@SmeetsS , if you have a moment could you clarify this? I'm unfamiliar with using custom javascript in Splunk.  I have a bunch of dashboards with this issue in the default launcher app. I created a nopopup.js in etc/apps/launcher/appserver/static.  I then modified the dashboard statement in the source to: <dashboard version="1.1" theme="dark" script="nopopup.js"> But this doesn't seem to work.  Am i missing something? ... View more

Apologies for the delayed response, I was out of the office for a few days.  Your example does work, thank you! I must've had a typo or something initially. ... View more

I apologize if I'm being confusing. Let me try to explain it better.   This backup server backups databases.  I need to make sure none of the databases are on the same storage as the backup server.  Because if we lost that storage we would lose both our backups and the database. Here's the steps i'm trying to do with SPL. 1. Lookup what storage BackupServer is using with a search.  Something like a  index=servers server=backups | fields Storage 2. Make sure No Databases are using that Storage.  I do not know which storage the backup server will be on, it could move around. index=servers server=*Database* storage!=[Storagestringfromabove]   This is the search i've thrown together so far.  The only way I can think of to accomplish 1 & 2, is to output my backup storage to a lookup table, then look for a match. index=servers source=*vmdk* VM=*database*| fields Datastore VM | search [inputlookup backup_server.csv | fields Datastore] | table VM Datastore ... View more

When I try that I just get my BackupServer.  I shouldn't clarified, i'd like a search that only Shows me Database3 in the example dataset, but without knowing the Storage is "BackupStorage" to begin with.  I need to lookup the datastore of backupserver, then make sure none of the others are on there. ... View more

I have a nearly identical issue.   This gives me three hosts out of ~600. | tstats count where index=_internal by host   But this search returns 600 hosts, however it takes forever to run. index=_internal | stats count by host   ... View more

Any luck with this? I actually have the same issue. ... View more

My timezone is set to default system timezone. Looking at it now, it seems to primarily be one sourcetype mailog-too-small, but only on some hosts. The event has the correct time, but the actual event time is 4 hours ahead. ... View more

When I encounter this problem I'll typically set initCrCLength to something long like 4096. Sometimes, when really barely anything in a file changes yet I still want it ingested when its modified each day, i'll add a CHECK_METHOD = modtime to props.conf Hope that helps.     ... View more

Surprisingly when we had professional services out initially, this was a long and convoluted search. Ours essentially works like this:  A scheduled search writes all ldap assets to a lookup table. Something like this:   | localop | ldapsearch domain="default" search="(objectClass=computer)" attrs="sAMAccountName, distinguishedName, dNSHostName, managedBy" | rex max_match=5 field=distinguishedName "OU=(?<dn_parsed>[^,]+)" | eval category=lower(replace(mvjoin(dn_parsed, "|"), " ", "_")) | eval priority=case( match(category, "domain_controller|exchange|citrix"), "critical", match(category, "server|disabled"), "high", match(category, "workstation|desktop|mobile|laptop"), "medium", match(category, "staging|test"), "low", 1==1, "unknown" ) | eval is_expected=if(priority=="high" OR priority=="critical", "true", "false") | eval nt_host=replace(sAMAccountName, "\$", "") | rename dNSHostName AS dns managedBy AS owner | eval val2lookup = coalesce(dns, nt_host) | lookup dnslookup clienthost as val2lookup output clientip as ip | fillnull value="unknown" category, priority, bunit | table ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av | dedup nt_host | outputlookup ldap_assets     Another search then looks for all hosts in splunk and compares it to the lookup table above.    | tstats count where index=* OR index=_* NOT host=127.0.0.1 by host index | eval host=lower(host) | eval host=lower(case(match(host,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),host,match(host,"mydomain\.com$"),host,1==1,host.".mydomain.com")) | append [ | inputlookup ldap_assets | makemv delim="|" category | search category=servers | mvexpand category | eval dns=lower(case(dns=="localhost.localdomain",nt_host.".mydomain.com",1==1,dns)) | lookup dnslookup clientip as ip outputnew clienthost as dns | stats count by dns | fields - count | rename dns as host] | eval in_host_list=if(isnull(count),true(),null()),in_splunk=if(isnotnull(count),true(),null()) | append [|inputlookup manual_host_list.csv | fields host | eval in_host_list="True"] | stats values(*) as * by host | where isnull(in_host_list) OR isnull(in_splunk) | search in_host_list=true | eval splunk_data="No Data" | table host splunk_data     To me this is a pretty nasty solution to something that should be relatively simple.  I've honestly never spent the time to try and fully understand these searches.  They work for us, and they're a mess so i'll leave it be.   ... View more

If you're able to access the Linux box it sounds like you have ssh access from your Windows box.  You should be able to download the Splunk RHEL rpm from the splunk download site.  Then PSCP, SCP, or WINSCP it over to the linux box.  You can then yum localinstall like you would any other package. ... View more

Hey Andrew, on one of our subscriptions I did receive an error.  It was different than yours though, it seemed to be because I had the old Azure app and new Cloud services app running at the same time.  When I disabled the old input it began working. It then worked flawlessly for ~4 more event hub inputs.  I'm honestly not sure what your error would mean. ... View more

I have the exact same issue after transitioning from the Microsoft Azure Add-on for Splunk to Splunk Add-on for Microsoft Cloud Services.   The settings have changed slightly, but this worked just fine in the old Azure app. ... View more

For anyone who stumbles in the future Rich was right, but I think his example was not.  I did not need VM between search and not in the second search.  The final search was:     index=vcenter source=*tag* | dedup VM | fields VM | search NOT [search index=vcenter source=*tag* Category=Backup* | fields VM]     ... View more

Thanks Rich.  When I run the subsearch by itself with | format i do get a whole list of: (VM="VM1") OR (VM="VM2") OR (VM="VM3") I'm not following on where I have the extra VM in my subsearch though? ... View more

FWIW i had similar issues that went away after upgrading to the new version that supports 8.0. I'm assuming this had something to Python migration. ... View more

Splunk makes these apps, makes these migration mandates, then fails to do it themselves. ... View more

Thank you! This definitely got me on my way, i've got it working now. ... View more