We are creating a custom action when an itsi event happens based on the CustomGroupActionBase as documenten here. However I cant find anywhere what data is expected to be returned when caling the get_group method. When looking at the docs it says:   get_group() Gets the episode that triggered the custom action. This method relies on get_results_file() and expects the returned file path to be a .csv.gz format.   The documentation of get_results_file says: get_results_file() Gets the results file, which is where results are temporarily stored.   We want to make sure the fields we currently see in the dict that is returned by get_group doesnt change, even better if we understand which file/where the data is coming from. We are afraid we use fields that are not always filled which would result in an error in our code.   ... View more

I'm trying to make a test with data that I onboarded with the collect command. What I see is that when I insert an event that is exactly the same as existing events, the data that I insert is not able to be searched on the fields while it is possible with the data that is normally onboarded. My guess is that the transforms.conf configuration is not running on collect events, but I can not figure out how i can make sure it happens.   How can I force a transforms.conf to also run on data onboarded with collect? ... View more

I want to test if my ITSI kpi's are working as expected, im creating fake events, with collect, that should trigger the kpi. However the existing onboarding onboards data that avoids the trigger of the correct kpi state e.g. I onboard my data at minute 1, minute 2 the real data is onboarded, minute 5 the kpi base search runs. it takes the last state and sees everything is correct. How can i disable all data onboarding in an easy way for running tests? ... View more

In one of our dashboard we have a table with a custom action, When the user clicks on a field we check if it is the delete field and if so get the name of the field we want to delete. We can put it in a javascript variable. We also have a search that needs to use this variable. Something like: where someVariable is update in a function.   var someVariable = "" var validateChannelCanBeDeletedSearch = new SearchManager({  id: "validate something",  autostart: false,  search: `| inputlookup some | search some_field="${someVariable}"` });  Later we manually trigger the search. The problem is that the update value of someVariable is not used in the query. How can we make it use the updated value. ... View more

In an online example that lets you export a splunk result, I found the following code.   <a class="btn btn-primary" role="button" href="/api/search/jobs/$export_sid$/results?isDownload=true&amp;timeFormat=%25FT%25T.%25Q%25%3Az&amp;maxLines=0&amp;count=0&amp;filename=$filename_token$&amp;outputMode=csv">Download CSV</a>  This does almost exactly what I want, so I tried to find more information of what is happening. I see some parameters there and I want to understand them. isDownload=true&amp; timeFormat=%25FT%25T.%25Q%25%3Az&amp; maxLines=0&amp;count=0&amp; filename=$filename_token$&amp; outputMode=csv I think the fields are almost self explaining but I would like to read the official documentation, also I would like the know what other possible parameters I can provide. When looking for the documentation I only found : Search endpoint descriptions - Splunk Documentation But this does not describe the parameters passed in the example. Where can i find an explenation of the parameters used?  ... View more

We were testing performance and for some reason a join with an inputlookup is faster than a direct lookup. Sample query: | dedup serviceid | rename serviceid as service_id | join type=outer service_id [| inputlookup service_runtime ] VS index=itsi_summary | dedup serviceid | rename serviceid as service_id | lookup service_runtime service_id I thought the lookup would be faster and basicly execute the join with the inputlookup itself. But after trying a few hundred times 99% of the time the join with inputlookup is faster. In what cases should we use lookup instead of a join with an inputlookup? ... View more

I have the following query that runs fine: index=someindex original_index=someindex earliest=1553986800 latest=1554069600 | eval date_display = strftime(1553986800, "%a %B %d %m") | stats values(date_display) as date_determined | return $date_determined When I use this search as a subsearch like... index=some_license_index earliest=1553986800 latest=1554069600 | eval determine_date = [ search index=some_index original_index=some_index earliest=1553986800 latest=1554069600 | eval date_display = strftime(1553986800, "%a %B %d %m") | stats values(date_display) as date_determined | return $date_determined ] | stats sum(bytes) as "License Usage" by original_source ...I get the following error: Error in 'eval' command: The expression is malformed. When I change it to... index=ahm_summary_license_usage original_index=swtr_logs earliest=1553986800 latest=1554069600 | eval determine_date = [ search index=ahm_summary_license_usage original_index=swtr_logs earliest=1553986800 latest=1554069600 | eval date_display = 1234 | stats values(date_display) as date_determined | return $date_determined ] | stats sum(bytes) as "License Usage" by original_source ...It works fine (note the eval in the subsearch) ... View more

Is it possible to make a dashboard.js for all pages (global)? I want to run a specific script that adds a machine id to the header on every page in the splunk environment. The script works perfectly at the moment for a specific app but im not able to run it on every page. ... View more

Lets say I have the following json data onboarded. { "slaves": [{ "id": "1234", "hostname": "12556" }, { "id": "1245", "hostname": "1266" }] "masters": [{ "id": "2234", "hostname": "22556" }, { "id": "2245", "hostname": "2266" }] } The result that I want is that for each slave I get an event with sourcetype indexnamex:slave and for each master I want to put each event in sourcetype indexnamex:master So in indexnamex:slave I want 2 events indexnamex:slave Event1 {"id": "1234","hostname": "12556" } indexnamex:slave Event2 { "id": "1245", "hostname": "1266" } And in indexnamex:master also two events indexnamex:master Event 1 { "id": "2234", "hostname": "22556" } indexnamex:master Event 2 { "id": "2245", "hostname": "2266" } I can not split on e.g. hostname x } as it is the same for slaves and masters. Is it possible to do splitting in multiple steps? e.g. first split on "slaves" : and "masters": and after that split do a split on what is left? If not are there any other options? note: the example is simpler than my real data as it is 10k lines. ... View more

Im trying to come up with the values for the amount of max concurrent historical searches because we get the error: the maximum number of concurrent historical searches on this instance has been reached I know in the limits.conf we can set the values that are used to set the limit: from splunk docs https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf?utm_source=answers&utm_medium=in-question&utm_term=limits.conf&utm_campaign=refdoc " max_searches_per_cpu = < int> The maximum number of concurrent historical searches for each CPU. The system-wide limit of historical searches is computed as: max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches " When I check resourse management I dont even see 1 machine with 1% load all are around 0.5% We have 3 searchheads 2 indexes 1 mgmt. How should i determine the values for "max_searches_per_cpu " and "base_max_searches" as It seems unnecessary to me that we get errors when our load is so low. ... View more