Ah! I did not know you could put an id on the search element in the xml and reference that from JavaScript. Splunk's XML dashboard and accompanying JavaScript documentation is abysmal. Thanks a ton sir. ... View more

Oh, also make sure to set the permissions on the macro to at least shared within the app. You might want to make it globally shared. ... View more

This is possible now with straight SPL using the REST API. The below solution is based on SA-rest_get_lookup but with some fixes for escaping special CSV characters. Create a macro called remotelookup (Settings -> Advanced search -> Search macros). Destination app: Wherever you want it Name: remotelookup(2) Definition: rest splunk_server=$server$ /services/search/jobs/export search="| inputlookup $lookup$ | foreach * [eval <<FIELD>> = replace(replace(replace(replace(<<FIELD>>, \"\\n\", \"@@NewLine@@\"), \"\\r\", \"@@CarriageReturn@@\"), \"\\\"\", \"@@DoubleQuote@@\"), \"NULL\", \"@@NULL@@\")] | fillnull value=NULL | rename _* AS tmp_*" output_mode=csv | fields value | rex max_match=0 field=value "(?P<value>^.+)\s" | eval header=mvindex(value,0), value=mvindex(value,1,mvcount(value)) | rex max_match=0 field=header "(?P<header>\"[^\"]+\"|[^,]+)" | mvexpand value | rex max_match=0 field=value "(?P<value>\"[^\"]+\"|[^,]+)" | eval tuple=mvzip(header,value,"#####") | fields tuple | eval primarykey=md5(tostring(tuple)) | mvexpand tuple | rex field=tuple "^(?P<field>.*)#{5}(?P<value>.*)$" | eval field=trim(field,"\""), value=if(value=="NULL","",trim(value,"\"")) | fields primarykey field value | eval {field}=value | fields - name, field, value | stats values(*) as * by primarykey | fields - primarykey | rename tmp_* AS _* | fieldformat _time=if(isint(_time),strftime(_time, "%s"),_time) | foreach * [ eval <<FIELD>> = replace(replace(replace(replace(<<FIELD>>, "@@NewLine@@", " "), "@@CarriageReturn@@", ""), "@@DoubleQuote@@", "\""), "@@NULL@@", "NULL") ]   Arguments: server,lookup Validation Expression: $server$!="" AND $lookup$!="" Validation Error Message: You must provide a server and a lookup. You can then call it this way. | `remotelookup("server name", "lookup.csv")` If you want to sync a local lookup to match the lookup on another server you can do this in a report and set it to run on a schedule. | `remotelookup("server name", "lookup.csv")` | outputlookup lookup.csv One thing to note is that the server where the macro exists needs to have the remote server as a search peer so that it can access that server's REST API (Settings -> Distributed search -> Search peers). ... View more

So, I tried this and have a couple days worth of data. Here is the SPL I used. I have it running every morning at midnight and it pulls from a window of yesterday. | dbinspect index=* | stats max(rawSize) as rawSize, values(index) as index by bucketId | eval _time=now() | bin _time span=1d | stats sum(rawSize) as rawSize by _time, index | collect index="summary" I would expect day two to be larger than day one. Alas, it is not. It was in fact -83GB different. So, I'm not sure this method will work. : ( ... View more

Yeah, i had thought about the freezing buckets as well. I think if I ran it every day at midnight and set the time range to yesterday I shouldn't have to worry about frozen buckets. If the time range is small enough that it would never fall outside the frozenTimePeriodInSecs and so long as my search window stays the same for each run I think that would work. I could then collect that into a summary index. Then after I get a couple days worth of summaries I could start doing the delta to get the previous day's change in bytes. ... View more

Oh, I think I see what you are saying. I could potentially summarize the data every day and then subtract yesterday's bytes from todays bytes ... that might work. ... View more

Unfortunately, that won't work for getting me internal index bytes ingested per day as buckets can span multiple days. ... View more

No, I don't want license consumption. I already know how to get that using the above SPL. I'm looking for bytes ingested for the  internal indexes. ... View more

Yes, it would be nice if it watched the file and reloaded the config when the server file was updated. I think the only real option is to set up your process that updates the machine list to reload  the deploy-server  after the list is updated. ... View more

The regex for the encrypted password values needs to be updated. Encrypted vales can start with more that just $1$ now.  I've seen $1$, $7$, and $6$. I use \$[0-9]\$ for the regex ... Windows C:\Program Files\Splunk> Get-ChildItem -Recurse *.conf | Select-String -Pattern '\$[0-9]\$.' -List Linux find ./etc/ -type f -name "*.conf" -exec grep -iH "\$[0-9]\$." {} \; find ./etc/ -type f -name "*.conf" | xargs grep -iH "\$[0-9]\$."   ... View more

Yeah, unfortunately without getting into scripting it doesn't look like you can dynamically change the colors via configuration. ... View more

Does this meet your requirements? ... View more

Does this meet your requirements? ... View more

The body part was to bold the body of the table. The other CSS that @ITWhisperer was suggesting was also targeting the body of the table and not the head. ... View more

You're welcome. ... View more