heavy Forwarder would be needed to do any filtering of data at the source. Otherwise you could do the filtering at the indexer side. You could handle it like you would if you were trying to anonymize data, like when you mask a credit card number or other PII (Personally Identifiable Information). In that scenario, you are basically breaking the data into pieces, then concatenating it back together, replacing a piece of the data with X's or #'s, masking part of it. In your scenario, you could use the same method, but instead of replacing some of the data with another character, you just concatenate the data you want, leaving out the data you don't want. Take a look at this documentation on anonymizing data: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles ... View more

There is a difference between the receiving port (default 9997) that a forwarder would send data to, and a listening port, say UDP 514 if you are sending syslogs to some port where Splunk is listening for that data stream. All of your data would be coming in to 9997 if it is coming from forwarders. Your source would not reflect the receiving port that the forwarders are sending data to, like it would in the UDP 514 example. Are you trying to send any data coming from the forwarders on to another destination? ... View more

In you search, you could use earliest and latest. For example: index=yourindex sourcetype=yoursourcetype earliest=-1mon@mon latest=@mon You could also set the time selector to Previous Month before saving the Alert. ... View more

Add the following to the end of your search: your search....| sort -count ... View more

Add the following to your sub-search: index="si_errors" sourcetype="si_LateEnd" earliest=-24h@h latest=now ... View more

You could use a sub-search for this. Try something like this: source=D:\\XSP\\importhelpers source=IH_Daily\\DebugImportHelper End | rex field=source "importhelpers\\\+(?LateClientID[^\\\]+)" NOT [ search index="si_errors" sourcetype="si_LateEnd" | eval LateClientID=ClientID] ... View more

A saved search in Splunk is the same thing as a Report. You could start by opening the panel in your existing dashboard that uses that data in search (hover over the panel and click the magnifying glass at the bottom. This will open the search for that panel. Modify the search to represent your data in a table, then save it as a Report (Save As...Report). ... View more

You may want to take a look at this app: https://splunkbase.splunk.com/app/3177/ It lets you bypass the requirement for installing the Support Add-On for Active Directory. ... View more

I believe the purpose of this visualization is to plot single values as opposed to pie charts. Is there a reason for not using the native Splunk map visualization? ... View more

Can you provide us with a sample few events from your data? ... View more

You could do that with the "Restrict Search terms" field within a role: ... View more

Is it two different Splunk environments? Can you provide more information on what the reason for load balancing across two different groups would be? ... View more