A co-worker thought to build a new dashboard in 9.3.2 and compare the source code I ended up stripping out the tabs and layout definitions.  Looks like a syntax changed from 9.3 to 9.4.  With those removed and the rest of the tags lined up under layout, the page works.   You got me looking in the right place, so I'll mark this as accepted. ... View more

Technically, yes, but everything is a little re-arranged in the code.  My tabs and items tags are at the very bottom of the page.   I'll see if I can line it up to match what you have here and see if it works.  ... View more

A second layer of sed script successfully strips the excess whitespace, but it doesn't look like I can include a double quote, even encoded, without Splunk escaping it in the value.  I was really hoping to chain several OR statements into a single lookup value, but I guess that isn't possible. ... View more

I did an inputlookup to get my field (uploads) and used this piece of search I found on another post: | fields uploads | rex field=uploads mode=sed "s/(\d+)/%\1/g" | eval decode=urldecode(uploads) I think I'm very close, but my decoded string has a space between every character looking something like this: \ \ \ \ * \ \ b r a n c h \ \ s y s t e m \ \ t y p e 1 \ \ *   ... View more

We ended up with some corruption after a server migration that required a restore from backup.  Now the Lookup Editor is working again. ... View more

No luck.   The Health and Status dashboards work, so it does see the lookups, we just can't access them in the main screen.  We're currently on Splunk 9.2.2, so maybe it will clear up once we move to 9.3. ... View more

I will try both approaches today and see what happens.  Thanks for the suggestions! ... View more

Correction, I need to re-pin them in reverse order, as the most recently pinned app goes to the top. ... View more

Now I notice that all of the apps that existed prior to the upgrade are all already pinned.   The only unpinned apps are the few we have added since then.  Presumably that means I can just unpin everything and the re-pin in the order I want.   I miss the dragging. ... View more

Thank you, I will have our team look into these and see if there is anything we can salvage of our current system.  I feel like Goofy from Disney's Jack & the Beanstalk, slicing bread so thin it is transparent. ... View more

At this point, you will basically be editing the various .conf (inputs, outputs, props, transforms) files in Notepad or some other text editor.  The CLI will mostly for issuing commands to Splunk, which in the beginning will be mostly ./splunk stop,  ./splunk start and ./splunk restart. Are you running headless, or do you have access to the web interface? ... View more

Thank you @gcusello, I was worried this might be the answer.  As much as we can, we are leveraging the API to build dashboards into our main website and effectively replicating the dashboards in HTML, pulling the values from Splunk.  That keeps the users out of Splunk entirely and may be the direction we need to go.     ... View more

With the changes in v3.6.0 of the app in the past month, is this still valid? ... View more

I don't have any solutions, but we started seeing this on our system this week, though I don't think it followed any updates.  Looking for the sendRcvTimeout reference, I notice that has begun showing up in the Splunk logs just in the past month.  The only thing we're doing new is starting to experiment with the loadjob command to reference some fairly large jobs.  We only have a single indexer and a single search head.  We are running 8.2.1. ... View more

I'm sorry, I got so lost in trying to explain and show what I was doing wrong, I got sidetracked from actually trying your suggestion.  This works perfectly, thank you! ... View more

That was what I tried first, but got lost in how to format the search in the 'value' field.  I get the idea that all of the escaping is preventing the token variables from the drilldown from being populated.  When I inspect the search after running it, it still just shows my $host_tok$ and $client_tok$ instead of the values passed from the previous panel.  When I was just  passing tokens from the radio buttons to a standard search, it worked fine, I just didn't have the flexibility I needed in the search. Here is the panel source, I tried a straight search for Download and tried using CDATA for the Upload (which was just a mess), but in neither case do the tokens populate: <panel> <input type="radio" token="method_tok"> <label></label> <choice value="search index=navyclientiis sourcetype=navyclientiis cs_method=HEAD OR cs_method=GET [|inputlookup all_mid-tiers|where Unit=&quot;$host_tok$&quot;|table host] cs_client=$client_tok$ |rename cs_uri_stem AS &quot;File Downloaded&quot; |eval Status=sc_status.&quot;.&quot;.sc_substatus|table _time &quot;File Downloaded&quot; Status">Downloads</choice> <choice value="&lt;![CDATA[|index=navyclientiis sourcetype=navyclientiis cs_method=POST [|inputlookup all_mid-tiers|where Unit=&quot;$host_tok$&quot;|table host] cs_client=$client_tok$ |rename fn AS &quot;File Uploaded&quot;|eval Status=sc_status.&quot;.&quot;.sc_substatus | table _time &quot;File Uploaded&quot; Status]]&gt;">Uploads</choice> </input> <html>Select Upload or Download to see client traffic.</html> <table depends="$client_tok$"> <title>Detail for $client_tok$</title> <search> <query>$method_tok$</query> <earliest>-48h</earliest> <latest>+12h</latest> </search> <option name="count">15</option> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel>   ... View more

3 years later, I'm finally getting around to using this and it works great.  Thanks! ... View more