Hey, there is two solutions: Use a browser plugin that allows screenshots even for pages that are bigger than your screen. I think Firefox might actually have this on board. There is a app (in Beta status) from Splunk PS, which you could try, available here. Be aware that it's completely unsupported, and requires some effort to set it up. The built-in PDF function as well as PDF printing are pretty broken. Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂 ... View more

At this point, your stats() has already removed all time information, so it's no longer possible to draw a timechart. Do you actually want a time chart, that means the values for one or multiple series over a certain time frame? If yes, what time frame would that be? ... View more

Hey, you're sending a string where Splunk expects bytes, a comparable situation is explained here: https://stackoverflow.com/questions/33054527/python-3-5-typeerror-a-bytes-like-object-is-required-not-str-when-writing-t?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa I'd try to just change with open("ST1_23_Mai_2018.csv", "r") as lines: to with open("ST1_23_Mai_2018.csv", "rb") as lines: Hope that helps! ... View more

Hey, try running this: /opt/splunkforwarder/bin/splunk validate files It will check your install for missing files, and give you a hint what is wrong. ... View more

Mh, never heard of that, but I'm also not really a Windows admin guy, so thanks for the update 🙂 ... View more

Hehe, I read that, but I wasnt clear to me that you meant that... which might be a non-native-English issue with me, sorry 😉 ... View more

Just to add on this - because you explicitely asked for "already indexed events" - you can do this like shown above, but it will not be persistent. Data, once indexed, can not be changed afterwards (permanently), only in every search again and again. ... View more

You can try to rename those fields, so they start with an _ . Fields starting with an _ still exist, but are invisible - so you shouldn't see them, but they should be available to you. Try | rename yourfield as _yourfield . Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂 ... View more

I'd try this: | chart sum(event_count) over DateHour by zone ... View more

Can you show the results you get when you remove the last part of your search (the | timechart ... )? ... View more

Ah, sorry, I overlooked that. Do you only have one event per hour and zone? ... View more

Yes, and it will make it a positive value, so if: * zone_A is 50 * zone_B is 60 It will return 10, not -10. If you don't want this, just make it eval difference=zone_A - zone_B ... View more

IIRC, metrics.log is done by each indexer, and reports what that indexer sees. license_usage.log is only done by the License master, and combines all input, so that would be the better choice. Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂 ... View more

From v7.1, Splunk requires you to set the admin password, because else people tend to stick with changeme 😉 You can put in whatever password you like, but make sure to remember it. Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂 ... View more

Just to add, if Splunk recognizes a timezone information in the timestamp, any TZ = setting will be ignored/overruled. ... View more

Try to append this: | eval difference=abs(zone_A - zone_B) | eval percentage=round(difference/zone_B*100), 2) Make sure you actually want abs() (this will always return a positive value), and which zone you want to base your percentage on. Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂 ... View more

So, you want to run this on a certain host, that is not a Splunk instance, or only has a UF? You wan't a script that regularly pings some IPs from a CSV file? ... View more

I don' think this is possible without writing a custom Javascript and implementing that into your dashboard... ... View more

If that's the case, it's an issue with the rest of your query. Eval never filters anything out. ... View more

There are things to consider, but it is possible. ... View more

Use this: | eval usage=case(like(_raw,"%FirstClass%"),"A_Grade",like(_raw,"%SecondClass%"),"B_Grade",like(_raw,"%ThirdClass%"),"C_Grade", true(), "failed") Case will take the first statement that is true, so the true() will be the last-case-fallback and return "failed" for all that did not meet any other criteria before. ... View more

It is only required on the search head(s). ... View more