HI @henryf ,   I assume you've run the boot-start command to generate the service file: ./splunk enable boot-start -user splunk -systemd-managed 1   You can check what the service name is by looking here: ls -l /etc/systemd/system   On my host it's called splunkd.service so I start splunk by running: systemctl start splunkd   Make sure you match the case and name with the service file.   Give that a go and see if it starts. There's more info in docs: https://docs.splunk.com/Documentation/Splunk/latest/Admin/RunSplunkassystemdservice   Cheers, Daniel ... View more

HI @ashvinpandey, There's probably a more efficient method, but this should get you started: | gentimes start=-5 ``` Generating data starts``` | eval_time=starttime, instance_list="instance_1;instance_2;instance_3;"| streamstats count as id | eval instance_list=if(id=5,"instance_1;instance_2", instance_list) | makemv instance_list delim=";" | makejson output=raw | rex mode=sed field=raw "s/instance_list\":\s+\"([^\"]+)\"/instance_list\":[\"\1\"]/" | table raw, _time | spath input=raw path=instance_list{} output="instance_list" ``` Generate data ends``` ``` Get the first and last entries by _time ``` | eventstats max(_time) as oldest, min(_time) as youngest | where _time=oldest OR _time=youngest | eval oldest_instance_list=if(_time=oldest,instance_list,null()), youngest_instance_list=if(_time=youngest,instance_list,null()) ``` split out the instance_list to see the individual lines ``` | mvexpand instance_list ``` Get the combined instance_lists and times ``` | eventstats values(youngest_instance_list) as youngest_instance_list, values(oldest_instance_list) as oldest_instance_list earliest(_time) as oldest_time, latest(_time) as youngest_time | stats count, values(youngest_instance_list) as youngest_instance_list, values(oldest_instance_list) as oldest_instance_list, values(oldest_time) as oldest_time, values(youngest_time) as youngest_time by instance_list ``` Any count of 1 means this instance_list was missing from either earliest or latest ``` | search count=1 ``` Combine the data to create a good message for the alert ``` | stats values(*) as * by count | nomv oldest_instance_list | nomv youngest_instance_list | nomv instance_list | eval youngest_time=strftime(youngest_time,"%Y-%m-%d"),oldest_time=strftime(oldest_time,"%Y-%m-%d") | eval message="There was a difference in snapshot: " + youngest_time + " [" + youngest_instance_list + "] vs " + oldest_time + " [" + oldest_instance_list + "] The following instance(s) were different: " + instance_list | table instance_list, message This search creates the json data at the top, then finds any difference between the most recent and oldest events. E.g. Earliest: instance_, instance_2, instance_3 Latest: instance_1, instance_2 Gives this result: It gives all the instances that were different, and a message for the alert. Cheers, Daniel     ... View more

Hi @super_saiyan,   You can update limits.conf to change the Show Source settings.  The docs mention that results are "pruned" so while you increase the limit, you may still not get an increase in events displayed. https://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Bshow_source.5D [show_source] distributed = <boolean> * Whether or not a distributed search is performed to get events from all servers and indexes. * Turning this off results in better performance for show source, but events will only come from the initial server and index. * Default: true distributed_search_limit = <unsigned integer> * The maximum number of events that are requested when performing a search for distributed show source. * As this is used for a larger search than the initial non-distributed show source, it is larger than max_count * Splunk software rarely returns anywhere near this number of results, as excess results are pruned. * The point is to ensure the distributed search captures the target event in an environment with many events. * Default: 30000 max_count = <integer> * Maximum number of events accessible by show_source. * The show source command will fail when more than this many events are in the same second as the requested event. * Default: 10000 max_timeafter = <timespan> * Maximum time after requested event to show. * Default: '1day' (86400 seconds) max_timebefore = <timespan> * Maximum time before requested event to show. * Default: '1day' (86400 seconds)   Cheers, Daniel ... View more

Hi @bamflpn, The peer-apps/xxx/local directory has higher precedence than etc/system/local on indexers. (see docs: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles#Precedence_within_global_context.2C_indexer_cluster_peers_only) To confirm the location of the setting that's overwriting your coldToFrozenPath, you can run btool on your indexers: ./splunk btool indexes list --debug | grep coldToFrozenPath   That should print out each line of all indexes.conf on the host that contribute to the final indexes config for the coldToFrozen option. Find the line that has the wrong value and that's the file that you should update.    If you want to delete the system/local/indexes.conf file you should first check what it's doing. To see what other config is being used from system/local/indexes.conf you can run: ./splunk btool indexes list --debug | grep system/local Any config that is listed will be applied to that indexer from the system/local/indexes.conf file. Either move the config to a peer-apps app, or just remove it if you don't need it.   Cheers, Daniel ... View more

Hi @POR160893,   I mocked up a similar dashboard and it looked fine in my browser when the window was maximised, but got the same bunched up look when the window was smaller. I played around with the CSS and got it looking ok no matter how small the window went. Here's what I ended up with: <row depends="$CSS$"><html><sytle> .singlevalue{width:10%!important;} .splunk-single, .svg-container{width: 100%!important;min-width:auto!important;;} .dashboard-row .dashboard-panel .panel-element-row div.single { min-width:auto;} rect{width: 100%!important;} </style> </html> </row> Note I set the single value width to 10% because there are 10 panels (100% / 10 = 10%) Give it a go and see how you get on.   Cheers, Daniel ... View more

Hi @sizemorejm, On Simple XML dashboards (aka Classic Dashboards) you can do that by using tokens. When you set a token, you can make panels or rows show, or make searches run. To make it show when the token exists use this: <row depends="$token$">  There's more info on docs here: https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/Viz/tokens#Access_tokens_to_show_or_hide_user_interface_components   Here's a sample dashboard with 4 tabs that show based on which button you click: <form version="1.1"> <label>Tabbed Dashboard</label> <description>https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Dashboard/m-p/646374#M52808</description> <fieldset submitButton="false"> <input type="link" token="page" searchWhenChanged="true" id="tab_menu"> <label></label> <choice value="Tab 1">Tab 1</choice> <choice value="Tab 2">Tab 2</choice> <choice value="Tab 3">Tab 3</choice> <choice value="Tab 4">Tab 4</choice> <change> <condition value="Tab 1"><set token="show_tab_1">true</set><unset token="show_tab_2"></unset><unset token="show_tab_3"></unset><unset token="show_tab_4"></unset></condition> <condition value="Tab 2"><set token="show_tab_2">true</set><unset token="show_tab_1"></unset><unset token="show_tab_3"></unset><unset token="show_tab_4"></unset></condition> <condition value="Tab 3"><set token="show_tab_3">true</set><unset token="show_tab_1"></unset><unset token="show_tab_2"></unset><unset token="show_tab_4"></unset></condition> <condition value="Tab 4"><set token="show_tab_4">true</set><unset token="show_tab_1"></unset><unset token="show_tab_2"></unset><unset token="show_tab_3"></unset></condition> </change> </input> </fieldset> <row depends="$show_tab_1$"> <panel> <title>Tab 1</title> <table> <search> <query>| makeresults | eval title="Page 1"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> <row depends="$show_tab_2$"> <panel> <title>Tab 2</title> <table> <search> <query>| makeresults | eval title="Tab 2"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> <row depends="$show_tab_3$"> <panel> <title>Tab 3</title> <table> <search> <query>| makeresults | eval title="Tab 3"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> <row depends="$show_tab_4$"> <panel> <title>Tab 4</title> <table> <search> <query>| makeresults | eval title="Tab 4"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> <row depends="$CSS_ONLY$"><html><style> #tab_menu { width: fit-content!important; } div#tab_menu button{ height: 38px!important; border: 1px solid #cccccc; min-width: 100px; /* background-color:#ffffff; */ width: auto; padding: 10px; margin-right: 8px; color: #333333; height: 55px; border-radius:7px; font-size: 16px; } div#tab_menu button[aria-checked="true"]{background-color:#006eaa!important;color:white!important;} </style></html></row> </form> Cheers, Daniel ... View more

Hi @DS904458,   Depending on how you want to use the list of numbers, you may be able to use a macro. E.g. this search: index=_internal sourcetype=splunkd | eval list= `generate_list(50,10,7)` | makemv list delim=" " | table _time, sourcetype, list Returns a list of 7 numbers from 10 to 50 : The macro definition is: [generate_list(3)] args = max,min,length definition = [|makeresults count=$length$\ | streamstats count as id\ |eval value=if(id=1,$min$, round($min$ + (id-1) * (($max$ - $min$) / ($length$ - 1)),1))\ | stats list(value) as value\ | nomv value\ | eval value="\"" . value . "\""\ | return $value] errormsg = Please only enter numbers for: Max, Min, Length. iseval = 0 validation = tonumber(max) >0 AND tonumber(min) >-1 AND tonumber(length) >0   It could also be used as the search for a dropdown on a dashboard, e.g.: | makeresults | eval list=`generate_list(50,10,7)` | makemv list delim=" " | mvexpand list | table list Does that help? Cheers, Daniel   ... View more

Hi @McMac84, Running searches are all logged to the _audit index - you can get details on cancelled searches there:   index=_audit action=search info IN("cancel","cancelled") | timechart span=15m count by user limit=15   I believe "cancel" is system-cancelled, and "cancelled" is user-cancelled, but that's just my guess based on this docs page. Cheers, Daniel   ... View more

Hi @Hadas  I've published a new version of the app since your post - try upgrading to the latest version to see if your issue is resolved. https://splunkbase.splunk.com/app/4438   Cheers, Daniel   ... View more

Hi @gabriel_vasseur  You can achieve this in JavaScript - the following will test to see if the theme is dark mode or not, and use that to determine which CSS to dynamically load. Here's the Javascript&colon; require(['jquery', 'api/SplunkVisualizationUtils'], function($, vizUtils) { // Splunk Answers: https://community.splunk.com/t5/Building-for-the-Splunk-Platform/Different-custom-CSS-depending-on-dark-VS-light-mode/m-p/631551#M10940 var isSplunkDarkMode = false; function addCss(fileName) { var link = $("<link />",{rel: "stylesheet", type: "text/css", href: fileName}) $('head').append(link); } if (typeof vizUtils.getCurrentTheme === "function") { // safe to use the function isSplunkDarkMode = (vizUtils.getCurrentTheme()=="dark"); }else{ //version 6.x, 7.0 isSplunkDarkMode = false; } //Update to point to your app / stylesheets here: var stylesheet = (isSplunkDarkMode) ? "/static/app/search/dark.css" : "/static/app/search/light.css" addCss(stylesheet); }); You need to update the links to point to your stylesheets as this one assumes they are in the search app. Create the files in $SPLUNK_HOME/etc/apps/<appname>/appserver/static/ Then update the app name above changing "search" to the actual app name. Cheers, Daniel ... View more

Hi @eholz1, You can try the small/medium/large trellis sizing to see if they give you enough white space between the blocks. If not, you can try tweaking the CSS: <row depends="$CSS_ONLY$"> <html><style> div.viz-facet-size-medium{border:1px solid blue;margin-right: 65px;margin-bottom:65px;} </style></html> </row>   The above makes my medium panels look like this: The blue outline is just to help visualize how big the gaps are. Tweaking the margin to 5px gives: The different CSS classes to tweak are: div.viz-facet-size-small{margin: 0px 15px 15px 0px;} div.viz-facet-size-medium{margin: 0px 15px 15px 0px;} div.viz-facet-size-large{margin: 0px 15px 15px 0px;} Cheers, Daniel ... View more

Hi @sai_krishna, Try this: <fieldset submitButton="false"> <input type="dropdown" token="reportingDayA"> <label>Reporting Day Misra apu</label> <fieldForLabel>readableDateA</fieldForLabel> <fieldForValue>epochA</fieldForValue> <search> <query>| tstats count where index=_internal by _time span=1d | eval readableDateA=strftime(_time,"%F") | eval epochA=strftime(_time,"%s") | dedup readableDateA | sort - _time ``` get latest and call it "latest" ``` | eventstats max(epochA) as latest | eval readableDateA=if(epochA=latest,"Latest",readableDateA) </query> <earliest>-7d@d</earliest> <latest>now</latest> </search> <selectFirstChoice>true</selectFirstChoice> </input> </fieldset>   The search will get all the dates, and label the most recent one "Latest".  Due to the way the list is sorted, this entry is the first one in the list. We can use that to our advantage by using the selectFirstChoice option for the dropdown - that makes the first entry in the list selected. Here it is in a dashboard: <form version="1.1" theme="light"> <label>Answers</label> <fieldset submitButton="false"> <input type="dropdown" token="reportingDayA"> <label>Reporting Day Misra apu</label> <fieldForLabel>readableDateA</fieldForLabel> <fieldForValue>epochA</fieldForValue> <search> <query>| tstats count where index=_internal by _time span=1d | eval readableDateA=strftime(_time,"%F") | eval epochA=strftime(_time,"%s") | dedup readableDateA | sort - _time | eventstats max(epochA) as latest | eval readableDateA=if(epochA=latest,"Latest",readableDateA) </query> <earliest>-7d@d</earliest> <latest>now</latest> </search> <selectFirstChoice>true</selectFirstChoice> </input> </fieldset> <row> <html> <h1>You selected: $reportingDayA$</h1> </html> </row> </form> Cheers, Daniel ... View more

Hi @mayurr98, I tried out a new props that looks like it's getting the fields to ingest correctly -  transforms.conf [cs_srctype] CLEAN_KEYS = 0 DELIMS = , FIELDS = action,category,dest,file_name,file_path,severity,severity_id,signature,signature_id,vendor_product props.conf [cs_srctype] KV_MODE = none REPORT-cs_srctype = cs_srctype SEDCMD=s/^((?:[^,]+,){4}[^,]+)(?<=\\),/\1\\,/ I've only added one additional line in the props - a sedcmd to add an escape to any trailing slash in the file_path segment. With that config set up, the data is ingested with the correct vendor_product field: Cheers, Daniel   ... View more

Hi @justanothersplu, I think Bin has just the feature you're looking for: aligntime You can pass aligntime the following: earliest - snap to the earliest time (down to the second), and let everything bin off that latest - similarly, snap to the latest time <time-specifier> This is what you'll need: set it to @m to snap to the current time to the minute See docs: Bin Try running this: index=_internal | bin _time span=60m aligntime=@m All the bins will snap to the current minute, and go back in 60m increments. Note - this won't work if you set your search time range to end some time in the past, but will work if you only want to snap to the current clock time. To be able to get buckets to snap to the minute based on your search time and not the clock time, you could try something monstrous like: index=_internal | bin _time span=60m [ | makeresults | addinfo | eval aligntime=strptime(strftime(info_max_time,"%Y-%m-%d %H:%M:00"),"%Y-%m-%d %H:%M:%S") | table aligntime | return aligntime ] I don't recommend it, but this search will calculate the latest search time to the minute, and use it to add to the bin command.  I think the first option will suit your needs best. cheers, Daniel ... View more

Hi @Tincho , It can be a bit of a pain creating regexes inside quotes, because you have to escape characters for the string, and escape characters for regex - meaning you double up on escaping characters. Here's a search that takes domain\\\\user and converts it to domain\user in a couple of different ways: | makeresults| eval user_name="DOMAIN\\\\\\\\USER" ``` Using replace - escaping multiple times ``` | eval user_name_replace=replace(user_name, "\\\\\\\\\\\\\\\\","\\") ``` Using sed ``` | eval user_name_sed = user_name | rex field=user_name_sed mode=sed "s/\\\\{4}/\\\\/" ``` Using rex to create a domain field, and user field, then combining them ``` | rex field=user_name "^(?<domain>[^\\\\]+)\\\\+(?<user>.+)$" | eval user_name_regex = domain . "\\" . user ``` output the results ``` | table user_name, user_name_replace,user_name_sed, user_name_regex That results in : Cheers, Daniel ... View more

Hi @DaDave , Here's a way to get the labels and values tokens in a multiselect. We will encode the key/values into the value field, and use conditional tags to extract the keys for the keys token and the values for the values token. Here's the dashboard code: <form version="1.1"> <label>Test</label> <fieldset submitButton="false" autoRun="true"> <input type="multiselect" token="input" searchWhenChanged="true"> <choice value="A|1">1</choice> <choice value="B|2">2</choice> <choice value="C|3">3</choice> <change> <condition match="isnull($input$)"> <unset token="selectedLabel"></unset> <unset token="selectedValue"></unset> </condition> <condition> <eval token="selectedLabel">replace($input$,"[a-zA-Z][|]","")</eval> <eval token="selectedValue">replace($input$,"[|][0-9]","")</eval> </condition> </change> </input> <input type="radio" searchWhenChanged="true"> <label>$selectedLabel$</label> </input> <input type="radio" searchWhenChanged="true"> <label>$selectedValue$</label> </input> </fieldset> <row><html> <table border="1"><tr><th>Value</th><th>Label</th></tr> <tr><td>$selectedValue$</td><td>$selectedLabel$</td></tr></table> </html><   I've updated the values in the multiselect to be in the format: value|key Then when the multiselect changes we extract everything before the | for the value, and everything after the | for the key. The replace regex will be a bit more complicated when you use actual data - but the general solution should work.   Cheers Spav ... View more