Yes works with 7.0.0 as well. Thanks @arowsell ... View more

Did this bug just re-appear in Splunk 7? Not able to see the indexes in the role window anymore after the upgrade from 6.0.0 -> 7.0.0 ... View more

Adding to Martin's point, you may as well create a scripted solution which will give you more flexibility. Moreover if you are just copying the sendemail.py to your own app it will not be overwritten upon upgrade but may malfunction upon the original sendemail.py structure change for on splunk instance. I have been following the same method for colors, font, resizing text + own scripted alerts. ... View more

Hi, Why dont you keep it simple? (host=xxx* "url1") AND (host=yyy* "url2") |eval execute_time2=case(host=yyy*,execute_time)| timechart span=30m p50(execute_time) AS xxx50 |appendcols [search host=yyy* "url2" | timechart span=30m p50(execute_time) AS xxx50, p50(execute_time2) AS yyy50] Thanks, L ... View more

Daniel the props.conf will have to be set up on the indexer not forwarder. They will get adjusted according to your config for the newer entries. you can modify anything for the indexed items or better re-index them. ... View more

why dont you just put endswith="complete" that should cover both the ending points. ... View more

I was refering to the script which is configured for a realtime alert. I personally feel there is not much use of a realtime alert. rather schedule it to run every minute or two. It will affect the performance for sure as the CPU core will be occupied. There is no best practice available currently but you will know this by experimenting in your test environment. ... View more

Adding to that, Don't configure the script for real time alerts, it will continuously trigger the script every minute irrespective of the results found or not. ... View more

Hi Sbeamro, i am not able to get the complete details as the symbols got omitted in your comment. But what i can understand is you want to include the alert subject in your SMS !? You can take advantage of the parameters which will supply you the values directly. Don't mention the $alert variable while mentioning the script file in the alert set up page. Please see the below argument values. ` Arg Environment Variable Value 0 SPLUNK_ARG_0 Script name` 1 SPLUNK_ARG_1 Number of events returned 2 SPLUNK_ARG_2 Search terms 3 SPLUNK_ARG_3 Fully qualified query string 4 SPLUNK_ARG_4 Name of report 5 SPLUNK_ARG_5 Trigger reason. For example, "The number of events was greater than 1." 6 SPLUNK_ARG_6 Browser URL to view the report. 7 SPLUNK_ARG_7 Not used for historical reasons. 8 SPLUNK_ARG_8 File in which the results for the search are stored. Contains raw results. ` ... View more

First try disabling the firewall. if not then ask your network team to look into it telnet IP_Add 8089 it has to be successful to make it work further ... View more