I'm trying to save the results of my search in a token so I can reference it in another visualization.  I've read other post and people are using the <done> tags to solve this issue.   Below is my code     <row> <panel> <single> <search> <query>index = * | stats count as c</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> <done> <set token="results" >$row.c$</set> </done> </search> <option name="drilldown">none</option> </single> </panel> </row>       ideally I would like to reference the "Results" token in other searches. Any help is appreciated.  -Marco  ... View more

I'm trying to make a time chart where it uses the time value specified in my table.  Rather than the default _time value. Currently I'm trying something like this: base search |eval Failures = if(STATUS ="Failed",1,0) | timechart sum(Failures) by TIME DATE TIME  SYSTEM Failures 03/01/2022 12:00 Development 10 03/01/2022 13:00 Development 2 04/01/2022 15:00 Development 3 05/01/2022 18:00 Development 8    Any suggestions help :-).   Thank you, Marco ... View more

After issuing a transpose command on my bar chart visualization I can't configure conditional drilldowns. I tried using the untable command followed by the xyz series command and no luck. this is the query:   search * | eval CATI = if(SEVCAT=="I", 1,0) | eval CATII = if(SEVCAT=="II", 1,0) | eval CATIII = if(SEVCAT=="III", 1,0) | chart sum(CATI) as I sum(CATII) as II sum(CATIII) as III | transpose | sort - "row 1"     The Drilldown XML :   <drilldown> <condition field = "I"> <link target="blank"></link> </condition> <condition field = "II"> <link target="blank"></link> </condition> <condition field = "III"> <link target="blank"></link> </condition> </drilldown>     Any help is appreciated. Thank you,  Marco   ... View more

I am currently using a bar chart visualization but I need to sort the bars by descending order.  I can't use a simple  chart count by EVNTSEVCAT | sort -count  because the SEVCAT field contains multiple values and we only need I,II, and III. below is my query         search * | eval CATI = if(SEVCAT=="I", 1,0) | eval CATII = if(SEVCAT=="II", 1,0) | eval CATIII = if(SEVCAT=="III", 1,0) | chart sum(CATI) sum(CATII) sum(CATIII) | transpose           The visualization:   I need the visualization to be sorted in descending order. Any suggestions help :-).   Thank you, Marco ... View more

Currently I have a field holding a Julian date. I am trying to convert it using strftime but i'm having issues.   Date = 2022.091 Current query:     index = * | eval ConvertedDate = strftime(DATE,"%Y.%j")| table ConvertedDate       Ideally I would like to get an output like 04/03/2022   Thank you, Marco ... View more

Currently, I have a Table that gives me Severity Categories.  Sevcat I Sevcat II Sevcat III 5 10 12   I'm using the following SPL to generate this table:   |eval CATI = if(SEVCAT="I", 1,0) |eval CATII = if(SEVCAT="II", 1,0) |eval CATIII = if(SEVCAT="III", 1,0) |stats sum(CATI) as "Sevcat I" sum(CATII) as "Sevcat II" sum(CATIII) as "Sevcat III" |table "Sevcat I" "Sevcat II" "Sevcat III"   Is there some way to convert this table into a piechart.  Any help is appreciated 🙂 -Marco  ... View more

I am setting up TCP with TLS. Currently I have a Syslog Server sending data to my Splunk Instance but my Message is being rejected:     02-09-2022 11:15:13.039 -0800 ERROR TcpInputProc [3972 FwdDataReceiverThread] - Message rejected. Received unexpected message of size=1009989694 bytes from src=myserver.com:1571 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.       Below is my Inputs.conf     [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path] disabled = 0 [splunktcp-ssl:514] sourcetype = syslog [SSL] serverCert = C:\Program Files\Splunk\etc\auth\server.pem sslVersions = tls1.2 cipherSuite = ECDHE-RSA-AES256-GCM-SHA384 sslPassword = PASSWORD       Any help is appreciated Thank you, Marco ... View more