Thank you for the follow-up. This then is likely an issue with the robust security settings created by my employer. We run a bit strict -- of which I am OK, rather be overtly so than less so and get 'hit'.  😎 ... View more

I am getting certificate errors on the links to  conference schedule and  20+ talks. Would be great to have this resolved. Having had family and friends hacked going to similar sites, this is a dead stop for me. ... View more

Yes and it was a combination of things.  First was using the correct port and selecting the correct connection type (Oracle Service). The DBA also had to make a change on the DB side to allow DB Connect to open a connection. Specifically what was done I do not have available. Your local DBA can likely figure that out. I believe a change was needed for the Listener service. ... View more

prithivip, Sorry to hear that did not resolve the issue for you. This is over 18 months old and I have long left behind the exact details to this. if you have not already done so, read over all of the responses and actions taken as there may actually be a combination of things that got us to the working result. My time, unfortunately, needs spent on my current activities. Best wishes, Rick ... View more

This setting is available in the Splunk Web UI by clicking on your ID in the menu bar and selecting "Preferences". ... View more

I too had this issue. I first tried downloading and engaging the ojdcb7.jar but that did not resolve the issue. So I tried changing to the Default Time Zone setting and BINGO! it works perfectly again. Thank you to @tmeader for the tip that worked. Now to try v3.1.3. Woo-hoo! ... View more

@ niketnilay Good points. Thank you for sharing them. I followed up with my co-worker to see how the Time field was being used beyond the macro and he indicated that it being used for other than display/reporting purposes that it is also used to do some grouping. I suggested he consider the native _time field for that as it might be more effective. He is looking into that. ... View more

Good point @ddrillic. For the specific purpose of what my co-worker is wanting to accomplish, the best solution is to simply create the Time field since it does not exist before hand. Thank you for sharing your thoughts, you provide an excellent alternative. ... View more

Thank you for your quick reply Elliot, I appreciate it. I get what you are saying and agree completely. It also makes perfect sense this is how it would work. I suggested to my co-worker that since the Time field does not exist before hand that he simply code it to create it: | eval Time=strftime(_time,"%m/%d/%Y %H:%M:%S %Z") Your suggestion would work as well but I tend to lean toward the simplest answers. He wants a Time field so just create it. (8-D) ... View more

I suggest that you consider opening a new question and make a reference to the one which you have a similar need. It is likely that the only people that will see your question added to the old question are those like me who got here from the results of a search looking for this type of information. Using our own, new question will help assure that it is presented to the group and more likely get the attention it deserves. To answer your question, the changed indicated above by @dwaddle go into the Indexer (or Heavy Forwarder) props.conf file in the stanza setup for your sourcetype. ... View more

@niketnilay, you have hit it straight on and you have enlightened me in the distinction of getting a value of zero for a return and no results being returned. This is where I was not making the connection. I now see where the "$job.resultCount$" token is returning how many events are returned from the search and not the result field "count" value. This is now working as wanted. Thank you for sticking with me on this and providing the clarity needed for this and future work like this. ... View more

Thank you @niketnilay for your response. I do find it odd to reverse the testing as you indicate and I see how it will work but it does not in my situation. The problem is not in how I have this coded but in how the code itself works. It is in that aspect that I think the failure is occurring. It seems that the condition match code looks at the Base search and not at the results of a Post-Process search. There may be something else going on as well as I changed one of my dashboard panels to use an embedded search and it stills shows the row when the end result of the search has a single value of zero. Here is my embedded search: tag=database tag=query action=failure | `find_NULL_fields` | stats count by _time, event_time, event_id, severity, src_ip, os_user, src_app, dest_ip, dest_host, db_name, db_schema, db_user, sql_command, object_type, error_code, action, query | bin _time span=24h | stats count by _time, db_user | where count > 14 | stats count as Violations The idea is to collect the core events, bundle them into 24hr buckets and count the # events, then keep only those totals where the total is 15 or more then count how many of those are found. If I narrow my search to a specific time frame I will get 11 "core" events which does not provide sufficient total to provide a count over 14 so the end result for my single-value panel is zero. But there are 11 events returned so the $job.resultsCount$ parameter is not zero and the row displays. I tried using the $result.count$ parameter which is supposed to allow me to use a value from the results set but that does not work at all and the $row1_show$ token is not generated. I get the same results if I use $result.Violations$ or $result.'Violations'$. This further deepens my suspicion that the condition match does not quite work as I am expecting. Thank you again for your suggestion/ideas, although it doesn't solve the problem it does provide insight in looking at the problem in a different way. I appreciate that. ... View more

For additional clarity on this -- the base search run within the macro produce data when it is available and the post-process search will also, went it is available. I am trying to hide rows when the post-process search filters out all of the results from the base search. It appears that the job properties and "result.{field}" options use information only from the base search. Can I at least get confirmation on this? ... View more