Hello, NEW INFO BELOW Looking a detailed doc/vid on Service Analyzer (SA).  Having issues with permitting users an pre-filtered SA and blocking their ability to switch to another filter, or turn off filtering completely. My flawed(?) understanding is there is really only a single SA which contains every service within ITSI. Using Teams, we should be able to create other SAs permitting permitting different access. However, that is not working; or I am missing something in the process. While I can save a new SA with the filter on service or tag in place; the user can click the X on the service or tag filter and see all services and tags available, including CPs, which they do not have read/write permissions to. =================================== Here are some more details. Created role tre_user, inherits from itoa_user. Assigned my end users to that role. Users can no longer edit and save our premade deep dives (DD). They can only modify and save as new DD; which is what we wanted them to be able to do. When the tre_user logs in to ITSI they are taken to the default service analyzer (SA). We want them to be directed to a different SA. Also, don't want them to be able to access only a preset group of filters and flags within this assigned SA. We are using the KPI base searches from the Monitoring Microsoft Windows Content Pack (CP). This worked without issue for our various services. However, we had to created an additional individual service for each entity. 11 services covering 42 entities 42 services, one for each entity On our Glass table (GT) we have a main tab that displays all 11 services. These include KPIs for C: and 😧 drives as well as CPU and the Service Health Score (HS). Clicking on the HS will open a new tab in the GT displaying the entities for that service with the individual KPIs for each entity. We had to create a separate service for each entity in order to use the threshold range colors from the KPIs. If we modify the KPI base searches by adding something like | where entity = "server_1", the search becomes an adhoc search and we lose the threshold ranges and colors. Therefore, we created use the base KPI search and in the entities tab we add only one entity. We have 42 entities; therefore, 42 additional services. Here is the SA. We want the tre_user to see only the top section (11 services); while the the bottom section should not be visible in the SA, but accessible from the GT. Checkout this forum question of WHY we need to an individual service for each entity. Using Aliases in Deep Dives and with other ITSI components(?)  Is there an easier way to do the above? As a side question. Working with GT or Dashboard Studio (DS) we have come across some editing issues we did not experience in Classic Dashboards. We used to be able to develop in separate CD and then copy the rows/panels from these separate CDs into the main CD. Development was efficient. Now with GT/DS, we can't do this. Only one developer at a time can work on the GT/DS. And if another developer left their GT/DS open, even if it was not in Edit mode; if they clicked Edit without refreshing or exiting and returning first, the first developers code was gone. Any best practice tips on how you and your teams have handled this? It is really time consuming. Thanks in advance and God bless, Genesius ... View more

Hi, I hope someone is able to provide a solution very quickly. (Apologies). We created a team to see only certain services in the analyzer. Something changed, but we don't what. When those uses login their SA should have a filter set up; and if they were to close that filter, the other possible filters would not be seen. That changed somehow(?). We can't go to a backup because today there have been well over 500 glass table edits (x/y position, data source, interaction, etc.) that were made. The other issue is this team now has access to the editing Deep Dives potentially overwriting our work. Strangely, they can't edit the glass table (thankfully). Thanks in advance for your guidance and support, God bless, Genesius ... View more

Hi, I added this to the D&V and not ITSI because the json used in glass table and dashboard studio should follow the same structure. Correct? Here is a sample of the dataSources from my gt/db. "dataSources": { "ds_fRdCg1iz": { "type": "ds.search", "name": "STAR Application - ServiceHealthScore", "options": { "query": "`get_full_itsi_summary_kpi(SHKPI-f4eb7372-4e0a-4dcb-9e6d-056c3151feda)` `service_level_kpi_only` | timechart cont=false latest(alert_value) AS alert_value, latest(alert_color) AS alert_color" }, "meta": { "kpiID": "SHKPI-f4eb7372-4e0a-4dcb-9e6d-056c3151feda", "serviceID": "f4eb7372-4e0a-4dcb-9e6d-056c3151feda" } }, Unlike the other values which include a key (type: ds_search OR name: STAR blah blah) the ds search name does not have a key. It is just ds_fRdCg1iz. I need to create a table these values. ds_fRdCg1iz, STAR Application - ServiceHealthScore There are hundreds of these searches. Thanks and God bless, Genesius ... View more

Hello. Installed the Content Pack for Monitoring and Alerting, which required installs of some app from Splunkbase. One of these was the Treemap Viz. Splunk states this EoL. However, the Splunkbase indicates this is compatible with 10.0 of Splunk Enterprise. How do I use this viz my ITSI glass tables; unable to find it. Thanks and God bless, Genesius ... View more

Hello, We have 43 hosts dispersed over 11 services. For each service the KPI threshold values and colors are inherited by the single value viz. However, drilling down to another glass table the KPI cannot be filtered on the individual hosts without losing the threshold ranges and colors. We are about to undertake the arduous task of using modified KPI search, adding a command to filter on the host, AND manually updating the thresholds.  Is it possible to filter the KPIs in a glass table by the host and still use the KPI thresholding ranges and colors? Thanks and God bless. Genesius PS I was not able to find ITSI under Select Location. I chose Dashboards & Visualizations and a Label of Dashboard Studio. But this is an ITSI issue. ... View more

Hi, We have an issue with ITSI deep dives. DD uses the FQDN but only displays the first and last few characters, replacing the middle with dots. We have a 20+ character FQDN with the distinction  being those middle (dotted characters). Ex: us-triall1-hh-l.state.xx.us us-tri....xx.us Another issue in DD is it only displays the host/entity_title of the first and last host, even when using the widest swim lane size. Thanks in advance and God bless. ... View more

Hello, We have a search head cluster and an ITSI instance. How do we replicate the tags.conf files from various apps on the SHC to ITSI? These are needed for running the various module searches, and other ITSI macros. Did someone create an app to handle this? Thanks and God bless, Genesius ... View more

Hello, Here is what I have. Lookup file containing 52K rows Fields: DATE, USER, COUNT Require forecasting user access, on Sundays, to sensitive data based on 6 months of events to train (Jan-Jun) 6 months forecasting (Jul-Dec) Data from 2020, so we know the results, but we want to see how close the forecasting was to the actual data DATE format YYYY-MM-DD beginning with 2020-01-05 and ending on 2020-12-27 (Sundays) 52 values USER 1000 values Lookup file; there are 1000 USER values for every DATE; the COUNT is 0 if they did not attempt access, otherwise it is the number of attempts The original lookup is over 1.5 million events (each containing the USER and TIME of attempt) Original TIME value was YYYY-MM-DD HH"MM:SS. But we are concerned with how many attempts that day. Went to ChatGPT to help code the SPL; however, it "claimed" MLTK needed to be in a count of each user for every Sunday, and could work with the original events. Thanks in advance for your help. God bless, Genesius ... View more

Hello, We have a lookup csv file: 1 million records (data1); and a kvstore: 3 million records (data2). We need to compare a street address in data2 with a fuzzy match of the street address in data1 - the bold red text below -returning the property owner. Ex" data2 street address:    123 main street  data1 street address:    123 main street apt 13 We ran a regular lookup command and this took well over 7 hours. We have tried creating a sub-address (data1a) removing the apt/unit numbers, but still a 7 hour search. Plus if there is more than one apt/unit at the address, there might be more than one property owner. This is why a fuzzy-type compare is what we are looking for. Hope my explanation is clear. Ask if not. Thanks and God bless, Genesius (Merry Christmas and Happy Holidays) ... View more

Hello, This is the result from one of my rows in Search & Reporting (Web). Job Code 039081934400000 (4) 082441325900000 (199)   However, when my code is used in a classic dashboard the results are this.   Job Code 039081934400000 (4) 082441325900000 (199)   How do I control my dashboard output to display like my search output?     | inputlookup job_codes_2024.csv ```all fields in the lookup above begin with the letter j, except for the field cntrl``` | foreach j* ```add line feed at the end of all fields beginning with the letter j``` [| rex field=<<FIELD>> mode=sed "s/$/\n/g"] ```group all fields by the cntrl value``` | stats values(*) as * by cntrl     Thanks and God bless, Genesius ... View more