We are using Splunk Enterprise Version: 9.3.1 and we need it for Classic Dashboard  What I managed to put together is this : <html> <style type="text/css"> table tr:nth-child(odd) td{color: red; } table tr:nth-child(even) td{color: green; } </style> </html> It looks like this :       What I actually need is to Select rows Containing  INFO / ERROR / WARNING and color them RED , BLUE , YELLOW ... View more

If you do a (distinct)count of something and there are no matching events, the result is 0. This is expected behavior imho. Actually there's a very important distinction to make here. Suppose I ask you, "How many balls are inside the box in the next room?" Consider two scenarios: You walk into the next room, see the box, look inside, and see nothing.  You walk into the next room and see nothing. No box, no balls; nothing. These are clearly not the same scenario, and so I would expect different behavior imho. Intuitively, a human would likely respond along the lines of "Zero!" "Uhm... there is no box!" The fundamental issue is that any feasible response to a question implicitly validates the premise(s) of the question. In case 2, we need Splunk to return a result indicating our premise is false. Indeed, the "null value" config exists, at least in part, to make this distinction... assuming it works 😉 ... View more

Check out these Splunk answers, which sound like one of them would give you the tools to address this question: https://answers.splunk.com/answers/496890/how-to-use-an-input-typebutton-to-reset-a-token-in.html https://answers.splunk.com/answers/149649/clean-all-filter-inputs-with-a-button.html ... View more

Hey, this worked pretty well! Thanks! ... View more

To generate a token without a panel, you can use a base_search and then an eval token in the change section. Also, you can just hard-code non-search-results based tokens at the top of your XML like this: <init> <!-->For some reason, in drilldown URLs, $APP$, just DOES NOT WORK!<--> <!-->It ought to be that setting 'env_app' to a value of '$APP$' works, but it does NOT!<--> <set token="env_app">MyHardCodedAppNameHere</set> </init> ... View more

Thank you! This worked perfectly ... View more

Cron schedules can be very useful. They look confusing at first, but are really nice to use. Select cron schedule, select the time range you want to search, and then the cron expression is how often you search. For example, */3 * * * * says you want the search to run every 3 minutes, */15 * * * * says you want the search to run every 15 minutes, and so on. ... View more

Cool, thank you. I will look into these! ... View more

I'm not sure how it works either, but it's a great technique for ad hoc searches. That does help with future queries, so thanks! However, I can't seem to get it to work with KPIs, which I am currently using for the Glass Table visualizations... Are you able to get these to work with KPIs? Or just the general searches? Thanks, Logan ... View more

Hi Logan, this sounds like a question of whether a KPI keeps the timestamp of its last update somewhere. And I haven’t seen that. I would guess that we don’t keep it directly, but there might be some trick to infer that from the search job info. The search job has info about when it was dispatched. But to find a search job from a KPI should be pretty hard if possible. ... View more