I've seen a few of my colleagues recently use a command called multireport which seems to be largely undocumented to solve some search conditions that have been very challenging to solve otherwise.  Is there a splunk dev who is close to the developer of multireport who would care to shed light into a full synopsys of how this command can be used and any potential arguments it accepts? ... View more

I'm trying to use a link list dropdown to fill in URL's of specific csv files from the splunk lookup editor app into a dashboard panel.  I've followed the instructions to re-enable iframes in splunk 8.0x+ and the frame itself forms, but its stuck saying "loading"  After doing some web browser debugging, it appears this is because the lookup editor app is calling javascript and there is an HTML tag that sets class="no-js" but I'm not a very good HTML debugger and I can't tell if this is being done in the parent apps css or in the child apps css.  I think however, if I could get the iframe to support the javascript I should be in good shape.  Its all the same splunk instance, but I haven't had any luck yet.  Any help is greatly appreciated! ... View more

This seems like it would be straightforward enough based on the documentation, but I have been completely unsuccessful at implementing this method.  Basically I am setting up an interactive dashboard where someone provides an ID in one of a few different valid formats.  From there, I  want to normalize all the potential ID's associated in the different sources for that user and pull together a set of panels from otherwise isolated systems.         <search id="User_Lookup"> <query>|inputlookup user_inventory.csv" | $ACCT_TYPE|s$| fields *</query> <done> <condition match="'$result.doneProgress$' = 1"> <set token="tok_email">$result.dv_email$</set> <set token="tok_altId">$result.dv_u_AltId$</set> <set token="tok_samact">$result.dv_u_logonid$</set> <set token="tok_sso">$result.dv_u_sso$</set> </condition> </done> </search> <title>Top 10 External Email destinations.</title> <search> <query>sourcetype=stash source="summary_mailstuffs" src_user=$tok_email$ | top 10 dest_email</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search>         But the dashboard never appears to recognize that $tok_email$ is being set from the base search.  I am 100% certain the field and value exist in the base search.  Where am I going wrong? ... View more

Hello, I am wanting to write an app for Splunk ES that can leverage the ability to integrate the investigation toolbar on the bottom and manage investigations within the context of a completely different app.  Is there a particular app template I should reference in order to do this? ... View more

We recently moved from a stand-alone ES splunk search head to a clustered splunk ES search head, and we've started to see doubling, and in some cases tripling up of some of our correlation search results where we've configured throttling that we have not seen on the stand-alone machine.  Scenario: correlation search scheduled to run 23 minutes after the hour every 6 hours. search looks back 24 hours to now().   Throttling is set to 1 day.  Search runs, generates notable events.  12 hours later, search generates notable for the same events it found in the first run, implying that the search likely ran once on the same search head, and on a different search head the second time.   Is there a way to confirm that all search heads have the same criteria for what should be throttled and for how long?     ... View more

I'm trying to do some lookup table rationalization because we have some sources changing that we're pulling into lookup tables and I'll need to find new sources for some of my data types.  I'm trying to find a better way to get stats on fields used for lookup and inputlookup matches as well as output results, so I have a better way to weight the criticality of certain data sources in my org and push for better data coverage at the source for important fields.    The way I've done this so far is through | rest for saved searches and macros followed by an unholy amount of regexes to capture all of the worry-free use of cases and conditions and in-line renames using AS and WHERE.   I haven't even started with views... There simply must be a better way.   Is there anything in splunk_introspection that would basically count the equivalent of sum(count) of a particular lookup field by any saved search or macro? ... View more

I'm trying to use splunk on a search head I don't manage but I noticed that whenever I try to use erex on the search head, the regex never comes back to me. I see logs at the end of my search that erex executed fine: 05-04-2020 21:41:04.191 INFO DispatchExecutor - END OPEN: Processor=erex 05-04-2020 21:41:04.366 INFO script - Invoked script erex with 6203295 input bytes (20351 events). Returned 41 output bytes in 120 ms but I can't find anywhere in the search.log or in the GUI where the learned regex is being displayed. My guess is that the level of logging required to print this output may be too high. What is the required logging level for erex to function? ... View more

I'm trying to figure out how to do a conditional rex statement that looks at a windows file path and determines if the last segment of the path has a ., it creates a field called extension, but if it doesn't end with an extension, it creates a field called directory and puts the full value (with spaces) of the last directory in the segment. Is there a way to do a conditional statement like this with rex? ... View more

In this case I'm using a PBS job scheduler and whenever splunk sees a uncorrectable memory error I want it to offline the node within PBS itself. the local command line syntax would be something like: pbsnodes -o $hostname$ qmgr -c 's n $hostname$ comment="Splunk offlined this node due to uncorrectable memory errors" Thus far I've been unsuccessful in having any way to trigger this as an alert action to a search. Any help would be greatly appreciated! ... View more

I've got a test set of hosts using collectd to gather process information, and I'm struggling how to get mstats to give me a by clause of the process name. Can someone help me out with this? ... View more