If you are seeing Invalid key in stanza (on start up) then check for typos [indexer_discovery:master] pass4SymmKey = ... Refer to https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf#outputs.conf.spec ... View more

The page has moved. Recommend you google it. Today it's found here https://www.splunk.com/en_us/resources/personalized-dev-test-licenses.html?301=/dev-test&locale=en_us ... View more

Yep works. Set your id= <input type="link" token="unused" id="resized_input" searchWhenChanged="true"> Then style it <row depends="$HIDE_ALWAYS$"> <panel> <title>Hidden panel for a horizontal linked list</title> <html> <style> #resized_input { width: 350px; } </style> </html> </panel> </row>   ... View more

Bumping this thread. I'd like a solution to this post too. Below is Simple XML code I have used. <table> <search></search> <format type="color" field="Health"> <colorPalette type="map">{"Critical":#6A5C9E, "Abnormal":#6A5C9E, "Normal":#65A637}</colorPalette> </format> </table> See output, image below. (Dashboard left, PDF right.) Splunk Cloud Version 9.0.2303.201 Experience: Classic Links to Splunk Cloud docs https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/TableFormatsXML  https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/DashboardPDFs ... View more

h/t Nick I have iterated on your idea. It stripped the decimals nicely but kept the dot when "6556.000" so I added \d. | rex field=alert_value "^(?<myfield>[\s\S]*\.\d[\s\S]*?)0*$" In my case, my field also contains integers: | rex field=alert_value "^(?<keep>[^\.]+)(?<keepdot>\.{0,1})(?<keepdotdecimal>\d*?)0*$" | eval human_value = keep . if(len(keepdotdecimal)!=0, "." . keepdotdecimal, "") It caters for "6556" and "6,556" ... View more

This question is answered here. h/t @manu_giriyapp host=forms.host_tok   ... View more

Depending on your version,  https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/DashStudio/searchTokens#Example_of_setting_a_token_from_search_results "ds_m45g5mF6": { "type": "ds.search", "options": { "query": "index=_internal \n| stats count by sourcetype", "enableSmartSources": true }, "name": "Activity by Sourcetype"   ... View more

Thanks for your tip how we can use /count. Try this technique if you want to extract the details of your Correlation Searches: https://community.splunk.com/t5/Splunk-IT-Service-Intelligence/What-is-the-correct-REST-endpoint-to-list-ITSI-correlation/m-p/599005#M2521   ... View more

Hopefully my reply below is useful for anybody who also finds themselves reading this old post. The technique provided by @atsviatkou_splu is useful--and it has guided me how to get a complete result. However it was only returning a subset of my Correlation Searches. I now get them all with the SPL below. 1. Correlation Search count | rest splunk_server=local "/services/event_management_interface/correlation_search/count" report_as=text | spath input=value | fields count 2. Correlation Search details | rest splunk_server=local "/services/event_management_interface/correlation_search" report_as=text | eval as_json=spath(value,"{}") | fields as_json | mvexpand as_json | eval name=spath(as_json, "name") | eval search=spath(as_json, "search") | table name search   ... View more

Hopefully you figured it out long ago. Below to help others who end up here. Use the Service KPI endpoint to retrieve the ad hoc search query. Field name is kpis.search. Example below. | rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/service report_as=text filter="{\"enabled\":1}" fields="_key,title,kpis._key,kpis.title,kpis.base_search_id,kpis.base_search,kpis.alert_period,kpis.unit,kpis.aggregate_statop,kpis.entity_statop,kpis.threshold_field,kpis.entity_breakdown_id_fields,kpis.is_entity_breakdown,kpis.search" API Reference https://docs.splunk.com/Documentation/ITSI/4.12.0/RESTAPI/ITSIRESTAPIschema#Service_KPI ... View more

Let's imagine your data looks something like this: | gentimes start="03/01/2020 0:00:00" end="03/02/2020" increment=15m | streamstats count as id | eval value = if(id<10, random() % 16, 0) | rename starttime as _time | table _time value Then add a running total with streamstats like this: | rename value as downtime_in_min | eval uptime_in_min = 15 - downtime_in_min | streamstats sum(downtime_in_min) as RUNNING_TOTAL_downtime_in_min, sum(uptime_in_min) as RUNNING_TOTAL_uptime_in_min | table _time downtime* uptime* RUNNING_TOTAL* ... View more

Check out this JSON dashboard code, which is populating a dropdown input from a search called search1: https://docs.splunk.com/Documentation/DashApp/0.9.0/DashApp/inputs#Adding_and_configuring_inputs ... View more

I have used below syntax so a panel will stay hidden until 2 or more conditions have been met. Hopefully helps. <panel depends="$isLinux$$isHealthy$"> That panel only shows when both tokens have a <set> value. If any token is <unset> then that panel is hidden. ... View more

You can use match() to scan all of _raw on every event. If you look for "WARN" then it will find "WARNING". If I was doing this I would instead give my sourcetype/search a field called log_level (in case _raw is long). <dashboard> <label>test_conditional_color</label> <row> <panel> <html> <style> #tableRowColorWithoutJS table tbody td div.multivalue-subcell[data-mv-index="1"]{ display: none; } </style> </html> <table id="tableRowColorWithoutJS"> <title>We can color columnA based on whichever Log Level we see in columnB </title> <search> <query> index=_internal log_level!="INFO" | fields index sourcetype host _raw | streamstats count as id | table id a_new_field* * | eval hex_color = case(match(_raw,"ERROR"),"red", match(_raw,"INFO"),"green", true(),"amber") | foreach * hex_color [| eval "&lt;&lt;FIELD&gt;&gt;"='&lt;&lt;FIELD&gt;&gt;'."|".hex_color] | foreach * [| eval "&lt;&lt;FIELD&gt;&gt;"=split('&lt;&lt;FIELD&gt;&gt;',"|")] | fields index sourcetype host _raw </query> <earliest>-1h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <format type="color" field="host"> <colorPalette type="expression">case (match(value,"red"),"#DC4E41", match(value,"green"),"#53a051", true(),"#f4a747")</colorPalette> </format> </table> </panel> </row> </dashboard> ... View more

Try below. Seems simpler. No need for OP's  eval  technique. Had to use initialValue and not default. <input type="checkbox" token="showhide_choice_tok" searchWhenChanged="true">   <label></label>   <choice value="yes">I want panels</choice>   <change>     <condition value="yes">       <set token="show_panels_tok">show</set>     </condition>     <condition>       <unset token="show_panels_tok"></unset>     </condition>   </change>   <delimiter> </delimiter>   <initialValue>yes</initialValue> </input> ... View more

Excuse my super late reply. Below may help those who arrive here after me. Be careful to check that your html is referencing your stanza name - not your app name.  <splunk-search-dropdown name="action.[stanza_name].param.[param_name]"...   Below is how to extend the "logger_app" example in docs to add a dropdown. User's choice is sent to script. logger.html <form class="form-horizontal form-complex"> <p>Write log entries for this action.</p> <splunk-search-dropdown name="action.logger.param.mychoice1" search=" | inputlookup alert_action_dropdown1.csv | stats c by foo1" value-field="foo1" label-field="foo1"/> </form> alert_actions.conf [logger] is_custom = 1 disabled = 0 label = Log alert action description = Custom action for logging fired alerts icon_path = logger_logo.png param.mychoice0=This param is hardcoded. Look, I can use a token: $result.host$ #param.mychoice1=This param comes in from your stanza in savedsearches.conf. #savedsearches.conf: action.logger.param.mychoice1=User picks from the UI. See logger.html Output in test_modalert.log  then looks like: ...</search_name> <configuration> <stanza name="test_alert_action_logger_with_added_dropdown1"> <param name="mychoice0">This param is hardcoded. Look, I can use a token: </param> <param name="mychoice1">splunk2</param> </stanza> </configuration> <result>... ... View more

Seems for Logical AND operation you must use ampersand ("&"). Not a comma (","). Check for your TA version. Refer to https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Configureinputs ... View more

Clever solution. Thank-you. Tiny bug on this line: | foreach * [| eval "<<FIELD>>"='<<FIELD>>'."|".log_level] Should be: | foreach * log_level [| eval "<<FIELD>>"='<<FIELD>>'."|".log_level] Or each field that is being processed after log_level field (alphanumerically) is being given log_level 2 times.   And if you notice a field value is being given a comma (',') instead of a pipe ('|') then rename it before foreach. | rename latest_time as latest_time2   ... View more

Sorry to bump old post. Solution suggested by @niketnlay has solved it. Splunk Enterprise 8.0.5. This is the key concept: <table><format><colorPalette type="expression"> I had no luck with simply putting a token into the code the UI is generating for us:  <colorPalette type="list"><scale type="threshold"> Below example works.   <table> ... <format type="color" field="age_in_mins"> <colorPalette type="expression">if(value >= $threshold_in_mins_tok$,"#DC4E41", "#53A051")</colorPalette> <!--colorPalette type="list">[#53A051,#DC4E41]</colorPalette> <scale type="threshold">$threshold_in_mins_tok2$</scale--> </format> </table>   ... View more

New link is  https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Forwardermanagementcompatibility#List_of_incompatibilities ... View more

SAI 2.1.0+ has replaced collectors.conf with entity_classes.conf Refer to https://docs.splunk.com/Documentation/InfraApp/2.1.0/Install/NewEntitySchema For Windows [perfmon] see https://community.splunk.com/t5/forums/replypage/board-id/apps-add-ons-all/message-id/59094 ... View more

SAI 2.1.0+ has replaced collectors.conf with entity_classes.conf Refer to https://docs.splunk.com/Documentation/InfraApp/2.1.0/Install/NewEntitySchema For Linux [os] see https://community.splunk.com/t5/forums/replypage/board-id/apps-add-ons-all/message-id/59094 ... View more

In later versions, Splunk Enterprise,->Settings->Forwarding and receiving->Configure receiving. e.g. 7.3.5. ... View more