Can I press enter in a splunk search and not do a search it just moves the text to a new line. In excel it is to press alt and enter I think ... View more

I have a splunk dashboard with multiple panels/searches. My sample dashboard below. I want to be able to declare a variable at the top that is available to every search below, on the dashboard. Can this be done in advanced XML. Appreciate any advise. My sample dashboard. For example, I am using VaribleX = 500 as the variable to be shared across the dashboard. <form> ... VaribleX = 500 <row> <panel> <title>device=BRT01KPR component="GigabitEthernet1_0_1.200" Mbps</title> <table> <search> <query> search 1 ... | timechart span=d sum(VariableX) </query> <earliest>-1d@d</earliest> <latest>@d</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> ... </table> </panel> <panel> <title>device=BRT01KPR component="GigabitEthernet1_0_1.200" Mbps</title> <table> <search> <query> search 1 ... | timechart span=d sum(VariableX) </query> <earliest>-1d@d</earliest> <latest>@d</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> ... </table> </panel> </row> ... <row> <panel> <title>device=BRT01KPR component="GigabitEthernet1_0_1.200" Mbps</title> <table> <search> <query> search 1 ... | timechart span=d sum(VariableX) </query> <earliest>-1d@d</earliest> <latest>@d</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> ... </table> </panel> <panel> <title>device=BRT01KPR component="GigabitEthernet1_0_1.200" Mbps</title> <table> <search> <query> search 1 ... | timechart span=d sum(VariableX) </query> <earliest>-1d@d</earliest> <latest>@d</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> ... </table> </panel> </row> </form> ... View more

I have a dashboard that has a number of tick boxes. I have 4 in one panel at the top of the dashboard (snipped of tick box that I can see and tick) and 4 in a panel at the bottom of the dashboard (snipped of tick box that is greyed out so I can't tick/untick) The 4 in the panel at the bottem appear greyd out so I can't tick them. Any idea why this is the case? I am pretty sure it ws not greyed out in the past. EDIT1 working one: <row> <panel> <input type="checkbox" token="show trend1" searchWhenChanged="true"> <choice value=""></choice> </input> <input type="checkbox" token="show forecast1" searchWhenChanged="true"> <choice value=""></choice> </input> <input type="checkbox" token="show forecast1 for ham" searchWhenChanged="true"> <choice value=""></choice> </input> <input type="checkbox" token="show forecast1 for kpr" searchWhenChanged="true"> <choice value=""></choice> </input> </panel> </row> greyed out one: <row> <panel> <input type="checkbox" token="show trend2" searchWhenChanged="true"> <label>qq - show trend2 (4G incoming only)</label> <delimiter> </delimiter> </input> <input type="checkbox" token="show forecast2" searchWhenChanged="true"> <label>show forecast2 (4G incoming only)</label> <delimiter> </delimiter> </input> <input type="checkbox" token="show forecast3" searchWhenChanged="true"> <label>show forecast3 (4G incoming+outgoing only)</label> <delimiter> </delimiter> </input> <input type="checkbox" token="show forecast2" searchWhenChanged="true"> <label>show forecast3 for ham (4G incoming+outgoing only)</label> <delimiter> </delimiter> </input> <input type="checkbox" token="show forecast2" searchWhenChanged="true"> <label>show forecast3 for kpr (4G incoming+outgoing only)</label> <delimiter> </delimiter> </input> </panel> my fixed one: <row> <panel> <input type="checkbox" token="show trend2" searchWhenChanged="true"> <choice value=""></choice> </input> <input type="checkbox" token="show forecast2" searchWhenChanged="true"> <choice value=""></choice> </input> <input type="checkbox" token="show forecast3" searchWhenChanged="true"> <choice value=""></choice> </input> <input type="checkbox" token="show forecast3 for ham" searchWhenChanged="true"> <choice value=""></choice> </input> <input type="checkbox" token="show forecast3 for kpr" searchWhenChanged="true"> <choice value=""></choice> </input> </panel> </row> Not sure what happened there. Pretty sure it was working when I first created it. Could be going mad. Thanks very much all the same for pointing me in the right direction. While I have you, are spaces in token names - good/bad? Any other general comments on my possibly poor syntax? tks ... View more

What is wrong with this rex?? This is the rex that the system gives me when I do a extract fields option. index=x ... | rex "^(?:[^"\n]*"){3}(?P<index_ks>[^"]+)" I am getting Mismatched ']'. when I do the search. This is the regex working here https://regex101.com/r/LxVFbf/1 Another way to write it is like this, although not as generic: index=* | rex "index="(?P<index_ks>.*)";" which works see here: https://regex101.com/r/YCn7h6/1 However, the result single quotes at start and end e.g. 'result1' 'result2' in Splunk, but not in the regex101 example. Would like to understand this better. ... View more

Can I have more than 2 time controllers in the 1 dashboard that are independent of each other? So 1 time controller can control the timeframe on 1 chart and the 2nd time controller can control the timeframe of This is the code for 1 but how do I make the other one? <input type="time" searchWhenChanged="true"> <label>Timeframe</label> <default> <earliestTime>-1d</earliestTime> <latestTime>now</latestTime> </default> </input> ... <earliestTime>$earliest$</earliestTime> <latestTime>$latest$</latestTime> ... View more

Here is my dropdown list (renamed the counters for illustration here) <input type="dropdown" token="counter"> <label>Select Counter:</label> <default>Counter1</default> <choice value='sum(Counter1) as "Counter1"'>Counter1</choice> ... <choice value='sum(Counter1) as "CounterN"'>CounterN</choice> </input> And this is what it looks like: (It allows me to search the counters) But it only allows me to select 1 counter from the drop down. How can I select more than 1 counter in the dropdown menu? ... View more

I have 2 searches: search1 and search2 search 1 gives : _time kpi1 kpi2 kpi3 kpi4 2016-01 493.26 636.06 56.322 1129.32 search 2 gives : _time kpi1 kpi2 kpi3 kpi4 2017-01 193.26 44.06 34.322 239.32 I combine them with the append (e.g. search 1 ... | append [ search2 ...] ) _time kpi1 kpi2 kpi3 kpi4 2016 470.55 277.07 37.060 747.62 2017 193.26 44.06 34.322 239.32 but not the time format loses the month (e.g 2017-01 becomes 2017) How do I get it to hold on to the month? _time kpi1 kpi2 kpi3 kpi4 2016-01 470.55 277.07 37.060 747.62 2017-01 193.26 44.06 34.322 239.32 ... View more

How do I move a string cat operation from the search and store it in an extracted field option that Splunk offers under events? This way the string cat won't appear in the search. I can use string cat to create my fields the way I want with this format subrackNo "-" SlotNo "-" boardType ... | strcat subrackNo "-" SlotNo "-" boardType fields | timechart max(kpi) by fields And this give me this format 0-1-SPUb 0-11-SPUb 0-16-GOUa THis is one of the rows from my data set: 2016-12-18 23:59:59,DeviceName=Device1,subrackNo=2,boardType=GOUc,SlotNo=23,SubsystemNo=1,CPUoccupancy=3,Throughputoccupancy=0 Now what I want to be able to do is do this in the extracted field option that splunk offers, so I don't have to do it in the search as I am doing with the string cat above. So this way my search could be like this with the string cat removed. ... | timechart max(kpi) by fields EDIT1 this might the path to take using regex - https://regex101.com/r/nPatfn/1 ... View more