Hello, I have a scripted input with a CRON set to  50 5-23 * * * so that it "sleeps" between the hours of midnight and 6AM.  I noticed, however, that the script is "sleeping" between the ours of 2AM and 8AM.  After investigating I discovered that the CRON was running with UTC time standard and not my time zone, which is currently CEST. How do I set it to run in line with my timezone instead of the UTC time standard?  With other objects like saved searches the timezone is retrieved from the account that owns the object, but with scripted inputs I don't see this option. Thanks! Andrew ... View more

Hello! I see that a new version of the Splunk Cloud Gateway (https://splunkbase.splunk.com/app/4250) was released on March 4th.  Is it compatible with Python3?  If not, when? Thanks! Andrew ... View more

Hello! This is regarding the Splunk built Timeline viz: https://splunkbase.splunk.com/app/3120/ My question: will it ever be "elevated" to a standard Splunk viz that allows us more customization possibilities?  For example: Moving the legend around (I want it underneath instead of to the right) Drilldown! More flexibility for changing colours Ability to add additional field details to the tooltip It's a great viz, so would be great for it to be just that little bit more powerful! Thanks! Andrew   ... View more

Hello, This is for Splunk Enterprise 7.2.6. I am trying to separate the time presets so that they are divided into columns of my choice.  Here is what I want (on the left what I currently have, on the right what I would like to have): According to times.conf, I should be able to do this by assigning values to "order".  In this case I am assigning 100, 110, 120, and 130 to the first four, and 800, 810, 820, 830, and 840 to the remaining values. I have noticed, though, that when I change the "latest_time" value for one of the values, then it gets moved to a new column.  In my case the "lastest_time" must always be set to "@d". Have I misunderstood something?  Is there any way to get my desired result? Thank you and best regards, Andrew ... View more

Hello,  I am looking for some clarifications when using an INGEST_EVAL to set a timezone during index time. The timezone I am working with is Romania which is +0200 or EET standard time and +0300 or EEST daylight savings time.  No Romanian cities are available in the Splunk timezone list so I am using Beirut which according to this page is on the same timezone year round as Romania. Now for my data I am indexing using an INGEST_EVAL which takes the timestamp from the source where each filename has the following format and reflects local Romanian time: this_is_my_file_2020_10_27_10_55_53.csv Since there is no timezone specified in the filename and since the Splunk system time is set to UTC I need to append the timezone using the INGEST_EVAL: INGEST_EVAL   =   _time = strptime(replace(source, ".*(?=/)/" , "" ). "EET" , "this_is_my_file_%Y_%m_%d_%H_%M_%S.csv%Z" ) Now for my concern.  Since I have hardcoded "EET" in the INGEST_EVAL, will this skew the files that are ingested during the daylight savings period?  In other words, if a filename comes in during EEST, so 2020-10-01 for example, will Splunk understand not to use "EET" and use "EEST" instead even though it is not specified in the INGEST_EVAL? To conclude, I hate timezones 🙂 Any input would be greatly appreciated. Thank you and best regards, Andrew ... View more

Hello, As the title suggests, I have a column chart with x-axis labels that are too long to fit under each column resulting in the text being truncated.  Here is an example of what I mean.  For simplicity I have set the labels for each column to "THIS TEXT IS TOO LONG TO FIT COMFORTABLY AS A LABEL". What I would like to know is whether it is possible to avoid truncating the text and instead, using CSS, have the text wrap and appear on a second line.  I know I can set the label rotation, but this it not what I want to do.  I want the labels to be horizontal and on multiple lines rather than truncated or rotated. Any help would be much appreciated. Best regards, Andrew ... View more

Hello everyone, I am implementing a solution found here: How to pass multivalue tokens to other splunk dashboard URL  This solution uses token play to construct a string using each selected multivalue value and then pass it to another dashboard.  I have managed to set up the framework, but it is not working as expected.  The problem in a nutshell is that the & and = characters in the token string are converted into their HTML encoding, %26 and %3D respectively.  This causes the receiving token to interpret it as a single value which of course is invalid. Here is the code for two connected run anywhere dashboards that demonstrate the issue: Sending side:   <form> <label>Multipass</label> <fieldset submitButton="false"> <input type="multiselect" token="tok_input"> <label>Input</label> <choice value="*">All</choice> <choice value="Value_1">Value_1</choice> <choice value="Value_2">Value_2</choice> <default>*</default> <initialValue>*</initialValue> <delimiter> </delimiter> <change> <set token="tok_input_send" delimiter="&amp;form.tok_input_received=">$value$</set> </change> </input> </fieldset> <row> <panel> <table> <search> <query>| makeresults | eval values="$tok_input_send$" | table values</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <drilldown> <link target="_blank">/app/search/multipass_target?form.tok_input_received=$tok_input_send$</link> </drilldown> </table> </panel> </row> </form>     Receiving side:   <form> <label>Multipass Target</label> <fieldset submitButton="false"> <input type="multiselect" token="tok_input_received"> <label>Input</label> <choice value="*">All</choice> <choice value="Value_1">Value_1</choice> <choice value="Value_2">Value_2</choice> <default>*</default> <initialValue>*</initialValue> <delimiter> </delimiter> </input> </fieldset> <row> <panel> <table> <search> <query>| makeresults | eval values="$tok_input_received$" | table values</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form>   You'll see that sending the following: is interpreted like this: Can somebody help to solve this approach, or propose another? Thanks! Andrew ... View more