×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
cherrypick
Path Finder
Member since: ‎06-24-2024
‎05-25-2025
Community Statistics
Posts 26
Solutions 1
Karma Given 8
Karma Received 0
Member Since ‎06-24-2024
Activity Feed
Topics I've Started
View All

Re: Setting _time when field is inconsistent in Js...

by SplunkTrust in Getting Data In
‎05-24-2025 03:30 AM
‎05-24-2025 03:30 AM
Neither I have check it with _time field if it have some internal limitations for mv fields or not, but other fields this is needed. ... View more

Re: Can I ingest JSON file into an index

by SplunkTrust in Getting Data In
‎03-11-2025 12:23 AM
2 Karma
‎03-11-2025 12:23 AM
2 Karma
@cherrypick  If this is a one-time ingestion of the missing data, the simplest method is to use the Splunk Web UI to upload the JSON file directly into your index_name.  In the "Input Settings" step, set the Index field to index_name (your existing index). Review the configuration, then click Submit to ingest the file into index_name.       ... View more

Re: How to change table CSS using Classes instead ...

by SplunkTrust in Splunk Search
‎09-10-2024 03:53 AM
1 Karma
‎09-10-2024 03:53 AM
1 Karma
Go back to using ids but adopt a naming convention e.g. all those you want to affect begin with the same word <dashboard version="1.1" theme="light"> <label>Tables</label> <row> <panel> <table id="test_1"> <search> <query>| makeresults | fields - _time | eval random=random() | eval hide="Hide" | rename hide as " "</query> <earliest>0</earliest> <latest></latest> </search> <option name="drilldown">none</option> </table> </panel> <panel> <table id="test_2"> <search> <query>| makeresults | fields - _time | eval random=random() | eval hide="Hide" | rename hide as " "</query> <earliest>0</earliest> <latest></latest> </search> <option name="drilldown">none</option> </table> </panel> <panel> <table id="nottest_A"> <search> <query>| makeresults | fields - _time | eval random=random() | eval hide="Hide" | rename hide as " "</query> <earliest>0</earliest> <latest></latest> </search> <option name="drilldown">none</option> </table> </panel> <panel depends="$alwaysHide$"> <html> <style> div[id^="test_"] th{ color:red !important; border: 1px solid white !important; } </style> </html> </panel> </row> </dashboard> ... View more

Re: Convert nested JSON into a table

by SplunkTrust in Dashboards & Visualizations
‎08-28-2024 04:40 AM
‎08-28-2024 04:40 AM
Yes, change of the data format can cause incompatibilities with earlier data. That's true. The issue with your data in general (possibly not in the presented example) is - as I said - that you have separate arrays which splunk can parse into separate multivalued fields which are not related to one another. If you are absolutely sure that both of those multivalued fields are of the same cardinality and are 1-1 related with one another you can try to do join them using the mvzip() function. Then do mvexpand and split those values back to get corresponding pairs. One caveat though - since the values get merged into a single value, if they contain the delimiter you choose for mvzipping, it's gonna get ugly when you'll be trying to split them again. So it's possible but pretty ugly (and working only with some strong assumptions. ... View more

Re: Create index based on filtering field values

by SplunkTrust in Splunk Search
‎08-20-2024 04:41 AM
‎08-20-2024 04:41 AM
I still don't understand what you mean by those apps. App in Splunk terminology is just a collection of files. The same set of settings can usually be equally well provided by a single app as well as multiple ones (with the possible difference of access to config elements provided by different apps if you differentiate permissions on a role/app basis). Performance improvement when doing summary indexing happens not just because you use the collect command but because summary indexing assumes just that - doing some _summary_ on your data before indexing it. So - for example - you calculate some aggregated sums for every 15 minutes and store that value using collect command in an index so that later you don't have to summarize your raw data each time but just use that already calculated sum. That's what summary indexing is. Simply copying events from index to index is not summary indexing. ... View more

Re: How to include arguments in search macros with...

by in Splunk Search
‎08-15-2024 08:07 PM
‎08-15-2024 08:07 PM
Amazing! Thank you. Yes I misunderstood macros. ... View more

Re: How to export to CSV when fields have commas

by in Splunk Search
‎07-30-2024 10:52 PM
‎07-30-2024 10:52 PM
Oh, apologies hahaha 😅 Yeah, I tried using dev tools to see which REST endpoint WebUI uses. Not for exporting to CSV but for exporting to pdf (uses pdfgen endpoint). But can't find Splunk documentation on it anywhere and other forums don't seem to have a working solution. Anyways thanks for recommendation. Will raise a case with support for now.    ... View more

Is it possible to export entire dashboard panel co...

by in Splunk Search
‎06-27-2024 05:57 PM
‎06-27-2024 05:57 PM
As the title suggests I have a dashboard with various panels and wondering if it's possible to export a single panel and all its contents (including token values) XML to JavaScript.   ... View more

Re: How to export a popup panel on dashboard to pd...

by in Splunk Search
‎06-24-2024 10:16 PM
‎06-24-2024 10:16 PM
So the dashboard has 2 visible panels A and C which are shown. Panel B is hidden. So, when I use the default export to pdf it will only show panels A and C which works as intended. Panel B itself is a modal dialog box on top of the underlying dashboard that is also hidden by depends="$token$".  So ideally I want to adjust the export to pdf functionality to export panel B and not the whole dashboard.  ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-25-2025 11:44 PM
Karma given to