Our dashboard is basically html to begin with. The whole thing is a bunch of token filled tables over an SVG, and it has css in-line, which a Splunk update broke back in 7.2 something iirc. The XML used to render just fine before then. ... View more

Does this mean you solved your issue? I just upgraded from 7.3.3 to 8.0.5 and have a dashboard I can no longer convert to HTML. ... View more

I think you want to look at should_linemerge or creating a specific line_breaker options in props.conf https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#Line_breaking ... View more

Correct, it would change the local instance to an indexer member. It does not allow you to perform remote administration of other peers. If you aren't running Splunk web on your indexers then you'll need to use one of the other methods listed in the docs. Directly edit the peer's   server.conf   file. See   "Configure peer nodes with server.conf"   for details. Use the CLI   edit cluster-config   command. See   "Configure peer nodes with the CLI"   for details. ... View more

Metadata search should be faster, and capture hosts without recent events. Otherwise you may need to use a lookup to define your list of hosts. | metadata type=hosts index=abc* | search host=efg* | eval warn=relative_time(now(), "-15m") | eval crit=relative_time(now(), "-30m") | eval status=case(recentTime >= warn, "Normal", recentTime < warn AND recentTime >= crit, "Warning", recentTime < crit, "Critical", 1==1, "Undefined") | table host recentTime status totalCount | eval recentTime=strftime(recentTime, "%c") ] ... View more

Try setting Content-Type 'application/json' in the headers. This is an example I'm doing using Python requests module. requests.post("https://hec-server:8088/services/collector", headers={'Authorization': 'Splunk xxxxxxxxxxxxxxxx','Content-Type': 'application/json'}, data=json.dumps({'event': dictVar}), verify="False") ... View more

If you are seeing that page it means you have the node configured as a Search head. Click on Edit > Node Type There you will be able to configure it as a Peer node ... View more

Body paint. Rinse and repeat daily is highly recommended. ... View more

Are you trying to get triggered alerts, or just ALL configured/enabled? You can get some of that info from a REST endpoint. | rest /services/configs/conf-savedsearches | search action.email=1 disabled=0 | table action.email.to alert.severity search splunk_server title ... View more

I assume you're wanting to create a custom table and not the Inline Table. The Splunk sendemail.py script will escape any html you write in the Message form, so it will all appear as text in the email body. There have been threads on this topic before, but I don't remember ever seeing a simple solution. ... View more

For advanced evaluation like that you will probably need to do it within the search itself. You can use time functions to evaluate the current hour, and then add temporary fields to evaluate and further filter the search against. This may not be the most elegant solution, but I think it works. The important lines being the creation of the "smallHand" hour field; using it to set the filter field; and then applying the where filter. | makeresults | eval smallHand=strftime(now(), "%H"), field1="abc;def;ghi", field2="Lorem ipsum dolor sit amet" | makemv field1 delim=";" | mvexpand field1 | eval smallHand=if(field1="def" OR field1="ghi", "10", smallHand) | eval filter=if(smallHand>=9 AND smallHand<11 AND field1="def", "True", "False") | where filter!="True" | fields - filter, smallHand ... View more

It looks like you are using colon as your key:value delimiter. In that case you can send the logs in the exiting format to Splunk and configure delimiter extraction. See https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Exampleconfigurationsusingfieldtransforms#Configure_delimiter-based_field_extractions ... View more

Are you possibly hitting the limit of max searches per the user role setting? ... View more