Hello - Curious if you ever found a solution for writing spunk results to snowflake?  Did you end up using DB Connect? Thx! ... View more

Thanks, a lot... Its working  🙂 🙂  ... View more

Your stats command is counting the events in the pipeline and creating stats events - try counting these stats events with the same by clause index = abc Environment = "PROD" ProcessName = "*" LogType = "*" TaskName = "*Main*" (LogLevel=ERROR OR LogLevel=FATAL) | bucket _time span=2h |stats count by _time TaskName |stats count by _time TaskName ... View more

This should work: | rex "(?<_raw>\"LogDate[^\}]*)" | rex field=_raw mode=sed "s/(\"|\\\\n)//g" | extract pairdelim="," kvdelim=":" ... View more

Karma and given, one more question from my end which can earn you more  https://community.splunk.com/t5/Splunk-Search/Help-with-extracting-JSON-fields/m-p/614290#M213452 ... View more

Hello, did you mange to fix this problem? I'm having the same problem. ... View more

hi, you can try to verify using license usage: index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" sourcetype=splunkd earliest=-7d@d latest=-6d@d | stats sum(b) as lic_7d | append [ search index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" sourcetype=splunkd earliest=-1d@d latest=-0d@d | stats sum(b) as lic_yesterday ] | stats values(*) as * | eval pct=round((lic_yesterday/lic_7d)*100)   license usage is also a good indicator for ingest - could be just misleading if you are doing a lot of metric conversion..  ... View more

Set the format to zeroes   ... View more

Yes, but not through the GUI. Edit the source and in the "drilldown" section add this:   <set token="SHOWSPLIT">SHOWSPLIT</set> <unset token="UNSHOWSPLIT"></unset> <unset token="form.UNSHOWSPLIT"></unset>   Then have your drilldown panel like this:   <panel depends="$SHOWSPLIT$">   Also have a control at the top to rehide it like this:   <input type="checkbox" token="UNSHOWSPLIT"> <label>Hide Drilldown Panel</label> <choice value="set">Hide it?</choice> <change> <condition value="set"> <unset token="SHOWSPLIT"></unset> </condition> </change> </input>     ... View more

Hi @SanjayReddy I tried it but it's not working as expected; When I gave depends it is showing the panel even if the output is zero and similarly when I use rejects panel/row is hiding even if the panel has values.   But in depends case its not coming up while processing the results but panels are showing up once the search is completed  Is it something related to drill down tokens ? that is breaking this functionality  OR  query should have Stats for sure to work on these post-processing search results    <row depends="$panel_show5$"> <panel> <single> <search> <query>| makeresults |eval bot="FARollforward Adhoc"|table bot</query> <earliest>$time_second_dashboard.earliest$</earliest> <latest>$time_second_dashboard.latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </single> </panel> <panel> <single> <title>Total Runs</title> <search> <query>QUERY|table tot_count</query> <earliest>$time_second_dashboard.earliest$</earliest> <latest>$time_second_dashboard.latest$</latest> <progress> <condition match=" 'job.resultCount' == 0"> <unset token="panel_show5"></unset> </condition> <condition> <set token="panel_show5">true</set> </condition> </progress> </search> <option name="colorMode">none</option> <option name="drilldown">none</option> </single> </panel> <panel> <single> <title>Process completed Successfully</title> <search> <query>QUERY |table tot_count</query> <earliest>$time_second_dashboard.earliest$</earliest> <latest>$time_second_dashboard.latest$</latest> </search> <option name="useColors">1</option> </single> </panel> </row> </form>     ... View more

It's working can you also help me with the code to hide the entire row in a dashboard if a certain panel has zero results found. Thanks ... View more

If you have access to the rest query searches, you can run against the alert title and the runduration. Or look at the _audit index (Provides the same information) - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rest  - https://community.splunk.com/t5/Splunk-Search/How-to-create-a-scheduled-job-time-to-find-the-run-time-of-each/m-p/454236  | rest /services/search/jobs | search title="Alert Name" | eval alert = if(runDuration>=300, "TRIGGER", "Normal") | search alert=TRIGGER ... View more

Hi @Herman, You can change it via GUI; Settings | Server settings  » General settings ... View more

Here is the fixed version which works on both single instance and multisite cluster with shc. | rest /services/authentication/users splunk_server=* | search title!=admin | table title roles | rename title as user | rename roles as title | search user=<YOUR USER ACCOUNT HERE / $env:user$ if run from dashboard> | mvexpand title | join type=left max=0 title [| rest /services/authorization/roles splunk_server=* | table title srchInd* | eval indexes=mvappend(srchIndexesAllowed,srchIndexesDefault) | table title indexes | mvexpand indexes | dedup title indexes | eval indexes_orig=indexes | join indexes max=0 type=left [| rest /services/data/indexes splunk_server=* | stats count by title | table title | eval indexes=if(match(title,"^_"),"_*","*") | rename title as indexes_new] | eval indexes=if(indexes_orig!=indexes_new,indexes_new, indexes_orig) | table title indexes | join indexes max=0 type=inner [| rest splunk_server=* /services/data/indexes-extended | fields title frozenTimePeriodInSecs | rename title as indexes]] | rename user as Username title as Role indexes as Index | dedup Index | eval retentionInDays=frozenTimePeriodInSecs/86400 | table Username Role Index retentionInDays If needed you could try to optimise with those splunk_server parts so that auth+user+role stuff will get from your SH side and indexes from your indexer sides. r. Ismo ... View more

Go to settings/server settings/server logging/  type in the search bar cachemanager  click on cachmanager and change your logging level to debug.  Search index=_internal component=cachemanager   This only works on the server that you just implemented it on. You can also change it in your $Splunk_Home/etc folder.  ... View more

Splunk obfuscates their dashboard code so I believe you'll not be able to "tweak" default.xml successfully. ... View more

Have you seen https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/Migratenon-clusteredindexerstoaclusteredenvironment ? ... View more

I don’t think so. If user has the write/modify capability then they can also delete. ... View more

@kranthimutyala Yes this should be Solved using Splunk's REST API and based on logged in User. Following is an old answer of mine on similar lines. https://community.splunk.com/t5/Dashboards-Visualizations/How-to-pass-a-dashboard-as-value-in-dropdown-of-another/td-p/327727 ... View more

Hi @kranthimutyala, are there fields in the eventtypes? if you run the search contained in eventtypes forcing the Verbose Mode, do you have results? maybe it's a Mode problem. if in Verbose Mode the search has results, move the fields contained in the eventtypes and the field MESSAGE_CLASS from Interesting Fileds in selected Fields and then run the same search in Smart Mode. If you have results, your dashboard should run. Ciao. Giuseppe ... View more