This XML allowed me to freeze the first column and column title: <row depends="$never$"> <panel> <html> <style> #myTable div [data-view="views/shared/results_table/ResultsTableMaster"] td:nth-child(1) { position: fixed;; left: 0 !important;; z-index:9 !important;; position: sticky !important; } #myTable div [data-view="views/shared/results_table/ResultsTableMaster"] th:nth-child(1) { position: fixed;; left: 0 !important;; z-index:9 !important;; position: sticky !important; } </style> </html> </panel> </row> Then, use the myTable as the id in the <table> id ... View more

Here's a couple of ways of getting a list of Windows services and the status of these services into Splunk: Windows Host Monitoring In the inputs.conf file add a stanza like this: [WinHostMon://Service] interval = 600 disabled = 0 type = Service index = windows This will collect a list of services, and status, every 10 minutes, from the system running the Splunk Forwarder. More documentation here: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Inputsconf#Windows_Host_Monitoring WMI Create a WMI.conf file and add the following stanza: [WMI:WindowsServiceState] interval = 600 wql = select Name, DisplayName, Description, State from Win32_Service disabled = 0 index = windows This will collect the same data as the previous example, however its more customisable - for example you can use WMI to narrow down to collecting data on only specific services, or even querying a remote server. More documentation here: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Wmiconf ... View more

This one works , verified 🙂 ... View more

Hi @sb01splunk, I tried using your second code, but the value of token "ProjectName" as all_projects  It does not take the query results in the dropdown.  Can you please suggest how to resolve it? Thank you Taruchit ... View more

(To be fair, the unique delimiter isn't necessary if you know your data well enough to pick a static one that won't conflict; it would be more performant than calculating a random integer every event) ... View more

This is beautiful, Thanks! ... View more

See @woodcock 's answer ... View more

First of all, did you already setup linux cgroups? Your understanding of indexers is correct, but please spin this into a new question to keep things clearer for everyone ... View more

Hi, It is also possible, without hidden panel If your search is taking time to execute, so till your search execution is not completed, you will see the token variable as panel title. <row> <panel> <title>$panel_title$</title> <table> <search> <query>index=foo |timechart count as devAppCount | eval devAppC=10*devAppCount | head 1 | table devAppC</query> <earliest>-1h@h</earliest> <latest>now</latest> <done> <set token="panel_title">$result.devAppC$</set> </done> </search> </table> </panel> </row> ... View more

If i understand your query right, you don't want to use * but you want to explicitly specify values like val1 OR val2 etc To do this you'll have to add a few lines(lines 6 - 12) to the end of the query as shown here index=XXX "app"=D forwApp=$App$ host=$host$ | rename resStatus as s | eval Tstatus=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error") | search Tstatus="$field3$" | dedup s | rename s as search | appendpipe [| format] | rename search as label | eval value=label | eval label=if(match(label,"OR"), "ALL", label), sortord=if(label=="ALL", 0, value) | sort sortord The sortord is just there to ensure that ALL appears first on the list. you can omit that if you don't need it. Your input will just have the following. <input type="dropdown" token="status" searchWhenChanged="true"> <label>Select response status code:</label> <fieldForLabel>s</fieldForLabel> <fieldForValue>s</fieldForValue> <search> <query>index=XXX "app"=D forwApp=$App$ host=$host$ | rename resStatus as s | eval Tstatus=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error") | search Tstatus="$field3$" | dedup s | rename s as search | appendpipe [| format] | rename search as label | eval value=label | eval label=if(match(label,"OR"), "ALL", label), sortord=if(label=="ALL", 0, value) | sort sortord</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> </input> Note: This will only work if your search has any results. IF not, your input will never populate Hope this helps Cheers! ... View more

MY BAD! Last 15 minutes should be fine (stupid tiny mobile phone screen). ... View more

This is wonderful @woodcock, Thanks for your help! ... View more

Thanks Sandeep but there is nothing in inputs.conf ... View more

| stats count(Error) as ErrorCount | where count>10 This should do it! Please accept the answer if it helped, thanks! ... View more

Actually, I got it. Had to tweak a few things. Thank you for the help! ... View more

If this is helpful, accept the answer, please. ... View more

the age of data is defined as the retention police. Check this additional link where you can have more information about it -> https://answers.splunk.com/answers/553180/how-to-find-the-retention-period-of-an-index.html ... View more

Thanks for the answer, however our client network is super sketchy about pulling from and monitoring that way. We are basically getting a one way from from them to us. So far I have found the following articles related to this setup below. The issue I get now is that if the data is in its own index (lets say security_logs), I get everything EXCEPT those logs but if I use REGEX=(WinEventLog:Security) or REGEX=(WinEventLog | Security), I get all the WinEventLog from things that put their data into the main index. https://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system https://answers.splunk.com/answers/448100/is-it-possible-to-index-and-forward-a-specific-sou.html https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf#IndexAndForward_Processor----- ... View more

Thanks for suggestions. Have to monitor splunk state FROM the splunkforwarder. Tried a 5 second tcpdump to target indexers but sometimes it sees nothing, sometimes sees a lot of traffic.....will try the splunkd.log suggestion. ... View more

| inputlookup lookupfile1 | lookup lookupfile2 host OUTPUTNEW host as isFound | where isnull(isFound) Hope this helps, Thanks! ... View more

Ok,I understood why it doesn't works. I have renderXml=true and if I check the windows event,there's not any field i was looking for. I must change the logic,parsing the raw xml and looking through it. ... View more

| makeresults | eval raw="01/10/2019 08:22 ABC_PORTAL 200 01/10/2019 08:24 ABC_PORTAL 01/10/2019 08:26 ABC_PORTAL 01/10/2019 08:28 ABC_PORTAL 01/10/2019 08:30 ABC_PORTAL 01/10/2019 08:32 ABC_PORTAL 503 01/10/2019 08:34 ABC_PORTAL 503 01/10/2019 08:36 ABC_PORTAL 503 01/10/2019 08:38 ABC_PORTAL 503 01/10/2019 08:40 ABC_PORTAL 200 01/10/2019 08:42 ABC_PORTAL 200 01/10/2019 08:44 ABC_PORTAL 200 01/10/2019 08:46 ABC_PORTAL 503 01/10/2019 08:48 ABC_PORTAL 01/10/2019 08:50 ABC_PORTAL 01/10/2019 08:52 ABC_PORTAL 01/10/2019 09:54 ABC_PORTAL 01/10/2019 09:56 ABC_PORTAL 01/10/2019 09:58 ABC_PORTAL 503 01/10/2019 10:00 ABC_PORTAL 503 01/10/2019 10:02 ABC_PORTAL 200 01/10/2019 10:04 ABC_PORTAL 200" | makemv delim=" " raw | mvexpand raw | rex field=raw "(?<time>\d+/\d+/\d+ \d+:\d+) (?<title>\w+)" | rex field=raw "(?<response_code>\d{3})$" | eval _time=strptime(time,"%m/%d/%Y %H:%M") | fillnull | fields - time,- raw | autoregress response_code as reg | fillnull | where reg!=response_code | fields _time title response_code reg | delta _time as duration | autoregress _time as Downtime_start | eval Downtime_end=_time | where response_code!=200 | eval Duration = tostring(round(Downtime_end - Downtime_start),"duration") | foreach Downtime_* [eval <<FIELD>> = strftime(<<FIELD>>,"%m/%d/%Y %H:%M")] | fields title , Downtime_start,Downtime_end , Duration,response_code | eval response_code=if(response_code==0,"slow_connection",response_code) | fields - _time Hi, How about this? ... View more

Thanks @somesoni2! This worked perfectly. "I wasn't sure if last item - "table PercentageGreater" - would work in the "single" element in the dashboard, but it did." ... View more

@sandeepmakkena Just so I understand. Although the field (column) has been renamed, and we can no longer use the original name in eval, rex, or other commands. However, the original name is still available to be used as a token which can be passed to other child dashboards, and other panels on the parent dashboard? Thanks and God bless, Genesius ... View more