Thank you for the follow-up. This then is likely an issue with the robust security settings created by my employer. We run a bit strict -- of which I am OK, rather be overtly so than less so and get 'hit'.  😎 ... View more

I am getting certificate errors on the links to  conference schedule and  20+ talks. Would be great to have this resolved. Having had family and friends hacked going to similar sites, this is a dead stop for me. ... View more

Yes and it was a combination of things.  First was using the correct port and selecting the correct connection type (Oracle Service). The DBA also had to make a change on the DB side to allow DB Connect to open a connection. Specifically what was done I do not have available. Your local DBA can likely figure that out. I believe a change was needed for the Listener service. ... View more

prithivip, Sorry to hear that did not resolve the issue for you. This is over 18 months old and I have long left behind the exact details to this. if you have not already done so, read over all of the responses and actions taken as there may actually be a combination of things that got us to the working result. My time, unfortunately, needs spent on my current activities. Best wishes, Rick ... View more

This setting is available in the Splunk Web UI by clicking on your ID in the menu bar and selecting "Preferences". ... View more

I too had this issue. I first tried downloading and engaging the ojdcb7.jar but that did not resolve the issue. So I tried changing to the Default Time Zone setting and BINGO! it works perfectly again. Thank you to @tmeader for the tip that worked. Now to try v3.1.3. Woo-hoo! ... View more

@ niketnilay Good points. Thank you for sharing them. I followed up with my co-worker to see how the Time field was being used beyond the macro and he indicated that it being used for other than display/reporting purposes that it is also used to do some grouping. I suggested he consider the native _time field for that as it might be more effective. He is looking into that. ... View more

Good point @ddrillic. For the specific purpose of what my co-worker is wanting to accomplish, the best solution is to simply create the Time field since it does not exist before hand. Thank you for sharing your thoughts, you provide an excellent alternative. ... View more

Thank you for your quick reply Elliot, I appreciate it. I get what you are saying and agree completely. It also makes perfect sense this is how it would work. I suggested to my co-worker that since the Time field does not exist before hand that he simply code it to create it: | eval Time=strftime(_time,"%m/%d/%Y %H:%M:%S %Z") Your suggestion would work as well but I tend to lean toward the simplest answers. He wants a Time field so just create it. (8-D) ... View more

I suggest that you consider opening a new question and make a reference to the one which you have a similar need. It is likely that the only people that will see your question added to the old question are those like me who got here from the results of a search looking for this type of information. Using our own, new question will help assure that it is presented to the group and more likely get the attention it deserves. To answer your question, the changed indicated above by @dwaddle go into the Indexer (or Heavy Forwarder) props.conf file in the stanza setup for your sourcetype. ... View more

@niketnilay, you have hit it straight on and you have enlightened me in the distinction of getting a value of zero for a return and no results being returned. This is where I was not making the connection. I now see where the "$job.resultCount$" token is returning how many events are returned from the search and not the result field "count" value. This is now working as wanted. Thank you for sticking with me on this and providing the clarity needed for this and future work like this. ... View more

Thank you @niketnilay for your response. I do find it odd to reverse the testing as you indicate and I see how it will work but it does not in my situation. The problem is not in how I have this coded but in how the code itself works. It is in that aspect that I think the failure is occurring. It seems that the condition match code looks at the Base search and not at the results of a Post-Process search. There may be something else going on as well as I changed one of my dashboard panels to use an embedded search and it stills shows the row when the end result of the search has a single value of zero. Here is my embedded search: tag=database tag=query action=failure | `find_NULL_fields` | stats count by _time, event_time, event_id, severity, src_ip, os_user, src_app, dest_ip, dest_host, db_name, db_schema, db_user, sql_command, object_type, error_code, action, query | bin _time span=24h | stats count by _time, db_user | where count > 14 | stats count as Violations The idea is to collect the core events, bundle them into 24hr buckets and count the # events, then keep only those totals where the total is 15 or more then count how many of those are found. If I narrow my search to a specific time frame I will get 11 "core" events which does not provide sufficient total to provide a count over 14 so the end result for my single-value panel is zero. But there are 11 events returned so the $job.resultsCount$ parameter is not zero and the row displays. I tried using the $result.count$ parameter which is supposed to allow me to use a value from the results set but that does not work at all and the $row1_show$ token is not generated. I get the same results if I use $result.Violations$ or $result.'Violations'$. This further deepens my suspicion that the condition match does not quite work as I am expecting. Thank you again for your suggestion/ideas, although it doesn't solve the problem it does provide insight in looking at the problem in a different way. I appreciate that. ... View more

For additional clarity on this -- the base search run within the macro produce data when it is available and the post-process search will also, went it is available. I am trying to hide rows when the post-process search filters out all of the results from the base search. It appears that the job properties and "result.{field}" options use information only from the base search. Can I at least get confirmation on this? ... View more

The Base Search code did not paste correctly, here is another attempt at getting the actual code included: <search id="access_violations"> <query>`access_failures` | `transform_query_to_stats_v2`</query> <earliest>$search_timerange.earliest$</earliest> <latest>$search_timerange.latest$</latest> </search> ... View more

The error I get when I try to save the dashboard with the above code is: 400 Bad Request Return to Splunk home page XML Syntax Error: No JSON object could be decoded View more information about your request (request ID = 588b5131127f7380173c50) in Search This is followed by a link that takes me back to the dashboard XML editor. The link associated with the error message and request ID does not provide any results. ... View more

I am using Splunk 6.4.4. The dashboard is a form and I am editing the source in the dashboard XML editor. Here is code snippets showing how I am creating and using the tokens: <input type="dropdown" token="" searchWhenChanged="true"> <label>Data Display Detail:</label> <choice value="1">Level 1</choice> <choice value="2">Level 2</choice> <choice value="3">Level 3</choice> <default>1</default> <initialValue>1</initialValue> <change> <condition value="1"> <set token="token_search">bin _time span=24h | stats count as "Failures" list(event_time), list(sql_command), list(object_type), list(query) by _time, db_user | where 'Failures'&gt; 14 | stats count as "Violations" list(Failures), list(list(event_time)), list(list(sql_command)), list(list(object_type)), list(list(query)) by _time, db_user</set> <set token="token_level">1</set> <set token="token_fields"></set> </condition> <condition value="2"> <set token="token_search">bin _time span=24h | stats count as "Failures" list(event_time), list(sql_command), list(object_type), list(query) by _time, dest_ip, dest_host, db_name, db_user | where 'Failures'&gt; 14 | stats count as "Violations" list(Failures), list(list(event_time)), list(list(sql_command)), list(list(object_type)), list(list(query)) by _time, dest_ip, dest_host, db_name, db_user</set> <set token="token_level">2</set> <set token="token_fields">"Destination IP Address", "Destination Server Name", "Database Name",</set> </condition> <condition value="3"> <set token="token_search">bin _time span=24h | stats count as "Failures" list(event_time), list(sql_command), list(object_type), list(query) by _time, src_ip, os_user, src_app, dest_ip, dest_host, db_name, db_user | where 'Failures'&gt; 14 | stats count as "Violations" list(Failures), list(list(event_time)), list(list(sql_command)), list(list(object_type)), list(list(query)) by _time, src_ip, os_user, src_app, dest_ip, dest_host, db_name, db_user</set> <set token="token_level">3</set> <set token="token_fields">"Source IP Address", "OS User", "Source App", "Destination IP Address", "Destination Server Name", "Database Name",</set> </condition> </change> </input> <table> <search base="access_violations"> <query>search $severity_tok$ $src_ip_tok$ $src_app_tok$ $os_user_tok$ $dest_ip_tok$ $db_name_tok$ $db_user_tok$ $include_user_type$ $exclude_user_type$ | $token_search$</search> <option name="wrap">true</option> <option name="rowNumbers">false</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="count">10</option> <drilldown> <set token="showDetails">true</set> <set token="event_time">$row.Event Time$</set> <set token="source_ip">$row.Source IP$</set> <set token="os_user">$row.OS User$</set> <set token="src_app">$row.Source Application$</set> <set token="dest_ip">$row.Destination IP$</set> <set token="dest_host">$row.Destination Hostname$</set> <set token="db_name">$row.Database Name$</set> <set token="sql_command">$row.SQL Command$</set> <set token="object_type">$row.Object Type$</set> </drilldown> <fields>[ "_time", $token_fields$ "Database User", "Violations", "Failures"]</fields> </table> NOTE: The tokens in the first part of the post-processing search are created by single-selection listboxes at the top of the dashboard form. The search works perfectly for what we want to report. The current iteration of the code lists all of the desired fields for the panel to display so when a lower level of detail is selected, the panel has not data for the unused columns. We are wanting to display only those columns that will contain data. We are using the "fields" clause/module to limit what data to display but also allowing all of the search result fields to be available should the user decide to "Open in search" so they will not need to alter the search once it runs to remove the fields command to get all of the data. ... View more

I thought of that and am holding it as my 'fall back' option, but that will mean that I have three searches that run versus only one. I am trying to make this as efficient as I can while still meeting the user's expectations. ... View more