05-21-2024 06:49 AM
Hi @niketn! The steps to move the lookup editor code into my own app worked great, thank you! In light mode, everything is working perfectly. However, for dashboards that are in dark mode, the editable lookup tables are being displayed as white text on a white background. Do you (or anyone else) have any tips on how to make the lookup editor tables display correctly in dark mode? Even just changing the background colour or text colour of the embedded editable lookup would be really helpful. Thank you so much for any help!
11-10-2023 08:26 AM
This topic is covered pretty well via the props/transforms settings as such:

transforms.conf

[mv_extract]
REGEX = \*\*\sRABAX\:\s(?<ABAPRABAX>.*)
MV_ADD = true
REPEAT_MATCH = true

reference: https://community.splunk.com/t5/Getting-Data-In/Multi-value-field-extraction-props-conf-transforms-conf/m-p/210426
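To make the effect of MV_ADD and REPEAT_MATCH concrete, here is an added example (not from the reply or from Splunk) that simulates the [mv_extract] stanza over a constructed two-line event, following the documented meaning of the two settings; the sample event text and the PCRE-to-Python group rewrite are my own additions.

```python
import re

# Constructed sample event (not from the post): an SAP-style message carrying two
# "** RABAX:" lines, the kind of input the [mv_extract] stanza is meant to handle.
SAMPLE_EVENT = (
    "2023-11-10 08:26:00 job=Z_LOAD status=aborted\n"
    "** RABAX: CONVT_NO_NUMBER in program ZREPORT\n"
    "** RABAX: DBIF_RSQL_SQL_ERROR in program ZLOADER\n"
)

# The settings of the [mv_extract] stanza quoted in the post.
STANZA = {
    "REGEX": r"\*\*\sRABAX\:\s(?<ABAPRABAX>.*)",
    "MV_ADD": "true",
    "REPEAT_MATCH": "true",
}


def pcre_to_python(pattern):
    """Splunk REGEX uses PCRE named groups (?<name>...); Python wants (?P<name>...)."""
    return re.sub(r"\(\?<(?P<n>\w+)>", r"(?P<\g<n>>", pattern)


def apply_transform(event, stanza):
    """Simulate the stanza: REPEAT_MATCH=true reruns the regex until it stops matching,
    MV_ADD=true appends each further match as another value of the field, and
    MV_ADD=false discards a value found for a field that already has one."""
    regex = re.compile(pcre_to_python(stanza["REGEX"]))
    repeat = stanza.get("REPEAT_MATCH", "false").lower() == "true"
    mv_add = stanza.get("MV_ADD", "false").lower() == "true"
    fields = {}
    matches = regex.finditer(event) if repeat else [regex.search(event)]
    for m in matches:
        if m is None:
            continue
        for name, value in m.groupdict().items():
            if name not in fields:
                fields[name] = [value]
            elif mv_add:
                fields[name].append(value)
    return fields


if __name__ == "__main__":
    print(apply_transform(SAMPLE_EVENT, STANZA))
```

Flipping either setting to false in STANZA shows why both are needed: without REPEAT_MATCH only the first line is examined, and without MV_ADD the second value is dropped.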
06-14-2023 08:39 AM
This one is pretty straightforward - keep in mind that the GET request will return in its response a Search ID (sid). You can then, in a few minutes, return the results of that SID by just visiting the link, such as:

https://<host>:8000/en-US/app/search/search?sid=1686664178.1739

If you would rather have the API pull the results back, send another GET to /<app>/jobs/<sid>/results like this - you can specify options such as output_mode and others:

curl -u admin:changeme \
  -k https://localhost:8089/servicesNS/admin/search/search/jobs/1423855196.339/results/ \
  --get -d output_mode=json -d count=5

official docs here: https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/ExportdatausingRESTAPI
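The same two-step flow (create a job, get back a sid, fetch that sid's results with output_mode and count) as a small standard-library client, added here as an example and not code from the reply or from Splunk; the host, namespace and credentials are placeholders, and unlike the curl -k in the reply it leaves TLS verification on.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed placeholders (not from the post): management port, namespace and credentials.
BASE = "https://localhost:8089"
NAMESPACE = "servicesNS/admin/search"


def parse_sid(body):
    """Extract the sid from the JSON body returned when a search job is created."""
    return json.loads(body)["sid"]


def results_url(base, namespace, sid, count=5):
    """Build the results endpoint URL from the post, with output_mode and count."""
    query = urllib.parse.urlencode({"output_mode": "json", "count": count})
    return "%s/%s/search/jobs/%s/results/?%s" % (base, namespace, urllib.parse.quote(sid), query)


def _call(url, auth, data=None):
    """HTTP helper: basic auth header, POST when data is given, GET otherwise."""
    req = urllib.request.Request(url, data=data)
    req.add_header("Authorization", "Basic " + base64.b64encode(auth.encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def run_search(base, namespace, auth, spl):
    """Create the job (POST search/jobs), poll until isDone, then GET its results."""
    body = urllib.parse.urlencode({"search": "search " + spl, "output_mode": "json"}).encode()
    sid = parse_sid(_call("%s/%s/search/jobs" % (base, namespace), auth, body))
    status_url = "%s/%s/search/jobs/%s?output_mode=json" % (base, namespace, urllib.parse.quote(sid))
    while not json.loads(_call(status_url, auth))["entry"][0]["content"]["isDone"]:
        time.sleep(2)
    return json.loads(_call(results_url(base, namespace, sid), auth))["results"]


if __name__ == "__main__":
    for row in run_search(BASE, NAMESPACE, "admin:changeme", "index=_internal | head 5"):
        print(row)
```

With Splunk's default self-signed certificate the verified connection will be refused; trust the instance's CA bundle (or pass an ssl context to urlopen) rather than disabling verification.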
05-22-2023 11:16 AM
Older question - but this still came up as a hit on my search results while trying to help another customer, so this might be useful here. You have to run (or let the splunk agent run and manage) the monitors and scripts responsible for monitoring exchange related logs.

To start - I would locally (like to your laptop) download the Add-On, https://splunkbase.splunk.com/app/3225

From there, explore the inputs.conf configurations available in the subdirectories. These define what is to be collected. If you notice, there are a ton of inputs available. These are set to OFF by default. Let's take a look at one of them under \TA-Windows-Exchange-IIS\default\inputs.conf

####Exchange Server Version 2010 - Start####
[monitor://C:\Program Files\Microsoft\Exchange Server\V14\Logging\Ews]
whitelist=\.log$|\.LOG$
sourcetype=MSWindows:2010EWS:IIS
queue=parsingQueue
index=msexchange
disabled=true
initCrcLength=8192

The monitor stanza is defining the location of the path - so in this case, the files are stored in that file path (...\logging\EWS). The whitelist/allowlist statement specifies that all files in that directory ending in .log or .LOG are to be allowed. The 'disabled' statement is currently set to false, as per the default. To get this working, copy this stanza to a /local/inputs.conf directory, change disabled to '=false' and deploy to the machine that is running exchange. You will need a UF, or Heavy Forwarder, or some other way of getting data to splunk indexers. Use a similar process for the many other inputs you have available. Do not turn on all inputs unless you really need them and have done capacity planning, as it can be a lot of volume.
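The "copy the stanza to local and flip disabled" step, scripted so that only explicitly chosen inputs get enabled (the volume caveat above): an added example, not code from the reply or from the add-on, that parses a constructed excerpt in the shape of the default inputs.conf; the second stanza and its path are made up to show selective enabling.

```python
import configparser

# Constructed excerpt (not the add-on's actual file) in the shape of
# TA-Windows-Exchange-IIS\default\inputs.conf: the EWS stanza quoted in the post
# plus a second, made-up stanza so that selective enabling can be shown.
EWS_STANZA = r"monitor://C:\Program Files\Microsoft\Exchange Server\V14\Logging\Ews"
OTHER_STANZA = r"monitor://C:\Example\Placeholder\Logging"
DEFAULT_INPUTS = r"""
####Exchange Server Version 2010 - Start####
[monitor://C:\Program Files\Microsoft\Exchange Server\V14\Logging\Ews]
whitelist=\.log$|\.LOG$
sourcetype=MSWindows:2010EWS:IIS
queue=parsingQueue
index=msexchange
disabled=true
initCrcLength=8192

[monitor://C:\Example\Placeholder\Logging]
whitelist=\.log$|\.LOG$
sourcetype=MSWindows:ExamplePlaceholder
index=msexchange
disabled=true
"""


def load_inputs(text):
    """Parse Splunk .conf text: keys stay case-sensitive and '$' is not interpolated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def disabled_monitors(text):
    """Stanzas that are still switched off, i.e. candidates for a local override."""
    cp = load_inputs(text)
    return [s for s in cp.sections() if cp[s].get("disabled", "false").lower() == "true"]


def build_local_inputs(default_text, enable):
    """Produce local/inputs.conf text: a copy of each selected stanza with disabled=false.
    Stanzas not listed in `enable` are omitted, so nothing is turned on by accident."""
    cp = load_inputs(default_text)
    missing = [s for s in enable if not cp.has_section(s)]
    if missing:
        raise KeyError("not present in default inputs.conf: %s" % missing)
    lines = []
    for stanza in enable:
        lines.append("[%s]" % stanza)
        for key, value in cp[stanza].items():
            lines.append("%s = %s" % (key, "false" if key == "disabled" else value))
        lines.append("")
    return "\n".join(lines)
```

Write the returned text to the add-on's local/inputs.conf on the forwarder; re-running disabled_monitors on that text is a quick check that exactly the intended stanzas were enabled.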
This is an older thread, but as I recently stumbled upon it and encountered some confusion, in the hopes it clarifies this topic a bit, here's my experience.

I've used the previously suggested search (i.e., including '| alert.track=1') and found that, as of this writing (Splunk 9.0.4), alert.track=1 seems to mean that the 'action' of 'Add to Triggered Alerts' is enabled for that particular alert, and because that specific 'Add to Triggered Alerts' action isn't available for Reports, one can conclude it is in fact an Alert. Conversely, though, alert.track=0 isn't exclusive to Reports, and an Alert can use other actions aside from 'Add to Triggered Alerts', like email/slack/etc., and in that case alert.track=0. In fact, that 'Add to Triggered Alerts' action isn't listed in the 'actions' field in the search results, only alert.track=1.

So to summarize: alert.action=1 does explicitly mean Alert, but alert.action=0 does not exclude it from being an Alert. Unsure if this functionality changed at some point in the years since this question was asked. Depending on one's interpretation of OP's question, the alert.track value may or may not be relevant. In any case, thanks to all who responded, as this has helped me a great deal in solving my own requirements.
11-15-2022 02:50 AM
| stats earliest(_time) AS Earliest_Time
| eval Earliest_Time=strftime(Earliest_Time,"%Y-%m-%d %H:%M:%S")

can be replaced by a simple

| stats earliest(_time) AS _time

Splunk formats _time by default, which allows you to avoid having to reformat the display of another field dedicated to time display.
09-01-2022 07:04 AM
Hi @dkeck, what is the use of move_policy = sinkhole? And in which scenario do we go for batch?
04-05-2021 01:54 AM
Just came along this old post, happy to give some karma to an old friend 😊
03-10-2020 01:48 PM
Another good place to look for bottlenecks is the monitoring console -> indexing -> performance -> indexing performance: deployment... then look for the queues at the 90th percentile and see how much they are utilized. These indexing queues will fill up and cause performance issues, which is a good place to start troubleshooting.
Next steps would be to see which sourcetypes are consuming the most resources and optimize them using props/transforms.
Additionally, alerting is triggered by your search heads, so make sure your SH resources are ok too; you can see them in a similar fashion in the monitoring console under search -> activity.
03-18-2020 02:10 AM
Thanks, that solves the problem I've been struggling with.
01-25-2019 08:48 AM
I can confirm - this is definitely the issue!! Thanks hayduk - I will escalate this as much as I can
-ali from Splunk PS