It REALLY helps to see your XML. Try something like this: <form> <label>Show Hide Using checkbox</label> <fieldset submitButton="false"> <input type="checkbox" token="emailORnot" searchWhenChanged="true"> <choice value="emailORnot">Email Results?</choice> </input> </fieldset> <row> <panel> <table depends="$emailORnot$"> <search> <query>index=_internal | stats count BY sourcetype | sendemail to="user@domain.name" subject="Dashboard Report" paperorientation="landscape" papersize="letter" width_sort_columns="true" sendresults="true" server="smtp.domain.name"</query> <earliest>-60m@m</earliest> <latest>now</latest> </search> </table> </panel> <panel> <table rejects="$emailORnot$"> <search> <query>index=_internal | stats count BY sourcetype</query> <earliest>-60m@m</earliest> <latest>now</latest> </search> </table> </panel> </row> </form> ... View more

@woodcock, thank you for your response and correcting my incorrect usage of the command. Unfortunately, it still does not have any effect on the Y-Axis, but in looking back at my initial message I see that I did not make it clear that the Y-Axis scale I am referencing is the Y-Axis labels on the scale from 0 to 100, not limiting any data that might be spurious and causing a column over 100% appearing in the chart. I do appreciate you time and help. Thank you Randy ... View more

Thank you somesoni2. While I was aware of the notification settings, I had not considered/understood that I would include tokens in the text. This would allow me to use a standard global default footer with the ability to modify it with the token. I was unaware of the savedsearches.conf file and the additional ability to modify the footer of the message as well as the optional PDF report. RNB ... View more

@somesoni2 , could you please help to extract the value as shown below, thanks in advance. \"business\":{\"code\":[\"1221\"] this is exist in every event. So, I want to be store that value in type_value field. required output type_value=1221. ... View more

Hi RNB, I cannot solve this problem, but i can help you to find a different way to achieve this. If I get it correct you want to match the -1- in #APF-1-ADD_TO_BLACKLIST_FAILED ? If this is correct, you can use field extraction like you tried and simply search for the values you're interested in. Try something like this: your base search to get the events here | rex "\:\s[\#\%](?<myField>.*?)\:" | search myField="*-1-*" This will create a new field called myField (name can be changed to what ever) containing APF-1-ADD_TO_BLACKLIST_FAILED and CCM_CALLMANAGER-CALLMANAGER-6-DeviceRegistered based on the provided examples. The last | search will only return all myField values which contains a -1- . After you got all working, setup automatic field extraction http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles and you no longer need to use rex . hope this helps to get you started ... cheers, MuS ... View more

Well, there are a lot of details there. First of all, each summary job should in general write to a different summary index. If you want to create a summary, then you should do as I said above and send your sistats output to a summary index for that search/job. There is a setting on the jobs page that lets you set the index, though you do need to create the index ahead of time. When you want to view the results, you have to query from that specific summary index. ... View more

Hello, Here is a regex that I've tested and it works with your sample data. outside:(?<scr_ip>((\d{1,3}.)){3}\d{1,3})/(?<scr_port>\d+[^\s])(?:[\s\w]+):(?<dest_ip>((\d{1,3}.)){3}\d{1,3})/(?<dest_port>\d+[^\s]) wildcard: outside:(?<scr_ip>[^/:]+)/(?<scr_port>\d+[^\s])(?:[\s\w]+):(?<dest_ip>[^/:]+)/(?<dest_port>\d+[^\s]) Also I would consider adding this to Field extractions for that source type. which would look like this. outside:(?P<scr_ip>((\d{1,3}.)){3}\d{1,3})/(?P<scr_port>\d+[^\s])(?:[\s\w]+):(?P<dest_ip>((\d{1,3}.)){3}\d{1,3})/(?P<dest_port>\d+[^\s]) wildcard: outside:(?P<scr_ip>[^/:]+)/(?P<scr_port>\d+[^\s])(?:[\s\w]+):(?P<dest_ip>[^/:]+)/(?P<dest_port>\d+[^\s]) You could alternatively added this to your transform.conf and associated with the source within your props.conf. I also suggest purchasing Regex tool like RegexBuddy it very handy. Hope this helps or gets you started. If it does dont foget to accept or vote it up. Updated and verified regex for your examples listed: wildcard: src\s+(?:[\w_-]+):(?<scr_ip>[^/:]+)/(?<scr_port>[^\s]+)\s+dst\s+(?:[\w_-]+):(?<dest_ip>[^/:]+)/(?<dest_port>[^\s]+) Regex break down: src\s+ - set begin of regex and match scr and white space (?:[\w_-]+): -None capture group to match everything before colon(:) and after previous regex (?<scr_ip>[^/:]+) - capture group that capture any data after colon(:) and before slash(/). Basiclly wild card with expections -(?<scr_port>[^\s]+) - capture group that capture any data after slash(/) and with no white space.Basiclly wild card with expections \s+dst\s+ - regex for white space and dst (?:[\w_-]+) - None capture group for any data after dst and before colon (:) (?<dest_ip>[^/:]+) - Capture group for any data not colon or slash. Basiclly wild card with expections : - regex for slash (/) (?<dest_port>[^\s]+) -Capture group for any data not whitespace.Basiclly wild card with expections I can create a regex wild card capture as long as you specify upper and lower bounds of your string. ... View more

I added the missing / between the round brackets to what I had but I still had problems. I kept fiddling with what I had unsuccessfully, but cutting & pasting exactly what you have does the job. Thank you. ... View more

Well it's certainly a great deal easier with Sideview. Download Sideview Utils from Splunkbase and check out the embedded docs around 'linking'. I don't have an example specifically about linking drilldowns from charts but the table example is very similar. Or you can feel free to post the XML or email me and I'll show you. ... View more

It looks like you have a search that is looking for uncommon events and then is using collect manually (not recommended) to put those events into the default index. This is probably duplicating events every time it is running. Some missing info is the time range that this search is bounded to. I'm suspicious that it's running over all time and thus duplicating the matching events over all time every time it is running, thus more than doubling the work with every invocation. I recommend disabling the search, or simply removing the collect from the search, as I don't see what it could be doing for you. As for your reconciliation question, I'm not sure what's happening exactly. You may have to work with support to figure it out. However we know that we have trouble with extremely large numbers of results for one source in the same second. This is because our backing store is sorted by second, but our UI output is expected to sort by subsecond as well, so if we have to sort 4 million events by a non-indexed field, it's going to go to heck. This is a very rare case in real data, so it didn't get to the top of the prioritization pile, although it's starting to get worked on now. ... View more

I'm having some trouble getting this to work as well,( I only want to save 6 months back) I've created a indexes.conf and put it in /splunk/etc/system/local/indexes.conf And the only line in that file is frozenTimePeriodInSecs = 15768000. I've restarted splunk several times, but nothing happens. What would be the easiest way to remove data older than six months and keep it that way based on what I've done? Keep in mind I've barely touched Splunk, I just installed it. Cheers! ... View more

If charting.nullValueMode does not work for you try: <option name="charting.chart.nullValueMode">value...</option> ... View more

BTW, you need a higher score before you can add a comment; it's not your browser. ... View more