I want all results from a search to be the default for a multiselect input box. I don't think it can be done with SimpleXML but I suspect it can happen with JavaScript using the val method. How would I run the search from the search manager, retrieve the results and fill in the Multiselect box? ... View more

I have a chart which has a time picker to look at the the volume of data indexed on all our master license servers. When you click on one of the hosts, a new panel appears with a chart and table based on the previous panel. I want to provide a timepicker for that panel and set the defaults to the time selected in the previous panel. <input type="time" token="all_master_time" searchWhenChanged="true"> <label></label> <default> <earliest>-7d@h</earliest> <latest>now</latest> </default> </input> ... <panel ... > <input type="time" token="slavetime" searchWhenChanged="true"> <label></label> <default> <earliest>$all_master_time.earliest$</earliest> <latest>$all_master_time.latest$</latest> </default> </input> Is this possible? ... View more

In the blog posting "Making a dashboard with tabs (and searches that run when clicked)" http://blogs.splunk.com/2015/03/30/making-a-dashboard-with-tabs-and-searches-that-run-when-clicked/ On tab 5, the author uses a fact that appears undocumented, if a token is undefined, the search will not happen. I have looked all over the web for info about this feature and wonder if someone knows where this is documented as a feature. I know it is mentioned in the article but it would be nice if this was put in documentation. ... View more

I did the two following searches using the same license_usage.log file and got different results for yesterday's total bytes used by that indexer. Why are they different and which is more accurate? index=_internal host=splunk source=*license_usage.log type="RolloverSummary" slave=09F538B3-E658-4C42-A213-EE89679465E0 | eval _time=_time - 43200 | bin _time span=1d | eval TotalBytes=b/1024/1024/1024 Result: 63.288 GB index = _internal host = splunk source = *license_usage.log type = "Usage" i=09F538B3-E658-4C42-A213-EE89679465E0 | stats sum(b) as TotalBytes | eval TotalBytes=TotalBytes/1024/1024/1024 Result: 63.2525 GB Same time span - different result. ... View more

I want one total for the bytes sent to both the main and default index since they are both the same index. The license_usage.log file records them as different indexes because I believe we have forwarders not configured to send to a specific index. 02-17-2016 05:07:19.006 -0500 INFO LicenseUsage - type=Usage s="WinEventLog:System" st="WinEventLog:System" h="WS-Piano" o="" idx="default" i="09F538B3-E658-4C42-A213-EE89679465E0" pool="auto_generated_pool_enterprise" b=5922 poolsz=204010946560 02-17-2016 05:07:20.488 -0500 INFO LicenseUsage - type=Usage s="udp:514" st=syslog h="129.6.79.11" o="" idx="main" i="E3E369A5-DE83-47BC-804E-153BC246D021" pool="auto_generated_pool_enterprise" b=94889 poolsz=204010946560 Here is the search used by the Usage over 30 days for index use via the licensing selection under settings. I have removed the eval's that are not pertinent to the question. | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st,idx Is there a way to rename those idx called "default" to "main" before doing the sum and then be able to sum both default and main into one total for my report? ... View more

We had to put the log files in the /san/splunk/var/log/splunk directory vs the /opt/splunk/var/log/splunk directory. Of course, I can modify apps that have hard coded the path to files in that directory. Is there a way to use props or transform on the indexer with the awkward path so the source will show up as /opt/splunk/var/log/splunk on the search head? That way, I don't have to modify the search in apps needing to find files in the /san/splunk/var/log/splunk directory. ... View more

I want to keep more than 5 copies of eventgen.log. The log file is located in /opt/splunk/var/log/splunk, but is not one of the standard log files. How do I configure Splunk to keep more copies of this file? It looks like $SPLUNK_HOME/etc/log.cfg has specific lines for each log file and I don't know what to add to this file to manage eventgen.log. ... View more