Hi, I'm trying to migrate my Splunk instance from an AWS VM to a GCP VM. I copied over this file splunk-6.5.0-59c8927def0f-Linux-x86_64.tgz to my new GCP instance and ran the following commands sudo tar xvzf splunk-6.5.0-59c8927def0f-Linux-x86_64.tgz -C /opt sudo useradd splunk -d /opt/splunkforwarder sudo passwd splunk sudo chown -R splunk:splunk $SPLUNK_HOME ./splunk start The install goes fine except I get this message "Your license is expired. Please login as an administrator to update the license." I'm not sure what license this is referring to. During the installation I wasn't prompted to create a Splunk user so I have no log in for the Web UI. I tried using this to add a user but I got blocked because there's no Splunk username to use $ ./splunk edit user admin -password mooredna Splunk username: admin Password: Login failed $ exit Can someone point out what I'm doing wrong? ... View more

Hi, I'm trying to plot a dataset over time. Here is my query: index=gpm AND (ExperimentStart OR runtimedatatransferstartimpl) | eval run_name=exp | eval transfer_start=case(_raw LIKE "%RuntimeDataTransferStartImpl%", _time) | eval experiment_start=case(_raw LIKE "%ExperimentStart%", _time) | eventstats min(transfer_start) AS xfer_start, min(experiment_start) AS exp_start by run_name | eval time_to_setup=(xfer_start-exp_start)/60 | eval Time = strftime(_time, "%m/%d %H:%M") | search time_to_setup < 500 | chart values(time_to_setup) AS "Time to setup (Min)" by Time This allows me to plot a trendline of time_to_setup over the course of a day. The issue is that there are so many x values that no labels show up on x-axis. Looking at the chart you can see the trend over time but there's no way to see when during the day the events occurred without hovering over the chart. This report is distributed as a pdf in an email so it's not viable to have users go onto the dashboard itself to see this. I was wondering if there was a way to simply have a marker for every two hours (12 markers across a day) so that at face value the relative time of day that the event occurred can be determined. ... View more

Hi, What I mean is that I want to parse all the error messages in my logs into one field called Errors but the regular expressions are different. Examples: Error: exceed max iterations, iter 120, count_trial 120 ERROR setup_acap_venv.sh failed. ERROR [ac_analysis.tools.merge_annotations:327] They don't quite all match up so one field extraction won't encompass all of them. Is there a way to have multiple regex that go into one field? Or is there a way to handle this when indexing the data instead of creating a field extraction? ... View more

I was wondering if there is a way to embed an entire dashboard (not a single report) using iframe? ... View more

Hi all, Our machines run through various processes (each one is given a unique run_id), each process can be broken down into different steps. What I want to do is to create a stacked line chart (or area chart) where the duration of each step can be shown for each run_id and a sum of all the steps given. I've created two different queries to get the data to what I want but I'm not sure how to convert either into a readable line chart. Sample table from query 1: run_id duration sum x 4 20 5 6 5 y 10 50 Duration is a multivalue field in this case and the sum is just a single sum of all the steps. Sample table from query 2 run_id step duration cumulative sum x 1 4 4 x 2 5 9 x 3 6 15 x 4 5 20 y 1 10 10 This table shows the step name and the sum is a cumulative sum (using streamstats). I need to use the run_id (run_ids are essentially a marker of when the process occurred) on the y-axis. I know that a stacked column chart would be a much better way to visualize the duration/sum of the steps but we go through nearly a hundred runs a day and it's not feasible to produce that many columns. Does anyone have any advice on how to turn either of these tables into a readable line chart? ... View more