Yes, You can do like that ... View more

Hi @anooshac    If my understanding is correct, then you can try this. In static option, Task1_all --- "Task1_a" OR "Task1_b" OR "Task1_c" Task2_all --- "Task2_a" OR "Task2_b" OR "Task2_c"   My Simulation Current Values in the dropdown   I tried to combine splunk_web_access and splunk_web_service as Splunk_web I used, Splunk_web --- "splunk_web_access" OR "splunk_web_service"   This is working for me!!!   Regards         ... View more

Yes, it is right ... View more

Hi @djreschke    This is based on the default timezone of the Splunk server. The time zone can be changed based on the steps in the link below.   Set your time zone Choose the time zone in which you view events, anomalies, and threats. Select your username from the menu. Click Profile. Select Preferences. Select a Time Zone of UTC or Local. The local time zone is detected based on your web browser settings. Click OK to save.  Reference Link: https://docs.splunk.com/Documentation/UBA/5.0.5/User/Profile   Regards ... View more

Hi @michaelnorup  Based on my understanding, the regex you are using is matching all the events. So you need to use any unique value in the regex. Ex. Eventcode.   Else you can disable this input [WinEventLog:Microsoft-Windows-Powershell/Operational] disabled = 1 ... View more

You can do that by doing 2 changes, 1. Using the dedup command to remove the duplicates. 2. Reduce the Time range of the search.   Regards ... View more

Hi @jagdipSingh    Please try this [monitor://C:\logdir\*\*\Katre\log\*]   [monitor://C:\logdir\...\...\Katre\log\*]   Regards ... View more

Hi @ND    Based on my understanding, You have to run the search in the dynamic option in multiselect filter as shown below. If the search is completed, then the results will start populating if you start typing "spl" then it will show the partial matches in the dropdown as shown below.     Regards ... View more

Hi @ikrainovic    This might help you, https://community.splunk.com/t5/Splunk-Search/List-of-Serverclass-and-apps-in-deployment-server/m-p/540084 ... View more

Hi @Wim    The dashboard will run the search in the indexer, that is the data transferred to the Splunk indexer from the agent. But there will be some data transfer from the Splunk Enterprise to the Agent (UF).  The will be some instructions send from Splunk to the agent via 8089 port.  Apart from this, there will not be any downstream packet transfer between this two.   Regards, ... View more

Hi @mxanareckless    The following are some of the scenarios where this issue can arise.  1. Check the permissions for the index and the dashboard with the User. 2. Check the Scheduled report's permission (Private, App, system). 3. Increase the priority of the Email alert.   ... View more

Hi @Linze99    You can use the "delimiter" (colon) for the field extraction process. ... View more

Hi @aasabatini    This is happening due to a lack of resources. Please increase the machine's RAM and CPU and try again. It will work... ... View more

Try this,   index="123" OR index="456" (team=green OR  team=blue) ID=123*   ... View more

Hi @alanhodreamshub    You have to include the lookup life in the search for mapping the id and name. Try this one Search: index=myidx type=groups | lookup groups.csv groupid OUTPUT groupname | table _time groupid groupname ... View more

Hi @sanjum01  You can hide the Legends by using the following parameter. <option name="charting.legend.placement">none</option> But the drill-down is enabled. Without clicking the value there is no point in using the drill-down. If there is more info regarding the requirement, it will be better to sort it out. ... View more

Hi @PPrice    As per my understanding, You can use "mvexpand" and "dedup" commands in search to get unique results in rows. I tried this,   Thanks.. ... View more

Hi @Mary666    As per my understanding, you can use the field name and the value with the starting common character with a wildcard.   Source: 1 field:SerialId value: 123* Source:  2 field: SerialId value: 123* This will fetch the common values from that fields.   Example Screenprint:   Thanks   ... View more

Hi @adetheodore  In Splunk Enterprise, you can use the "Splunk App for Infrastructure" for Windows Monitoring.  APP URL: https://splunkbase.splunk.com/app/3975/ Installation Reference: https://docs.splunk.com/Documentation/InfraApp/2.2.4/Install/Install If you are monitoring the local machine, then the "Monitoring Console" will provide the necessary details about the local machine metrics. Reference: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2109/Data/MonitorWindowsperformance#Enable_local_Windows_performance_monitoring   Thanks ... View more

Hi @vagnet    This is working for me.   ... View more

Hi Vagnet   You can try this @vagnet ,   | from datamodel:"Authentication"."Insecure_Authentication" | search "*Failure*" | rex field=_raw  "Failure\sReason:\t\t(?<Failure_Reason>.*)\n" ... View more

| makeresults | eval mv_string = "a,b,c,d" | eval mv_ascending = split(mv_string, ",") | mvexpand mv_ascending | sort - mv_ascending | table _time mv_ascending ... View more

Hi Ejwade   You can try this, | makeresults | eval mv_string = "a,b,c,d" | eval mv_ascending = split(mv_string, ",") | mvexpand mv_ascending | sort - mv_ascending | mvcombine mv_ascending   ... View more