To configure NetScaler to pass the source IP, you'll need to enable the Use Source IP (USIP) mode. Here are the steps to do this: Log in to NetScaler: Open your NetScaler management interface. Navigate to Load Balancing: Go to Traffic Management > Load Balancing > Services. Open a Service: Select the service you want to configure. Enable USIP Mode: In the Advanced Settings, find the Service Settings section and select Use Source IP Address. This will ensure that NetScaler uses the client's IP address for communication with the backend servers. Would you like more detailed instructions or help with another aspect of your setup? ... View more

  Format your chart as stacked | rename myApp as up | eval down=1-up   ... View more

Yes, I was looking for that where statement.  My mistake, I tried using |search which didn't work.  Thanks! ... View more

Before delving into regex details, could you explain what "badness" in the sample data that you are trying to rectify?  What are the expected results? (Also, please use code section that auto wraps.)  In the output of your sample code, the "good" entry is exactly unchanged from the original entry. (By the way, the alternative value in if function cannot be new.  It should be old_field.) To be clear, your sample code is not to replace non-alphanumeric characters at all, but to executes an extremely complex purpose-built matches.  If the sole goal is to replace non-alphanumeric characters globally, replace(old_field, "\W", "__non_alphanumeric__") suffices.  Here is a simple example to do this when old_field is the only field of interest. | makeresults | fields - _time | eval old_field = mvappend("{\"bundle\": \"com.servicenow.blackberry.ful\", \"name\": \"ServiceNow Agent\\u00ae - BlackBerry\", \"name_version\": \"ServiceNow Agent\\u00ae - BlackBerry-17.2.0\", \"sw_uid\": \"faa5c810a2bd2d5da418d72hd\", \"version\": \"17.2.0\", \"version_raw\": \"0000000170000000200000000\"}", "{\"bundle\": \"com.penlink.pen\", \"name\": \"PenPoint\", \"name_version\": \"PenPoint-1.0.1\", \"sw_uid\": \"cba7d3601855e050d8new0f34\", \"version\": \"1.0.1\", \"version_raw\": \"0000000010000000000000001\"}") | eval sourcetype="custom:data" ``` data emulation above ``` | mvexpand old_field | spath input=old_field | fields - old_field | foreach version * [eval <<FIELD>> = if(sourcetype == "custom:data", replace(<<FIELD>>, "\W", "__non_alphanumeric__"), <<FIELD>>)] | tojson output_field=new | stats values(new) as new The result is a two-value field {"bundle":"com__non_alphanumeric__penlink__non_alphanumeric__pen","name":"PenPoint","name_version":"PenPoint__non_alphanumeric__1__non_alphanumeric__0__non_alphanumeric__1","sourcetype":"custom__non_alphanumeric__data","sw_uid":"cba7d3601855e050d8new0f34","version":"1__non_alphanumeric__0__non_alphanumeric__1","version_raw":"0000000010000000000000001"} {"bundle":"com__non_alphanumeric__servicenow__non_alphanumeric__blackberry__non_alphanumeric__ful","name":"ServiceNow__non_alphanumeric__Agent__non_alphanumeric____non_alphanumeric____non_alphanumeric____non_alphanumeric__BlackBerry","name_version":"ServiceNow__non_alphanumeric__Agent__non_alphanumeric____non_alphanumeric____non_alphanumeric____non_alphanumeric__BlackBerry__non_alphanumeric__17__non_alphanumeric__2__non_alphanumeric__0","sourcetype":"custom__non_alphanumeric__data","sw_uid":"faa5c810a2bd2d5da418d72hd","version":"17__non_alphanumeric__2__non_alphanumeric__0","version_raw":"0000000170000000200000000"} Are you trying to replace, say "." with one alphanumeric string (e.g., "dot"), ":" with a different alphanumeric string (e.g., "colon") and so on and so forth?  If so, what are the rules? Simply put: Forget about regex at all.  Could you explain the logic between sample data and desired results?  Also, is the end goal to form a JSON field, or do you expect to extract JSON nodes into fields? ... View more

The body part was to bold the body of the table. The other CSS that @ITWhisperer was suggesting was also targeting the body of the table and not the head. ... View more

Essentially, yes. As I understand it, splunk will sometimes break things up by punctuation so 1.1.1.1 it treated as up to 4 separate strings. ... View more

@somesoni2 you've helped me many times over the years.  Thank you for being a part of this community.  The answer worked like a charm.   I'm going to keep that eval trick in my pocket! ... View more

Hi nice to hear that you solve your problem. As you said, the one must test all scripts with splunk cmd your script or splunk cmd python your script to ensure that those are working also when they are calling inside splunk! It’s not unusual that e.g. python scripts works in cmd line and fail when testing first time with splunk.  Happy splunking ! r. Ismo ... View more

Ahh okay, putting <p/> before the <style> fixed it!  Thank you.  Maybe edit your answer to use that for the affected versions of splunk? ... View more

@robinsonalex88 - both the 7d and 30d non-base search panels are able to list the correct 20.  I'm curious why the base search wouldn't be able to.  Either way, 7d has 40k events, 30d has 100k.  When I click (open in search) on the panel using the base search, it will run the search and its values will be correct (differing from what it displays on the dashboard panel). ... View more

@DEADBEEF the reason why hardcoded | eval threshold=512000 works after timechart is that it creates a new threshold field using eval expression. Based on your query, if you want something similar in effect you would need to place an eval for aggregating max of current_size field before the timechart command (not max_size field as it does not exist as per your SPL). This is because timechart command drops fields not used in aggregation or split. index=_internal host=hf_1 group=queue name=tcpout_foo | fillnull value=0 ingest_pipe | eval threshold=max(current_size) | timechart max(threshold) as threshold avg(current_size) by ingest_pipe However as per your question seems like you are trying to calculate average size by each ingestion pipeline and then draw the maximum of average of each pipeline as threshold for corresponding average. Which should use the following SPL:   index=_internal host=* group=queue name=* | fillnull value=0 ingest_pipe | timechart avg(current_size) by ingest_pipe useother=f usenull=f limit=0 | eventstats max(*) as max_*   ... View more