What is the advantage of using rex in a search V saving it as an extracted field? Example of using rex in a search: index=core ....| rex ".*,.*CPU:CPU=(?P<CPU>[^,\"]+)" | rex "Core:Core ID.=(?P<coreID>\d*)," | rex "Subrack No.=(?P<subNo>\d*)" | rex "Slot No.=(?P<slotNo>\d*)," | strcat userLabel "-" coreID "-" slotNo "-" subNo object_formatted | timechart useother=f span=1h avg(c117498312) by object_formatted But I could also save it as an extracted field and tie it to some sourcetype. Mainly interested in speed, so is one way faster than the other? Does it just make your search shorter? ... View more

Can you do conditional formatting, like in Excel, in Splunk? For example, can I have conditional formatting on the percent column that the cell color will change based on : if >=80% Red if >50% and <=80 Orange if <=50% Red name Value percent name1 900 90% name2 500 50% name3 700 70% name4 300 30% name5 200 20% I know you can do heat maps in Splunk, but they do not do what I want. ... View more

I am using a checkbox to show/hide multiple rows. I have some rows that have a single chart that spans the full width of the screen. But when I load the dashboard, the charts in question are hiding, and when I tick the check box to show the charts/rows, the charts appear but they only span half the width of the screen, aligned to the left. I can do a refresh on the panel/chart and the chart will refresh and then span the full width of the screen. How do I rectify this so that when the charts show they show at the full screen with. this is my skeleton below: <form> <label>dashboard name</label> <row> <panel> <input type="checkbox" token="show_more_token" searchWhenChanged="true"> <choice value="show more details">show more details</choice> </input> </panel> </row> <row depends="$show_more_token$"> <panel> <chart> ... </chart> </panel> </row> <row depends="$show_more_token$"> <panel> <chart> ... </chart> </panel> </row> <row depends="$show_more_token$"> <panel> <chart> ... </chart> </panel> </row> </form> test ... View more

Is there a tagname I can use in simple XML that I can put multiple rows in that I can then toggle hide/show? for instance the below skeleton would show: row row row Can I have something like, below, where I can sho/hide the 2nd and 3rd row together?: row <tagname depends="$mytoken$"> row row </tagname> skeleton dashboard below: <form> <label>dashboard name</label> <fieldset autoRun="true" submitButton="false"> <input type="checkbox" token="sourcetype_token" searchWhenChanged="true"> <choice value="show">show</choice> <choice value="hide">hide</choice> </fieldset> <row> <panel> <chart> ... </chart> </panel> </row> <row> <panel> <chart> ... </chart> </panel> </row> <row> <panel> <chart> ... </chart> </panel> </row> </form> ... View more

Looking at understanding better how lookups work in Splunk. As I understand it, there are 3 steps: 1. lookup table files - basically you add your *.csv file 2. lookup definitions - name your lookup definition and link it to the above *.csv file 3. Automatic lookups - this is where you do you mapping from the fields that are already in splunk with the fields in your *.csv What I want to know specifically is as follows: If i had a lookup that was working fine off a csv file that only had X number of rows, lets say this: lookupA,ValueToReplaceLookup A,America B,Beijing C,Columbia And then sometime later, I come along and I just want to add a few new rows to the csv e.g. lookupA,ValueToReplaceLookup A,America B,Beijing C,Columbia D,Denmark E,Eygpt What is the best way of doing this without breaking anything? Do I just delete the existing csv and replace it with the new one, keeping the same name, and then I don't have to do step 2 & 3 above? Or is there a better way of doing it? ... View more

In the pic below, is there a way that you can display the country name in the pop up instead of the lat and long values? EDIT1 trying to answer woodcocks comment below The stats that feed the above pic look as follows: (it is taken from Splunk 6.x Dashboard Examples) geobin latitude longitude GET POST bin_id_zl_0_y_3_x_2 -10.00000 -55.00000 8 6 bin_id_zl_0_y_4_x_1 19.43420 -99.13860 5 2 bin_id_zl_0_y_4_x_2 11.37778 -73.14076 12 6 bin_id_zl_0_y_4_x_5 16.67630 77.27630 12 7 The stats that feed the map I am working on looks like this: (but i get the same view with lat and long on the popup as above) latitude longitude NumberofRegisteredSubscribers ks_countryname -25.274398 133.775136 1442 Australia 37.09024 -95.712891 662 United States Similar questions here http://answers.splunk.com/answers/129281/map-geostats-display-city-instead-of-latitude-and-longitude.html https://answers.splunk.com/answers/302088/splunk-625-label-the-maps-popup.html ... View more