Hi Thanks for this - this worked very well. Cheers for the help ... View more

Hi - Boths answers are wonderfull -Thanks very much ... View more

Hi Thanks for the trellis tip  - But is there a way to group the overlay to the correct graph? Below, I am looking for 2 graphs, which turn into 4. I have an overlay for each data set.   ... View more

Hi Thanks very much for this great answer. This worked very well. CHeers  ... View more

O wow - this is great, and thanks very much for the efforts on this.  Cheers Robert ... View more

Well, sometimes you have to work what you have. Nothing shameful about it 😉 Just be aware that this format might require you to craft your searches much more thoughtfully if you want them to be relatively quick. For example, since you have this whole keyname=something,value=somethingelse setup, you can't do a simple something=somethingelse search because that field isn't extracted and isn't know until you plow through your data with the foreach command. But you can limit your initial search results in that case by simply searching for "somethingelse" as search term regardless of where in the event it is. This can hugely improve your search times. ... View more

@robertlynch2020 to answer your composite field question: Creating composite fields is simply a pattern to join MV fields where you have an equal correlation between those fields, i.e. for your example ... | fields traceId spanId parentSpanId start end | eval composite=mvzip(mvzip(mvzip(mvzip(traceId, spanId, "###"), parentSpanId, "###"), start, "###"), end, "###") | fields composite | mvexpand composite | eval tmp=split(composite, "###"), | eval traceId=mvindex(tmp, 0), spanId=mvindex(tmp, 1), parentSpanId=mvindex(tmp, 2), start=mvindex(tmp, 3), end=mvindex(tmp, 4) | fields - tmp composite so it's just a pattern that fits the scenario where using stats will not solve your problem. Note always use fields to ensure ONLY the fields you want expanded, so as to minimise memory usage - that also will mean using | fields - _time _raw as they will remain after a positive fields statement because they are _ prefixed fields so are not automatically excluded. Do NOT use table before an mvexpand as table causes the data to be sent to the search head, so the expansion is done on the SH. (There is a possibility that it will be optimised away, but don't rely on that). Explicitly use fields so that it remains in the indexing tier and if you have multiple indexers, the memory footprint will be distributed.   ... View more

| stats values(X_*) as * by _time This line removes all the other fields. You would need to add more fields to this if you want more fields to be kept. ... View more

HI Thanks - I Got it. https://classic.splunkbase.splunk.com/app/3119/ However why is this happening,  there are lots of functions in the normal dashboard that are not in the dashboard studio, so how come we are forced over. Or is this nothing to do with the new Dashboard studio? + I don't see many questions about DS being asked or answered. Any help + insights would be great on this. Robert ... View more

Thank you, it worked for me ... View more

Probably the cleanest way to do this is as @tscroggins suggested: Make a browser extension that changes the interface. Another workaround would be to ignore the app drop-down menu completely and instead make a navigation menu in your apps which has links to the various app versions and supports multi-drop-down. It may be cumbersome to maintain but it will look better. ... View more

Updated the accepted solution with the actual solution 😎 ... View more

Are you looking dispatch directory or how many search jobs are running? If later then you can use _audit index to get number of jobs. ... View more

yes - Sorry - i thought i did - cheers for help 🙂 ... View more

I think you're lookin for fillnull_value  https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/tstats#Optional_arguments ... View more

To add - the only way back was rebooting the machine - then it all works fine ... View more

Hi Thanks for this. I have the following on 3 indexers.   In the DB folder, the hot buckets have the same name on some indexes, so I don't think I can copy these. Perhaps I should not copy them over and go for the other ones. I also see the data in the datamodel_summary section, but I have no data models on this data. Perhaps I don't need to copy these as well? Cheers Rob   ... View more

Hi Thanks for the feedback. We can have a lot of row, I will have a look at the other app cheers Rob ... View more

Replace <form> with <form version="1.1"> (optionally) <form version="1.1" theme="dark"> ... View more

@Vasulaxnik  Can you please share your sample code and JS?  Or Let's follow the community best practice create new questions and tag me for new comments and conversations :).   KV ... View more

Sounds like you need to raise it as a new idea unless someone has already raised it, in which case up-vote it. So, either an option to set the series default colours by app or by extending the charting.seriesColors option to cover tables. ... View more

HI After trying this is does not work sorry - any other ideas?   Thanks Robert ... View more

HI @SplunkingKnight  Not sure what I am doing wrong here. I am setting it in local on my app. But I am getting this on a startup.   An the colors are still very bright. I am using this to applay it any help would be great -  ... View more

Hey! Yeah OTel file exporter can be used.  https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/exporter/fileexporter You could also configure otel to filter the data you want and send to file and hec simultaneously! https://github.com/signalfx/splunk-otel-collector/tree/main/examples/otel-logs-routing Splunk otel distro has these components: https://github.com/signalfx/splunk-otel-collector/blob/main/docs/components.md ... View more