Issue still persists in Splunk enterprise. I don't know why Splunk din't fix the issue yet. However, the answer is still valid.  ... View more

This answer helped me out a lot super clean and simple and useful when you're stuck in a situation where you have to do other searches first to drive your data. Thank you!!!! ... View more

As not all instances allow for CLI access, such as Splunk Cloud, you may also query the captain from the Search GUI. | rest /services/shcluster/status splunk_server=local | fields captain.label ... View more

I just created this Splunk Idea, if everyone would please vote on it! https://ideas.splunk.com/ideas/CONNID-I-22 ... View more

You can do it like this: |rest/services/data/ui/panels | search eai:appName="Your App Here" AND panel.title="Your Panel Title Here" AND title="Your title here" | regex eai:data = "\<query\>" | rex field=eai:data max_match=0 "\<query\>(?<query>.*?)\<\/query\>" | eval query=mvindex(query, <some number here>) | map search="search $query$" ... View more

It appears you can use tokens in prebuilt panels, but not pass specific parameters. Example prebuilt panel XML <panel> <table> <search> <query>index=_internal source=*splunkd.log data_host=$host_pattern$* data_sourcetype=$source_type_pattern$ ... View more

In Splunk 7.*: Settings -> Searches, reports, and alerts -> Edit -> Advanced Edit -> alert.expires ... View more

The only supported Identity Providers prior to 6.5 were: Ping Identity Okta Azure AD ADFS http://docs.splunk.com/Documentation/Splunk/6.4.6/Security/HowSAMLSSOworks 6.5.x introduced support for SAML 2.0. Any IdP (Identity Provider) that can generate a SAML 2.0 compliant SAML response can now be used with Splunk, and we'll be glad to assist. http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/HowSAMLSSOworks ... View more

I had great success with the following: Service service = getSplunkService(); String dashboardName = "rest_dashboard"; String dashboardXml = "<dashboard>\n" + " <label>temp</label>\n" + " <row>\n" + " <panel>\n" + " <chart>\n" + " <search>\n" + " <query>index=_internal\n" + " | timechart count</query>\n" + " <earliest>-1h@h</earliest>\n" + " <latest>now</latest>\n" + " <sampleRatio>1</sampleRatio>\n" + " </search>\n" + " </chart>\n" + " </panel>\n" + " </row>\n" + "</dashboard>"; JobArgs jobargs = new JobArgs(); jobargs.put("name", dashboardName); jobargs.put("eai:type", "views"); jobargs.put("eai:data", dashboardXml); String endpoint = String.format("/servicesNS/rest_user/app_name/data/ui/views/%s", dashboardName); service.post(endpoint, jobargs); ... View more

I am a Splunk Cloud customer who can not make configuration changes directly. I was able to work around this by adding the backend collection via REST: curl -k -u <username>:<password> -d name=<collections_name> https://<youraccountname>.splunkcloud.com:8089/servicesNS/nobody/<app-name>/storage/collections/config ... View more

How about this? .... | search version="10" version="12" version="13" ... View more

Please see the Splunk Documentation for "Generate PDFs of your reports and dashboards". http://docs.splunk.com/Documentation/Splunk/7.0.3/Report/GeneratePDFsofyourreportsanddashboards Excerpt from documentation: limits.conf In the [pdf] stanza you can set the max_rows_per_table to set the maximum number of table rows that Splunk software will print out for simple results tables in a PDF. The default is 1000. Note: This can lead to multi-page reports if your tables have lots and lots of rows. Reduce this number if you want to limit the number of pages that a table can generate for a PDF version of a dashboard. ... View more

Yes, you may use a REST call to delete. See DELETE for the "saved/searches/{name}" endpoint. https://docs.splunk.com/Documentation/Splunk/6.5.1612/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D Please keep in mind that the Splunk Search interface command line provides a 'rest' command, but this is read only, and is not a true REST client. Please use your favorite common purpose REST client. (curl, Postman, any HTTP library) ... View more

My solution, which works for environments up to medium size, is to create multple alerts,for example switch alerts - all switch alerts - ignore esxi ports swtich alerts - ignore firewall ports switch alerts - ignore hsm ports Normally, 'switch alerts - all' is enabled, but when maintenance is going occur on esxi hosts, we disabled 'switch alerts - all' and enable 'switch alerts - ignore esxi ports'. This allows a bit of control without writing a script to query your ticket tracking system, and using that data to query your cabling database, and then using that data to update a generic 'link state' alert because in my opinion, telling a NOC to ignore alerts is the worst thing you can do. ... View more