It looks like this particular example (Table with Data Bars) does not work for me. Is there anything particular I should check ? Is it a bug ? I'm using Splunk 8.2.1 and the latest Dashboard Examples app (8.2.2) ... View more

Our company policy requires an SSL private key to be encrypted. Unfortunately, my script is using the requests library which doesn't support this, as written in its documentation (feature request : https://github.com/psf/requests/issues/1573) There seems to be a workaround by using a custom adapater (https://github.com/m-click/requests_pkcs12) which is using pkcs12 package files (which contain both the certificate and the key  and can be encrypted). I've installed this adapter under "lib" in my app directory (and I added the line of code to my script to append this path to the library path). But this adapter is requiring the pyopenssl library (shipped with Splunk, installed in the python default library path) but this one, in turns, requires ndg.httpsclient.ssl_peer_verification (not shipped with Splunk!). So the adapter fails to load. So in the end 2 questions: 1) Is anybody having to use client-side SSL authentication to query an API and is using an encrypted key ? How to make it work ? 2) Is there a clean way to add ndg.httpsclient.ssl_peer_verification to the libraries available to splunk so that pyopenssl can be loaded ? I've tried to add it to my app's "lib" directory but it seems that pyopenssl can not find it (maybe it expects to find it in the "default" directory ?) ... View more

I'm building an app where Splunk is receiving a large number of IDs and a property that I will need to sum over time.  Let's take for instance a simple example: _time id amount 00:00 A 1 00:01 C 8 01:01 B 2 01:02 A 4   At 01:03, a user asks "What is the sum of amount per id, for each id you've seen in the last 15 minutes" ? Take into account this is a very limited example, but you will have millions of unique ids and a big event rate (hundreds of events per second). The expected answer is: A 5 B 2   The first reflex is something like this: "stats sum(amount) earliest=0 by id [ |search id ]" over the last hour. But it's not really scable since, over time, the first part of the query will need to sum a lot of events. Then the second thought was to add an intermediary summary index which is doing the sum(amount) over a small period of time (15 min) and keep the result. Yes, it's accelarating but after a year or so, I will still have performance / scalability issues. In the end, then only thing I need is to keep the last value "sum(amount)" per id and continue counting based on this value every time you receive a new event. That's why I'm wondering if we could use the kvstore to keep counting, everytime we see a record, we simply update the records with : key = id value = value(id) + amount Anyone having a similar experience with KV Store or having a similar issue ? ... View more