Hi All
I am using custom logic in dashboard XML so that Splunk can choose the filter (AND, OR) based on the input given.
Here is my dashboard XML, which was working fine or giving the right events in these scenarios:
Only the value of Transaction Id given, with Anonymous Account Id left blank. (Splunk going for OR filter)
Only the value of Anonymous Account Id given, with Transaction Id left blank. (Splunk going for OR filter)
Both Transaction Id and Anonymous Account Id given, with both those values existing in the events. (Splunk going for AND filter)
Not working in these scenarios:
Both Transaction Id and Anonymous Account Id given, with not having both those values in the events. (Splunk going for OR filter)
So, in the above not-working scenario, Splunk is going for the (OR) filter, which should be an (AND) filter.
Thank you in advance.
<form>
  <label>Test</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="text" token="transactionid" searchWhenChanged="true">
      <label>Transaction Id</label>
      <default></default>
    </input>
    <input type="text" token="anonymousaccountid" searchWhenChanged="true">
      <label>Anonymous Account Id</label>
      <default></default>
    </input>
    <input type="time" token="time">
      <label>Monitoring Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <search>
    <query>index=kubernetesservices splunk_server_group=aws_w transactionId="$transactionid$" AnonymousAccountId="$anonymousaccountid$"
| head 1</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <done>
      <!-- No Results found by performing AND, hence change the filter to OR -->
      <condition match="$job.resultCount$==0">
        <set token="filterType">OR</set>
      </condition>
      <!-- Result/s found by performing AND, hence retain the filter to AND -->
      <condition>
        <set token="filterType">AND</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <single>
        <title>Total Event Count for Given Transaction Id / Anonymous Account Id</title>
        <search>
          <query>index=kubernetesservices splunk_server_group=aws_w transactionId="$transactionid$" $filterType$ AnonymousAccountId="$anonymousaccountid$" | stats count as Idcount </query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <title>Detailed Events for Given Transaction Id / Anonymous Account Id</title>
        <search>
          <query>index=kubernetesservices splunk_server_group=aws_w transactionId="$transactionid$" $filterType$ AnonymousAccountId="$anonymousaccountid$" </query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </event>
    </panel>
  </row>
</form>
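
The four scenarios described above, replayed in a small Python model of the dashboard's `<done>` logic. This is an added example, not part of the original post: the sample events, the function names and the assumption that a blank quoted value matches no event are constructed for illustration, and `filter_from_inputs` is a hypothetical alternative rule that picks AND whenever both inputs are filled in.

```python
# Constructed sample events (not from the original post); None means the field is absent.
EVENTS = [
    {"transactionId": "T1", "AnonymousAccountId": "A1"},
    {"transactionId": "T2", "AnonymousAccountId": "A2"},
    {"transactionId": "T3", "AnonymousAccountId": None},
]


def term(event, field, value):
    """Model of field="value". Assumption: an empty value matches no event."""
    return value != "" and event.get(field) == value


def search(events, tid, aid, op):
    """Model of: transactionId="tid" <op> AnonymousAccountId="aid"."""
    combine = all if op == "AND" else any
    return [e for e in events
            if combine([term(e, "transactionId", tid),
                        term(e, "AnonymousAccountId", aid)])]


def filter_from_result_count(events, tid, aid):
    """The dashboard's <done> rule: OR when the AND pre-search returns nothing."""
    return "OR" if len(search(events, tid, aid, "AND")) == 0 else "AND"


def filter_from_inputs(tid, aid):
    """Hypothetical alternative: AND only when both inputs are non-empty."""
    return "AND" if tid and aid else "OR"


def compare(events, tid, aid):
    """Return (operator, hit count) for the dashboard rule and for the alternative."""
    by_count = filter_from_result_count(events, tid, aid)
    by_input = filter_from_inputs(tid, aid)
    return ((by_count, len(search(events, tid, aid, by_count))),
            (by_input, len(search(events, tid, aid, by_input))))


if __name__ == "__main__":
    # Scenarios 1-3 from the post, then the failing one: both ids given,
    # each present in some event, but never together in the same event.
    for tid, aid in [("T1", ""), ("", "A2"), ("T1", "A1"), ("T1", "A2")]:
        print(repr(tid), repr(aid), compare(EVENTS, tid, aid))
```

In the last scenario the result-count rule cannot tell "one input is blank" apart from "both inputs given but never in the same event", so it falls back to OR in both cases.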