worked like a champ - note it is a restart required.  Debug Refresh (I tried a short cut) did not work.  There were several spots in the files that needed the change. Thanks! ... View more

this old problem bit me today.  Go to 'All Fields' and deselect all fields, then close that window.    Once that was settled, I was able to reselect the 'All Fields' option and the Event Viewer repopulated.  Not sure why it worked, but it did and thought I'd share. ... View more

this old problem bit me today.  Go to 'All Fields' and deselect all fields, then close that window.    Once that was settled, I was able to reselect the 'All Fields' option and the Event Viewer repopulated.  Not sure why it worked, but it did and thought I'd share. ... View more

been there, tried that.  they couldn't get them now either.   Also, in the quantities I'm looking for, that's a challenge.  I go through up to between 5 to 10 a quarter.  I used to pick up between 20 and 30 at then end of .conf and they lasted a year.  Also, I'm not always the only group within my org that need/wants them.  If I could buy them from the store, that'd be a sound and fair option. ... View more

I used this today for a results panel - thank you. However, If you just have html to present (instructions or overview or what ever) you can use the html5 tags <panel> <html> <details> <summary>here's the deetz</summary> <p>the deetz you're talking about</p> <details> <summary>sub-deetz</summary> <p>the nested sub deetz in html</p> </details> </details> </html> </panel> ... View more

Thanks kvswathi - I had the same problem. my curl wouldn't work - your edit suggestion did. And debug refresh works too (w/o restart) ... View more

this was a bad change. Finally got around to upgrading a small dev environment from 6.x and don't like it at all. Such a major change w/o an easy way to opt out creates a bad customer experience. Why make it so hard to change it back? Also, the release notes for 7.1 don't really explain that the custom colors for apps will be majorly impacted. Screen captures in operational SOPs are now all obviously out of date and have to be rewritten as well as internal training documents. ...sigh. I understand the desire to keep the UI fresh, but this was not well thought out. Why not put a way to mod the dashboard.css in the UI? Still love Splunk - but this is frustrating. ... View more

Thank you for doing what you do. It's a great app. I've got it pointed at my stream app and am finding some interesting results. I'm on version 2.0 of the app- just installed it last night. I'm using Firefox 60.0.2 (64-bit) on a windows 10. I've got the feature enabled, confirmed looking in the xml. I have disabled browser plug-ins that might interfere. I still can't find the feature. ... View more

I was playing with koshyk's query and came up with this one. Make sure you use fast mode and event sampling 1:100,000 or else it might take forever. index=whatever |rename _bkt AS bucketId, _cd AS cd |stats earliest(_time) as first_event latest(_time) as last_event by bucketId |join type=left bucketId [|dbinspect index=whatever |fields bucketId, state] |stats first(first_event) AS first_event, last(last_event) AS last_event dc(bucketId) AS buckets by state |eval last_event=strftime(last_event,"%m/%d/%Y %H:%M") |eval first_event=strftime(first_event,"%m/%d/%Y %H:%M") |table first_event, last_event, state buckets |sort - last_event And if you want to see 'em all: index=* |rename _bkt AS bucketId, _cd AS cd |stats earliest(_time) as first_event latest(_time) as last_event by bucketId, index |join type=left bucketId [|dbinspect index=* |fields bucketId, state index] |stats first(first_event) AS first_event, last(last_event) AS last_event dc(bucketId) AS buckets by state index |eval last_event=strftime(last_event,"%m/%d/%Y %H:%M") |eval first_event=strftime(first_event,"%m/%d/%Y %H:%M") |table index first_event, last_event, state buckets |sort - last_event ... View more

Thank you! works exactly as intended in the search app. I truly appreciate the time and effort you spent putting this together. I think your answer will be viewed and used by many. Any thoughts on my it won't work in my home made app? I haven't started troubleshooting this yet; I think there might be an underlying dependency I'm not aware of. Other splunk answers indicate if might be css? If someone could point me in the right direction on where to start looking... jeffland, if you're coming to .conf this year, seek me out, I owe you a beer. ... View more

Thanks jeffland, but I can't seem to get this to work. I've placed the js in the [app]/appserver/static directory and changed the permissions & owner to match js in other apps. I've poked, prodded, tweaked and cajoled this seven ways from Sunday and can't seem to get it to change the token. Restarting splunk after each js mod. Perhaps I'm not that adept at troubleshooting the java script. Perhaps another set of eyes on this might see something I'm missing. I tweaked the sample you provided to better illustrate what I'm working with (and renamed the js file): <form script="resetappt,js"> <label>_temp input button</label> <fieldset submitButton="false"> <input type="text" token="app" searchWhenChanged="true"> <default>*</default> <label>Input</label> </input> </fieldset> <row> <panel> <chart> <search> <query>index=_internal sourcetype=$app$ | stats count by sourcetype</query> <earliest>-15m</earliest> <latest>now</latest> </search> <option name="charting.chart">pie</option> <drilldown> <set token="app">$click.value$</set> </drilldown> </chart> <html> <center> <p>$app$</p> <button type="button" id="buttonId" class="btn">Reset</button> </center> </html> </panel> </row> </form> the script info: [root@doolin static]# pwd /opt/splunk/etc/apps/test_app/appserver/static [root@doolin static]# ls -la -rw-r--r--. 1 splunk splunk 261 Feb 10 03:09 resetappt.js [root@doolin static]# more resetappt.js require([ 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!' ], function ($, mvc) { var tokens = mvc.Components.get("default"); $('#buttonId').on("click", function (e){ tokens.set("form.app", "*"); }); }); Sumpin in there isn't working. I appreciate your time and assistance. [edit - I did notice the comma in the sample in the form tag and tried it both with the comma and a period] ... View more

My challenge is that it doesn't work at all. ... View more

I think this is new in 6.5, but I've been able to set variables with an env call in xml <row> <panel> <html> <h1>Welcome $env:user_realname$ </h1> You are logged in as $env:user$ </html> </panel> </row> ... View more

Awesome! Stream app 6.6.0 now has ICMP. Thank you. ... View more

Here's something I cobbled together based on several answers: index=* |eval index_sourcetype=index+"-"+sourcetype |chart limit=0 count(*) as * by index_sourcetype |untable index_sourcetype field value |xyseries field index_sourcetype value ... View more

Sooooo..... it's been a couple of years; but I still don't see ICMP in the Stream App? I'm currently running nfdump just so I can get the ICMP, but would much rather use just the Stream app. Looking to detect and alert on icmp tunneling, a method to stealthy exfil data out of a compromised network. (http://www.cs.uit.no/~daniels/PingTunnel/) . ... View more

Thanks MuS - The disable in the UI wasn't enabled. I figured it out - I had to go into the data input and repoint the syslog inputs (UDP & TCP) back to the main index. Luckily, my custom field extractions were re-enabled. Once I repointed the data inputs, the 'disable' option in the apps tab was there. ... View more

Thanks for getting back to me. I'm currently working on getting YAF with DPI to work, but would really rather have Stream. ... View more