I had a similar thing happen. Mine was closed and I was told to post on Splunk Ideas. Here's the post in case anyone wants to upvote it: https://ideas.splunk.com/ideas/EID-I-854 Seems based on one reply that is was supposedly "under investigation" but that was 2 years ago and still seems to be an issue in 9.0.4. I'm the team member responsible for managing this type of thing for all of the teams who use our enterprise wide Splunk environment but do not have the access/permissions to use a lot of the solutions people are suggesting on this thread so it's still a bit frustrating that we have objects owned by users who left the company 4 years ago. ... View more

UPDATE: I have actually noticed that Data Models can't be reassigned either as they also don't show up here ... View more

The fix they recommended to me was to use the REST method. Our team does not want to use this since that is not ideal in a clustered environment. I can update this thread if anything comes from the bug investigation that was submitted.  Fingers crossed it gets updated in a future version because the UI method is so much more convenient 🤞 ... View more

That actually isn't true.... I can re-assign all other "non-search" objects from the "All configurations" page: props-extract (except for source based or ones with sourcetypes with colons.... see examples below) transforms-extract views transforms-lookup macros eventtypes fvtags fieldaliases workflow-actions The only thing missing completely is calculated fields which I cannot reassign from this UI which doesn't seem to make sense when we can reassign all other objects from the UI. I can reassign all other extracted fields and field transformations from the UI. The only ones that I cannot reassign are the ones that are source-based or are sourcetype based with a colon in the sourcetype name. Sourcetype example: Sourcetype: wineventlog:taskscheduler Name: WinEventLogTaskScheduler-EventCode103Message Regex: Task Scheduler failed to launch action \"(?P<FailedAction>[^\"]+)\" in instance \"\{(?P<FailedInstance>[^\"]+)\}\" of task \"(?P<Task>[^\"]+)\"\. Additional Data\: Error Value\: (?P<ErrorValue>[^\.]+)\.  Field Extraction Name: wineventlog:taskscheduler : EXTRACT-WinEventLogTaskScheduler-EventCode103Message ***Please note the colon in the sourcetype name Source example: ***I don't have a good source example that I would be able to post on here but for a fake example: Source: this/is/a/pretend/source.log Name: Destination Regex: ^\w+\s\d+\s\d{2}:\d{2}:\d{2}\s(?<dest>\S+) Field Extraction Name: source::this/is/a/pretend/source.log : EXTRACT-Destination ***Note that splunk adds the "source::" before the source.... I think the colons may be conflicting I don't know for sure that the colon is the issue since I don't know how Splunk does the reassignment behind the scenes but based on some extensive testing I've done in my own environment (running on 8.1.3) this seems to be a common denominator.... I do have a bug investigation open with support to look into this issue. ... View more

Hi yes, sorry I had put that in the question title but probably was not clear enough in my description. The problem I'm having with this is that I only really need this solution because some of these searches return "no results found" sometimes. Per the tenants request we would like to find a way to keep the dashboard uniform so that there is a table of 0's for example when there are no errors for the last 7 days for example.  I'd like it to show all 0's when there are no events but everything I've read leads me to believe there is no clean way to do this, especially with a timechart search. It seems the only way for there to be a table/visualization is if the search returns at least 1 result but that's exactly the issue I'm trying to solve if that helps explain what I'm trying to get at. ... View more

This didn't seem to work how I was expecting. I was hoping to get an empty timechart that uses the time range of the search to determine the dates. For this solution it seems you would have to hard code the dates. ... View more

@richgallowayThat was very helpful. I was able to find the element by going in to the developer tools, narrowing down to just one of the panels and then once I got down to the subtitle I clicked on it and it actually ends up displaying the exact syntax I can just copy and paste into the XML to override. Example answer for anyone who needs this: .dashboard-row .dashboard-panel .panel-head h3{ font-size: 20px !important; } Thank you so much!   ... View more

A little late to this but you could also try using the following for each table: <format type="color"> <colorPalette type="map">{"0":#DC4E41,"1":#53A051}</colorPalette> </format> Taking the "field=" specification off seems to apply it to the entire row by default. Hope this helps! ... View more