Have a look at http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro#About_token_replacement_in_custom_alert_actions ... View more

I think that is not possible with Eventgen. Here is what I did to generate events like they would appear in reality: created a CSV file containing real events (e.g. by searching for events already in Splunk, reordering and then exporting to CSV) with colums "_time", "_raw", "host", "index", "sourcetype" created a modular input like described here: http://dev.splunk.com/view/python-sdk/SP-CAAAER3 at the bottom you find the implementation of my replay script configured an input of that modular input and point it to the CSV file you created The script replays / regenerates events like they appeared in time before by making sure the time span between events is the same but the time of each generated event is set to "now". import sys import os import csv import datetime import time from splunklib.modularinput import * class Replay(Script): def get_scheme(self): scheme = Scheme("CSV Replay") scheme.description = "Replay events in CSV file using the current timestamp" scheme.use_external_validation = True scheme.use_single_instance = False path_argument = Argument("path") path_argument.data_type = Argument.data_type_string path_argument.description = "Path to the file containing the samples." path_argument.required_on_create = True scheme.add_argument(path_argument) return scheme def validate_input(self, validation_definition): path = validation_definition.parameters["path"] if not os.path.isfile(path): raise ValueError("File at path '%s' does not exist."%path) def stream_events(self, inputs, ew): for input_name, input_item in inputs.inputs.iteritems(): path = input_item["path"] last_summary_time = time.time() generated_events_since_last_summary = 0 ew.log("INFO","start generating events") while True: ew.log("INFO","begin reading from file %s" % path) with open(path, 'r') as f: reader = csv.DictReader(f) last_event_time = None last_event_yield_time = None for row in reader: # 2014-05-01 08:00:00.000 CEST event_time = datetime.datetime.strptime(row["_time"], "%Y-%m-%d %H:%M:%S.%f %Z") if last_event_time is None: last_event_time = event_time event_time_difference = (event_time - last_event_time).total_seconds() now = time.time() if last_event_yield_time is None: last_event_yield_time = now event_yield_time = last_event_yield_time + event_time_difference yield_time_difference = max(event_yield_time - now,0.0) #ew.log("INFO","event_time_difference=%.3f event_time=%s yield_time_difference=%.3f" % (event_time_difference,event_time,yield_time_difference)) time.sleep(yield_time_difference) last_event_yield_time = now = time.time() last_event_time = event_time event = Event() event.stanza = input_name event.data = row["_raw"].strip() event.time = "%.3f" % now event.host = row["host"] event.index = row["index"] event.source = "data_replay" #row["source"] event.sourceType = row["sourcetype"] ew.write_event(event) generated_events_since_last_summary = generated_events_since_last_summary + 1 seconds_since_last_summery = now - last_summary_time if seconds_since_last_summery >= 60: ew.log("INFO","generated %s events since %s seconds" % (generated_events_since_last_summary, seconds_since_last_summery)) last_summary_time = now generated_events_since_last_summary = 0 ew.log("INFO","reached end of file %s" % (path)) if __name__ == "__main__": sys.exit(Replay().run(sys.argv)) ... View more

Hi TheProudDevil, Initially misunderstood your question. Here is my answer. It's not possible to change the mouse hover behaviour, with with the standard/build-in Splunk features. However, you can write a JavaScript file that changes the mouse hover behaviour and reference the script using the "script" attribute of "dashboard" xml tag: <dashboard script="myJavaScript.js"> Have a look at the following doc pages: http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/CustomizeSimpleXML http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/PanelreferenceforSimplifiedXML#dashboard Unfortunately creating such a script requires JavaScript skills. Hope that helps! ... View more

May you provide the content of default.xml? ... View more

May you capture a screenshot which explains exactly where you click? And also a screenshot showing how the result looks like? ... View more

Thanks for posting the search string! Could you also describe the result you get and also the result you expected to get? ... View more

Assuming you don't specify an absolute time range but using relative time range settings like earliest=-10m and latest=now. Then you run two searches (regardless if REST API first and then Splunk UI or the other way round), there is no guaranty that the searches are executed at the same time within the Splunk server. Because of that, the relative time ranges result into different absolute time ranges. If new events come in, within the delta time of the two absolute time ranges, that may cause the different results. ... View more

Could you post your source code, describe what results you get back and also describe what results you expect to get back? ... View more

I just created a new version which I'll send to you via email. I added some extra error handling to show a more detailed error message. After installing this new version, may you please again delete the igraph package, run the examples page and go back to the packages page to add the igraph package again? Which error message appears? ... View more

When you use R, you're always using it within a R environment. There is the default environment which is used when just invoking R. But the Splunk R Project does uses it's own environment. So whatever you've already installed within the default environment is not used when using R within Splunk. That's why you need to (re)install the igraph package again. I just uploaded a new version of the app. After knowing about the error message, I think the original problem is, that setting up / configuring the app didn't work because of a bug in the setup page. This bug is fixed now, so could you please try to open the setup page again and just hit Save? After that, open the Packages page, remove the igraph package, and then reinstall it. Robert ... View more

Hi xiangtaner, I just tried to install the igraph package on my installation. It worked without any problems: entered the name "igraph" as a package name and hit "Add Package" button the package should appeared in the list of packages (state="Not Installed") hit the "Install Now" button state changed to "Installing" and spinning wheel appeared state changed to "Installing Dependencies" and spinning wheel still visible state changed to "Installed" and spinning wheel disappeared I never refreshed browser page manually! On your screenshot, I cannot see the spinning wheel. This indicated that you have manually reloaded the browser page. Please try the following: hit the "Delete" button for the igraph on the package list Open the "Examples" page (this triggers the R engine and makes sure everything that is already installed related to the igraph package is cleaned up) Make sure the examples are not leading into error messages and results are shown Go pack to the "Packages" page Try installation of igraph package again (but without reloading the page) If installation failes, a error message should pop up Thanks, Robert ... View more

Is there any error message? Why exactly happens? ... View more

Maybe try inserting \n at the end of each line. Just an idea... ... View more

To upload (or update previously uploaded) scripts, the user needs to be assigned to the default admin role. I can understand there are use cases where that is not satisfying. I'm thinking of also allowing users assigned to the power role to upload scripts. ... View more

I just created a new version of the R app that uses stringsAsFactors=FALSE for the read.csv call. Plus, I updated the app's setup page allowing you to customize the read.csv and write.csv function call options. I haven't uploaded the new version to apps.aplunk.con yet, because I want you to test it first. I uploaded the package here. ... View more

The R installation needs to be done at OS level. Just go to http://cran.r-project.org/ and download R. Then install the "R Project" Splunk App (https://apps.splunk.com/app/1735/) and specify the path to the R binary in app's Setup screen. As far as I know there is no RPM package for R. ... View more

That sounds bad. If you want we can do a WebEx session. If you are interested, let's schedule a time by email (rfujara@splunk.com). ... View more

Correct, just upload all of the packages: forecast plus the other 7 packages I mentioned above. Then click on the "Samples" page to trigger installation of each of them. ... View more

I just tried installing the forecast without internet access from the Splunk server. To do that, I installed the latest version of the R app which allows "uploading" packages (downloaded from CRAN). So I downloaded the forecast package from CRAN an uploaded it to the R app and triggered installing all not yet installed packages using the R search command from within the search app. That gave me an error message saying it's missing another package. After uploading that, it said it missing another package and so on ... at the end it found out that the forecast package depends on the following packages: zoo timeDate tseries quadprog fracdiff Rcpp colorspace After downloading each of them from CRAN and uploading each to the R app, the installation of the forecast package worked (without having internet access from the Splunk server). ... View more

Nice conversion functions! But the reason for showing the time in seconds since epoch and not in ISO-8601 is the name of the field. So if the name is "_time" (and not X_time), then it's shown in ISO-8601 (internally, the representation is still in seconds since epoch). As a result, your workaround shows a nice time format, but for some of Splunk's functionality it's key to have the "_time" field in seconds since epoch. ... View more