About eholz1

eholz1 · ‎08-12-2025

To all that responded to my post, "Thank you So Much" It has been a while since I have looked into using Dashboard Studio (like 3+ years!) and the solutions posted here are excellent and very helpful to me. Thanks Again, eholz1 - a little smarter now!

eholz1 · ‎07-28-2025

Hello PickleRick, I now know what you mean, the demo link using "| makeresults" fails. Lucky for me the html I use seems OK, and I do get the display of the table and the data iin the html code/file, thanks for the TIP. @eholz1

Abass42 · ‎02-07-2025

This is exactly what I was looking for. Really nice doc linked. Thanks

Seawheels51 · ‎12-13-2024

Thank you, it worked for me

eholz1 · ‎06-12-2024

Hello deepakc, Thank you very much for this information. This forum is great. Kudos to you for helping me understanding the "internals" of Splunk, eholz1

vr2312 · ‎06-10-2024

So this apps works with the conjunction of the saved Search. Risk Factors - Lookup Gen -check if the search is running as expected and see if the lookup contents are being populated. Also, for the visualizations to be populated, you would need to install the following 2 apps * Treemap: https://splunkbase.splunk.com/app/3118 * SanKey: https://splunkbase.splunk.com/app/3112

eholz1 · ‎06-10-2024

Hello and Thanks, It looks like this app, desires to store data in some sort of "cloud" based storage. Is this correct? The data I have cannot be anywhere but on a private LAN. I am not sure how to use this app, is there a posting or source of instructions on how to use this SplukBase app? Thanks for the reply, ewholz

eholz1 · ‎05-16-2024

Hello, Thanks for the reply. It works, sort of... The "dark" theme truns everything dark. It was my hope to have just the Apps panel be dark. I will guess the new version of Splunk over-writes a css file for the web interface. I have an older version of Splunk running, I will see if I can find the css file. Thanks again for the reply. Eric W.

eholz1 · ‎01-16-2024

Hello There, I have installed Splunk DB Connect and all its requirements on ver 9.0 This works pretty well for queries either in Search or in SQL Exploereer. I want to use a stored procedure to return data using DB Connect. The procedure works fine in SQL Exploereer, and from the MySQL commang line. If I try to call the procedure from Splunk Search - I get no results I am using this format: dbxquery connection=myconn procedure="{call my_nice_proc(@val);}" this should return a text string, or a table of results if the query/procedure retuns 1 or more rows.. Any ideas on what I am missing? thanks, eholz1

dtburrows3 · ‎12-20-2023

Oh okay I just assumed it was a Splunk lookup. So if you are indexing the data from a CSV then you can probably do something like this (assuming field extractions are in place) index=<index> sourcetype=<sourcetype> | table [ | makeresults | fields - _time | eval ID=[ | search index=<index> sourcetype=<sourcetype> | stats latest(ID) as ID | return $ID ], field_list_id_zero="NAME,STATUS,DATE,ACTION", field_list_id_positive="DATE-Changed,ID,NAME,DATE_DOWN,ACTION", final_field_list=if( 'ID'==0, 'field_list_id_zero', 'field_list_id_positive' ) | fields + final_field_list | return $final_field_list ] where <index> and <sourcetype> is where your CSV is being indexed.

eholz1 · ‎12-20-2023

Hello Members and richgallowy, Thanks for the tip. It has been a while since I have needed to apply my limited "Splunk" skills, I appreciate this suggestion, and will try it out;. Regards, EWHolz

eholz1 · ‎12-05-2023

Hello Members, I would like to import/show data in a splunk dashboard. This data is results from a mysql query run by php to create an html page with the results in an html table. Most likely the easiest way to do this would be to write the data to a csv file, and use splunk forwarder to send the data to splunk. The data needs to be checked once a day. I was wondering if there is a way to build a dashboard from the data via the splunk REST api, or import/forward the html page that get created from the mysql query. The query is run on a remote server. I looked at the splunk-sdk-python but its implementation is not user friendly - it requires docker, which I cannot get running for some reason. I am open to any and all suggestions. thanks eholz

eholz1 · ‎09-06-2023

Hello All, I am using maps+ with some success. I have one question, is there a way to zoom back to a set zoom point (like 3 or 4) after a default zoom in on a cluster? I am using maps+ to show up or down network devices. The cluster shows, say 2 devices at a given lat/log, zooms in quite a lot. I am using a map of the US, more or less centered in the window., but after the zoom-in, I have to backout using the "-" icon. It would be nice if maps+ had the zoom bck feature of the legacy map using geostats, etc. Thanks eholz1

eholz1 · ‎08-31-2023

Hello All, I am hoping for some guidance here. I am using Maps+. It seems to be a decent application. There are two things I want to do, ans so far no joy. 1. I want to be able to change the color of the cluster circle. 2. I want to be able to "un-zoom" back to initial state after clicking on a cluster circle. My map show routers and switches, by lat/long that are UP or DOWN. I have no issues with markerType or color or icon style. I would like to change the cluster circle color for devices that are "down". Can I do this? or do I have to use a legacy map type. thanks so much, eholz

eholz1 · ‎08-28-2023

Hello All, I have seen this post (which is helpful) "How to get the on click marker gauge redirect to a dashboard?" I would like to run a search instead of setting a variable on a panel. Is this possible? The javascript writes the value to a $toke$ variable on a second panel. I would like to run a search - the filler gauge does not have an option for a drilldown. Yes - the easy way is to just click the search magnify glass. Thanks, eholz1

eholz1 · ‎08-10-2023

Hello All, I have created a filler gauge for a count of events. I would like to not see the scale on the right side of the gauge, or change the major units to show just 100s. Is this possible - see image below: I have searched to see if I can change this, but have not yet found the answer, thanks as always, eholz1

eholz1 · ‎08-04-2023

Hello richgalloway, Thanks for the reply. At least I know my "logic" is correct! Thanks for the reply, and even answers to my previous posts. I will try your suggested search. The community is a valuable resource. eholz1

eholz1 · ‎08-01-2023

Hello All, This post is interesting. I am trying to get a count and/or a list of users currently logged on on an ASA. I see that the time range is critical. I see where message 113004 is logins, and messages 113019,716002, and 722023 are logouts of some sort. I thought (this now seems not correct) that if I subtract the logouts from the log ins - say for the last 24 hours, I would get current users. No dice. So I must be missing something. If I enable the Splunk TA plugin for Cisco ASA, will I be able to get a count or listing or both of users logged in? Thanks for a great source of information, eholz1 -Spunk and ASA user

eholz1 · ‎07-28-2023

Hello, and Thank you This is what I need. Again I thank you for the information. Eholz1

danspav · ‎06-05-2023

Hi @eholz1, You can try the small/medium/large trellis sizing to see if they give you enough white space between the blocks. If not, you can try tweaking the CSS: <row depends="$CSS_ONLY$"> <html><style> div.viz-facet-size-medium{border:1px solid blue;margin-right: 65px;margin-bottom:65px;} </style></html> </row> The above makes my medium panels look like this: The blue outline is just to help visualize how big the gaps are. Tweaking the margin to 5px gives: The different CSS classes to tweak are: div.viz-facet-size-small{margin: 0px 15px 15px 0px;} div.viz-facet-size-medium{margin: 0px 15px 15px 0px;} div.viz-facet-size-large{margin: 0px 15px 15px 0px;} Cheers, Daniel

eholz1 · ‎04-01-2023

got it at last, from another post, use <a href tags, thanks all, eholz1

eholz1 · ‎03-17-2023

Wow, Thanks again for the input. I appreciate it. I will review, and figure out what would be nice to use. thanks for taking the time to do this. eholz1

eholz1 · ‎03-08-2023

Hello Members, This is a great source of information and help. I am using the Splunk Add on for Squid Proxy. I am getting data from the squid access log in the recommended splunk format. The dashboard that comes with the install is find. I am creating another dashboard based on that dashboard. I am monitoring bytes_in, bytes_out, and bytes. It seems that the Splunk search for bytes is the total of bytes_in and bytes_out. I am using a search that returns the sum of bytes_out using | status sum(bytes_out) for all src_ips. like this: index=squid | stats sum(bytes_out) as TotalBytes | eval gigabytes=TotalBytes/1024/1024/1024 | table gigabytes I do the same thing for "bytes" Is there some way I can create a visualization, using a single value viz, so I can show bytes per time? Like x bytes / hour, maybe even one of those gauges? I would like to use a time picker with this as well - or a selectable span, etc Would the "timechart" allow me to do this? Thanks so much, eholz1

eholz1 · ‎03-06-2023

This is excellent, thanks so much. Great forum!!

eholz1 · ‎03-01-2023

Thanks for the reply, I see there is quite a lot of things that can be searched. I also see time is a factor as well. I would like to be able to check, for a specific src_ip, assuming the user is doing a download - to sum the process, bytes_in, I would guess, and TCP breaks the total download into smaller pieces, etc. So I should be able to get the time of the download, and the total amount of bytes downloaded. Does that make sense, Thanks again, eholz1

Posts	157
Solutions	2
Karma Given	59
Karma Received	6
Member Since	‎03-25-2019

Online Status	Offline
Date Last Visited	‎08-12-2025 08:23 AM

Set color in table header with dashboard

Display received html file on dashboard

Splunk Enterprise - how does it detect IOWAIT warn...

Configure and Use Enterprise Security Configuratio...

IOWAIT Mystery - What is it? Is it important?

KVStore process will not start

Apps panel, left side of window - Splunk ver 9.2.1

Stored procedure fails to run Splunk DB connect

Change table columns based on field value

Challenge with splunk forwarder and csv file

Re: Set color in table header with dashboard

Re: Display received html file on dashboard

Re: In dashboard studio, how do I change time form...

Re: Why is KV Store certificate renewal not workin...

Re: Splunk Enterprise - how does it detect IOWAIT ...

Re: Configure and Use Enterprise Security Configur...

Re: IOWAIT Mystery - What is it? Is it important?

Re: Apps panel, left side of window - Splunk ver 9...

Stored procedure fails to run Splunk DB connect

Re: Change table columns based on field value

Re: Challenge with splunk forwarder and csv file

Suggestions Please: REST Api, csv,html

Zoom back or out using maps+

Using Splunkbase Maps+

How to run a search from a filler gauge on-click e...

How to hide or change scale values on right side o...

Re: Searching Cisco ASA sourcetype in Splunk

Re: Cisco ASA Anyconnect Login stats

Re: Create splunk chart from seach with totals ove...

Re: How to Add padding between trellis single valu...

Re: Navigate from dashboard in one app to another ...

Re: Single Value, trellis, and search

Is there a way to create a Squid proxy visualizati...

Re: Use css or html style tags in splunk status in...

Re: Squid Proxy bytes_in,bytes_out, and bytes- Can...

Join the Conversation