Use Below options  <option name="link.exportResults.visible">0</option> <option name="link.inspectSearch.visible">0</option> <option name="link.openPivot.visible">0</option> <option name="link.openSearch.visible">0</option> <option name="link.visible">0</option> <option name="refresh.link.visible">0</option> ... View more

@manish_singh_77 - did you ever figure this out? I'm having the same problem. ... View more

Worked for me, thanks! ... View more

But dividing it by 1000 makes it less accurate. Isn't there a way to convert it but also keep the miliseconds.  I found a post that in splunk it's only possible to convert 10 digits timestamp. But that post is from 2015. Hope splunk has more possibilities now ... View more

Did you install the Juniper add-on?  It must be installed on the search head as well as the indexer or HF (whichever touches the data first). ... View more

Did you ever find a solution to this? I've tried so many combinations of 'possible solutions' I've seen posted, but none of them have worked for me. ... View more

This does the 'split by' function. I need the dc(hostName) month by month, to divide the number of severities, by severity ... View more

What is your current props.conf for this sourcetype and can you provide some sample events? ... View more

The raw file is multiline events OR everything is coming in single line? Does the file name always contain extension of the file?? ... View more

You can add link tags to the xml source and give form page in it so that it takes the search given in that form page ... View more

The dollar sign ($) trick is just what I needed. ... View more

Must've been thinking too hard. I tried to do it in the gui originally and it just put $host_tok$ everytime. Thanks a million! ... View more

I do not mean permissions at the file level in the OS (linux); I mean Knowledge Object permissions within Splunk. Go to "Settings" -> "All Configurations" and set "App Context" to "All" and "Owner" to "Any". Search for your lookup KOs. Look at the "Sharing" setting for each one and make sure that "Read" is checkmarked for "Everyone". ... View more

What works for us. We have a SHD cluster and authentication is provided by ADFS SSO. For every query, add quotes around action=log* .. For some reason, splunk is NOT detecting action = login attempt as a key-value pair ... may be because there is a space ? ... Example: index=_audit sourcetype=audit user=* "action=log*" The above works! ... View more

Hi, Did you tried to change splunk_logo_black.png in the folder /opt/splunk/share/splunk/search_mrsparkle/exposed/css/skins/default css file? /* change the app logo here. set the height/width for your image, as well as the path to the image */ .appLogo { height: 43px; width: 80px; background: url(/static/img/skins/default/splunk_logo_black.png) no-repeat 0 0; } Hope it works, Skender ... View more

@jravida - I moved your comment on this old one to an answer, since you solved the problem and reported the solution. Please accept your answer to mark the question answered. ... View more

Well, I'm glad you found something that works. I have never had it behave the way you described above, and as you might expect, "it works on my machine" :-), so I'm not sure where my suggestions went wrong. But the important thing is that you've solved your problem. ... View more

Did the strength of the event-timestamp-incrementation increase in very recent memory? I believe this particular message (max_rawsize_perchunk) has to do with the SIZE of the events. The _raw is the text of the events, so rawsize perchunk has to do with when we read a chunk (this can be different quantities of events based on a few factors like batch mode vs nonbatch, size of buckets, distribution across time, etc), but typically is capped at ten thousand (10,000). To avoid bad scenarios like reading in 10,000 events each of which are 1MB of text in size (oops, 10GB of raw and your box falls over), there's a ceiling on the maximum amount of data we're willing to read in from _raw. If this feature is working ideally, you could still get a slowdown if that chunk pushed your system into a low memory scenario which might cause some amount of swapping until the search exits. If the feature is not working well, then it could cause slowdowns for other reasons (that I don't know). I would suggest checking the memory scenario on the index nodes and the search head, and if no one else has a better answer about this problem working with support to nail it down. ... View more

We found the cause of the error. The datastream for the index wasn't being parsed correctly; the milliseconds was not being extracted. This meant that if say 100 events all occured in the same second, as Splunk wasn't extracting the milliseconds, they would have all appeared to have happened simultaneously from a Splunk perspective. This apparently confused Splunk, and performance went bad. Fixed the parsing, and now the we can search on the index just fine. ... View more

CEF standard says that the version field is mandatory, so "+"es are not an error. Header Information CEF uses syslog as a transport mechanism. It uses the following format, comprised of a syslog prefix , a header and an extension , as shown below: Jan 18 11:07:53 host CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|[Extension] The CEF:Version portion of the message is a mandatory header. The remainder of the message is formatted using fields delimited by a pipe ("|") character ... ... View more

There's a reason @somesoni2 is always the #1 or #2 ranked user on Answers 😜 ... View more