Hi,one of my user complained that dashboard data is coming as zero  suddenly from last 3-4 days( earlier he was) where as his collegue is able to see them .. both are having same access and permission ( same Security grp as well).. any thoughts how to resolve ?   ... View more

Hi, I was trying to add 2 rows in to a single row . After combining,I am getting results for 1st column .but not for 2nd result .Something wrong here ? host=t-fus* ("SRCreateRequest" OR "SRPublishRequest" OR "SRUpdateRequest" OR "JNPRCreateSRPublish" OR "JNPRPostSRUpdate" OR "JNPRUpdateSRPublish") (Publisher: Completed OR fallacy ) | rename JNPRCreateSRPublish as SRCreateRequest | rename JNPRPostSRUpdate as SRPublishRequest | rename JNPRUpdateSRPublish as SRUpdateRequest | rex "(?<API> SRCreateRequest | SRPublishRequest | SRUpdateRequest )" | rex "(?<status>Completed| fallacy)" | where isnotnull(status) | append [| makeresults | eval API=split(" SRCreateRequest | SRPublishRequest | SRUpdateRequest ", "|") | mvexpand API] | chart count as count1 by API,status | table API, Completed, Error | fillnull value=0 Error, Completed   ... View more

Hi, I was trying to add 2 searches       | multisearch [search host=p-css* SRCreateRequest 400 | stats count as CreateSR | appendcols [search host=p-css* SRUpdateRequest 400 | stats count as UpdateSR] | appendcols [search host=p-css* SREscalateRequest 400 | stats count as EscalateSR] | appendcols [search host=p-css* SRCloseRequest 400 | stats count as CloseSR] | eval type="400"] [appendcols search host=p-css* SRCreateRequest Publisher: Completed | stats count as CreateSR | appendcols [search host=p-css* SRUpdateRequest Publisher: Completed | stats count as UpdateSR] | appendcols [search host=p-css* SREscalateRequest Publisher: Completed | stats count as EscalateSR] | appendcols [search host=p-css* SRCloseRequest Publisher: Completed | stats count as CloseSR] | eval type="Completed"] | chart count(Name) over 400 by Completed       Getting error "Error in 'multisearch' command: Multisearch subsearches might only contain purely streaming operations (subsearch 1 contains a non-streaming command)."   My expected output  will be having a table format: giving some example here API 400 Completed CreateSR 30 50 UpdateSR 5 25 CloseSR 24 30 ... View more

Hi, Here is my query: | search SRCreateRequest Completed | stats count as CreateSR | appendcols [search SRUpdateRequest Completed | stats count as UpdateSR] | appendcols [search SRPublishRequest Completed | stats count as PublishSR] | transpose header_field=a | appendcols [search SRCreateRequest ERROR | stats count as Failure] | append [search SRUpdateRequest ERROR | stats count as Failure] | append [search RPublishRequest ERROR | stats count as Failure] | appendcols [search SRCreateRequest response | stats count as Response] | append [search SRUpdateRequest response | stats count as Response] | append [search RPublishRequest response | stats count as Response] | rename "column" as "API", "row 1" as "Success" | table API,Success,Failure,Response     Output is not coming in to proper table.. any suggestion   ... View more

Hi,I do have 100+ servers where splunk forwarders' version is older one and needs to upgrade . I don't have access to these servers. Without effecting configuration,how do I upgrade those by remotely ? ... View more

Hi, How to check technology inventories like new asset added,new software added,storage total attached ,memory of each hosts for last 30 days.. ? Also, how to get Splunk volume usage and Top 10 apps for every month/quarter ?   ... View more

Hi, I have uploaded customized app ,but App origin is showing as "Uploaded" ,we suppose to have "Splunk"   How to change this ?   ... View more

Hi, Logs are going to _internal index instead of customized index. host = xxxx index = _internal source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype = splunkd inputs.conf and props.conf are set properly in deployment server.Also verified in the SplunkForwarder "Windows"  server.  Still getting above one , not going to customized index. What could be the reason ? ... View more

Hi,   I was trying to run 'reload deploy server' .. /opt/splunk/bin/splunk reload deploy-server Your session is invalid. Please login. Splunk username: admin Password: An authentication error occurred: Client is not authenticated.   What went wrong ? ... View more