Here's one way: <DB search> | join SerialNumber [<log file search>] | ... ... View more

What issues are you having? Perhaps someone here can help resolve them. ... View more

If that works for you, please accept the answer. ... View more

You could use an HTML table to align the labels with the text boxes. ... View more

I've wondered the same thing and have an idea, but haven't had a chance to try it. Set your transforms.conf file to send lines beginning with '#' to nullQueue. props.conf [<sourcetype>] SHOULD_LINEMERGE = false TRANSFORMS-set = setnull,setparsing transforms.conf [setnull] REGEX = ^#. DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = logit DEST_KEY = queue FORMAT = indexQueue ... View more

Perhaps I misunderstand your objective. Please provide some sample events, your attempted query, and expected output. ... View more

Here's how we did that in Advanced XML: <module name="HTML" layoutPanel="panel_row1_col2" autoRun="True"> <param name="html"><![CDATA[ <table id="resultsTable"> <tr><td>foo</td></tr> </table> <script> var rCount = "$results.resultCount$"; if (rCount == 0) { document.getElementById("resultsTable").innerHTML="<h1>Your text here.</h1>"; } </script> ]]></param> </module> ... View more

Perhaps something like this? <search> earliest=-30d | stats count(Last_Log_In) as Log_In_Counts by date_mday ... View more

The installation process doesn't change. Users still have to accept the agreement the first time Splunk launches. All that changes is where the installer comes from. ... View more

Please accept the answer. ... View more

index=index1 | fields computer | join type=inner computer [search index=index2] | ... This assumes the field computer exists in both indices. If it doesn't add a rename command before the join . ... View more

Download the binary to a local store and have your script fetch it from there. ... View more

There are probably better ways, but I'd do that as three separate searches. sourcetype=access_combined where like(URL,"%/suresh%") | stats avg(RESP_TIME) as rt_suresh | append [search sourcetype=access_combined where like(URL,"%/amaresh%") | stats avg(RESP_TIME) as rt_amaresh] | append [search sourcetype=access_combined where like(URL,"%/ramesh%") | stats avg(RESP_TIME) as rt_ramesh] | table rt_suresh, rt_amaresh, rt_ramesh ... View more

In a nutshell, you need to search both for forwarders and for the hosts. Then you can determine if it's a host problem or a forwarder problem. Here is the dashboard panel I use for this: <module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True"> <!-- Find and report on all Splunk Universal Forwarders and endpoints not running SUF. Skip IPs in the SUFExceptions file. --> <param name="search"><![CDATA[index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*" | dedup sourceHost | rename IPAddress AS hostip, sourceHost AS IPAddress, OS AS fOS | fields IPAddress, hostname, fGUID, fOS, fwdType | append [loadjob savedsearch="my:app:HWDetailBase" | rename OS AS hOS | fields IPAddress, ComputerName, hOS] | transaction IPAddress | eval HostName=coalesce(ComputerName, hostname) | eval OS=coalesce(hOS, fOS) | eval "Forwarder State"=if(isnotnull(fwdType),"Running","NOT RUNNING") | search [|inputlookup SUFExceptions.csv append=f| fields IPAddress |format "NOT (" "(" "" ")" "OR" ")"] | sort "Forwarder State" | table IPAddress, HostName, OS, "Forwarder State" ]]></param> <param name="groupLabel">Forwarder Status</param> <module name="JobProgressIndicator"></module> <param name="earliest">-24h</param> <param name="latest">now</param> <module name="PostProcess" layoutPanel="panel_row5_col1"> <param name="search"> | rename "Forwarder State" AS fState | stats count(eval(fState=="NOT RUNNING")) AS nRun</param> <module name="HTML" layoutPanel="panel_row5_col1"> <param name="html"><![CDATA[ <table> <tr><td>Hosts:</td><td width=3></td><td>$results.resultCount$</td><td width=8></td><td>Not running:</td><td width=3></td><td>$results[0].nRun$</td></tr> </table> ]]></param> </module> </module> The SUFExceptions.csv file contains a single field, IPAddress, and is where I put hosts I know aren't running a forwarder. It saves modifying a lengthy where clause every time there's a change to the exception list. The HWDetailBase search is a bit too long to list here, but it essentially combines all of our sources of host information (such as port_scan) and returns IPAddress, ComputerName, and OS fields. ... View more

Putting each checkbox in its own grp will keep them horizontal. You can put the added search/text in the next-higher grp number(s). ... View more

Put your check boxes, etc. in layoutPanel panel_row1_col1_grp1 then put more search/text fields in panel_row1_col1_grp2 . ... View more

When you say "it doesn't work", what error are you seeing? Have you looked at this answer? http://answers.splunk.com/answers/126547/db-connect-epoch-timestamp ... View more

I think it's not enough to join the two sources by IP since the same IP appears at several different times. A simple join should work, however. You can use a transaction if you have distinct events that start and end each transaction. ... View more

You could use earliest=@d latest=@h for Today and earliest=-1d@d latest=-24h@h for Yesterday. Or earliest=@d latest=@m for Today and earliest=-1d@d latest=-1440m@m for Yesterday. ... View more

I assumed all of your results were from a single query. If you can't combine your queries then you may want to experiment with putting an HTML module after each query with all of the HTML writing to the same layoutPanel. With any luck, each HTML module will append its output rather than overwrite what the previous HTML module wrote. ... View more

I'm not sure what "afterlabel" is. You should get results close you those you seek using the following within your Search module: <module name="HTML" layoutPanel="panel_row1_col1" autoRun="True"> <param name="html"><![CDATA[ Today_Count : $results[0].Today_Count$<br/> Yesterday_Count : $results[0].Yesterday_Count$<br/> Error_Count : $results[0].Error_Count$<br/> Day1_count : $results[0].Day1_count$<br/> average Day2_Count : $results[0].Day2_Count$<br/> average ]]></param> </module> ... View more