I have a dashboard/form that has a label and a description. I would like to display a token value in the description. Example: <form> <label>Metric Dashboard</label> <description>Data displayed here is current as of $as_of_Time$ on $as_of_Date$</description> ... ... </form> But currently this does not work and only displays the exact text I put in the XML. I have successfully created the global search and defined the tokens, and they work as expected if I call them from inside a panel. I am wondering if this is a limitation specifically against the top level label and description tags. Thanks, ... View more

Currently it seems that when using the timeline visualization it only supports displaying the timeline dynamically based on the _time values in your results. If my first _time value is 07:00:00 and the latest is 07:05:00, the timeline chart visualization only displays from 07:00:00 to 07:05:00. Is it possible to force the timeline to display the full range of my search, or manually set the time range? I want the timechart to always display 00:00:00 - 23:59:59 despite the _time values of my results. I can kind of fake it by manipulating the results to include extra events with _time set to the start and end of the window I want displayed, but this has other consequences that are not desirable. Any advice and assistance is appreciated. Thanks, ... View more

I have an "interesting event," how can I find an event meeting specific criteria that happened before my interesting event, and an event meeting different specific criteria that happened after? Here is an example: I have a log that tells me a user visited a specific website. I consider this my interesting event. I also have logs that tell me when the user logged in and logged out, these are the other two events I am looking for. I want to detect anytime a user visits this website, and then put it all together and know when they logged in, visited the site, and logged out. All events have a field that identifies their Type (Login, Interesting Event, or Logout) and obviously include _time, all three types share the username, and the Login and Logout events also include a "SessionID" field that match the opposing event. Meaning SessionID can be used to find the specific Logout event that corresponds with each Login, and vice versa. With the critical gap being that the Interesting Events do NOT include a SessionID. Ultimately the goal is to add the SessionID to the interesting event because the visualization I am trying to use (timeline) requires them to share a unique value. I dont think this by itself would be particularly difficult, as it seems a well designed streamstats command would get the job done. The problem I run into is that users can have multiple sessions that overlap. This means that my logs will not always go in the perfect sequential order of Login --> Interesting Event --> Logout. A user could visit the website multiple times during the same session: Login --> Interesting Event --> Interesting Event --> Interesting Event --> Logout. A user could create a second session: Login_1 --> Login_2 --> Logout_2 --> Interesting Event --> Logout_1 A user can "chain" sessions together: Login_1 --> Login_2 --> Logout_1 --> Interesting Event --> Logout_2 And then the issue of having two active sessions when the interesting event occurs, and not really being able to identify in which session it occurred. For my purpose, this does not bother me as long as the interesting event is "assigned" to one of the active sessions. To continue piling on, it is obviously possible that there is no logout event yet. And unfortunately (and despite logic...) it is possible to not find a login event also. So we need the solution to accommodate the situation where we don't find one of the "book end" events. Here are some example events: 03/12/2019:18:58:45 TYPE:login USER:DoeJ SESSIONID: 121292 03/12/2019:19:02:25 TYPE:interesting_event USER:DoeJ 03/12/2019:19:28:27 TYPE:login USER:DoeJ SESSIONID: 121484 03/12/2019:19:31:05 TYPE:interesting_event USER:DoeJ 03/12/2019:19:44:12 TYPE:logout USER:DoeJ SESSIONID: 121292 03/12/2019:18:46:41 TYPE:login USER:DoeJ SESSIONID: 122677 03/12/2019:18:47:33 TYPE:logout USER:DoeJ SESSIONID: 122677 03/12/2019:19:48:09 TYPE:interesting_event USER:DoeJ 03/12/2019:20:04:33 TYPE:interesting_event USER:DoeJ 03/12/2019:20:11:54 TYPE:logout USER:DoeJ SESSIONID: 121484 And the goal is to end up with the following information, ultimately to be piped into a table of some sort: 03/12/2019:18:58:45 TYPE:login USER:DoeJ SESSIONID: 121292 03/12/2019:19:02:25 TYPE:interesting_event USER:DoeJ ***SESSIONID: 121292*** 03/12/2019:19:28:27 TYPE:login USER:DoeJ SESSIONID: 121484 03/12/2019:19:31:05 TYPE:interesting_event USER:DoeJ ***SESSIONID: 121484*** 03/12/2019:19:44:12 TYPE:logout USER:DoeJ SESSIONID: 121292 03/12/2019:18:46:41 TYPE:login USER:DoeJ SESSIONID: 122677 03/12/2019:18:47:33 TYPE:logout USER:DoeJ SESSIONID: 122677 03/12/2019:19:48:09 TYPE:interesting_event USER:DoeJ ***SESSIONID: 121484*** 03/12/2019:20:04:33 TYPE:interesting_event USER:DoeJ ***SESSIONID: 121484*** 03/12/2019:20:11:54 TYPE:logout USER:DoeJ SESSIONID: 121484 Another way to ask my question is: Anytime I have Event_B happen, how can I find the previous Event_A that does not have a matching Event_C? (Anytime I see my Interesting Event, how can I find the previous Login that doesnt already have a Logout) I have struggled with this task in one form or another multiple times. I know it is not going to be simple, but even steps in the right direction would be greatly appreciated. Thanks in advance. ... View more

I have a Splunk environment that is simple enough to be managed by a single deployment server. Currently, when installing a forwarder, we script in the creation of two deploymentclient.conf files. One file is in etc\system\local and identifies the clientName. The second deploymentclient.conf file is in etc\app\OurDeploymentApp and defines the targetUri to point to our deployment server. The system comes up, uses the two deploymentclient.conf files to reach out to the deployment server and identify itself. The deployment server does its thing... and pushes the appropriate deployment apps to the system. One of the deployment apps that is pulled down is "OurDeploymentApp" which contains a the same deploymentclient.conf file defining the targetUri. This allows us to move our deployment server if needed by updating just the deployment app. I know the conf priority is higher for apps. Is it possible to put a back up targetUri setting in etc/system/local in case something happens to the deployment app file? This will have no impact in a "standard" situation of both files being present, but add a layer of redundancy if the app version of file were removed. Is there a problem with two files specifically defining deploymentclient.conf's targetUri? Thanks, ... View more

Hello fellow splunkers, A few static files are generated within my environment, and when they do they are collected by Splunk. The date and time the files are generated are not consistent, but I know I will get 4 per month. Some details on my data management in case it is useful, the files are from the same host, have the same sourcetype, but different source, and obviously different _time. My question is how to automatically recognize when all 4 files have been indexed, and perform the desired actions. Specifically I am trying to run some reports and update some dashboard panels. I need my reports to run once Splunk has indexed all 4 files and not before. I also don't need the reports to run immediately, it would be fine if they ran "the next day" after all 4 files have been indexed. The reports use table formatted results (so all fields should still be available within the results). The dashboard panels need to be designed to always use the most recent complete set of data. (4 files from the same month, not "the last 4 files") I should mention that it is possible for a file to be accurately generated, and be empty. This would prevent running the search and counting the number of source values that show up. In this case the file is still generated and indexed, it just wont contain relevant data. I only want the report to run once per month as soon as possible after all 4 files are indexed. I can't just wait till the last day of the month for everything to happen. Any assistance or ideas on how to accomplish this would be appreciated. Thanks, ... View more