I don't think you can do this in a column chart. The tooltip HTML is created from a single series using the point value (X,Y) under the mouse pointer. Are you open to custom solutions, or are you restricted to pure SimpleXML? ... View more

You raise a good point about data models. I've purposefully modified the event types to 1) constrain the data models to a specific index and 2) allow users with varying default indexes to search by event type independent of the data model. ... View more

Can you provide more context? The search contains no tokens, and as written, the search will fail with an unbalanced parentheses parsing error. ... View more

Can you clarify your question? "Totips" isn't a field in your search. If you want to display e.g. "Totips: 19" in place of "C: 19" in the tooltip, then simply replace C with Totips in your search: sourcetype="securitycenter" asset=AMER_MS_SRV OR asset=EMEA_MS_SRV OR asset=APAC_MS_SRV | rex field=asset "(?.)_MS_SRV|" |chart eval(round(latest(crit),0)) as **Totips* by name |eval pos = case(name=="AMER","1",name=="EMEA","2",name=="APAC","3",name==name,"4") | sort pos| eval target=1 | table name, Totips, target ... View more

Create a simple lookup file, e.g. sourcetype_ghi_lookup.csv, with two fields, sourcetype and ghi. E.g. For sourcetype=1 and sourcetype=2: sourcetype,ghi 1,"some ghi value" 2,"another ghi value" | lookup sourcetype_ghi_lookup.csv sourcetype output ghi You can use the file in both a lookup and automatic lookup definition to omit the lookup command in searches and populate the ghi field automatically. ... View more

The Palo Alto add-on and app also assume the index is in your default index list for search. If you're not using main or if the index is not in your default index list, you'll need to copy and modify all event types in both apps in addition to enabling data model acceleration, e.g.: SplunkforPaloAltoNetworks/local/eventtypes.conf: [pan_wildfire_report] search = index=your_index (sourcetype=pan_wildfire_report OR sourcetype=pan:wildfire_report) Splunk_TA_paloalto/local/eventtypes.conf: [pan] search = index=your_index (sourcetype=pan_* OR sourcetype=pan:*) Replace "your_index" with your actual index. These are just examples. There are more event types in both apps. ... View more

Try adding MAX_TIMESTAMP_LOOKAHEAD to your props stanza: MAX_TIMESTAMP_LOOKAHEAD = 320 if the content length varies, use a value appropriate for the variance: MAX_TIMESTAMP_LOOKAHEAD = 512 I use multiples of 64 on x86-64 "just in case" Splunk allocates this as a separate buffer. Different architectures have different cache line sizes. ... View more

If Splunk won't detect the source type for *.log, try sourcetype = log4j in inputs.conf. The *.json files may work automatically as _json, but if not, you can use a custom source type with either INDEXED_EXTRACTIONS = json or KV_MODE = json In props.conf. ... View more

(Edit: Removed note about limit option. It's only applicable to split-by groups.) If your goal is to display 86400 points, you'll need a browser viewport at least 86400 pixels wide plus chart overhead. On smaller displays, the chart will show a subset of evenly distributed values across the timeline. Depending on your desired chart width, you may want to optimize how data is aggregated in the timechart command rather than letting the chart drawing code handle it. ... View more

What sort of problem are you having? If you don't have access to Splunk support or if the zip installation doesn't work as expected, folks here can help with Windows issues, too. ... View more

I've been under the impression that both the = and IN operators require that a field be defined. If you want to include events where username is not defined, i.e. null is valid but not in your value set, add the following to your search: NOT username IN (Johndoe Mikesomeone Jennifersomeoneelse) OR NOT username=* The search optimizer itself may treat =, IN and !=, NOT IN as equivalent and expand IN to = internally irrespective of the search bar formatter. Perhaps a Splunk employee can confirm. ... View more

If your switches support the feature and you have the capacity, yes, you should be able to use RSPAN to send traffic to a monitor port on the core switch. You can install Stream as a standalone Stream forwarder (no local instance of Splunk necessary), as an add-on on a Universal Forwarder, or as an add-on on a full instance of Splunk Enterprise (a heavy forwarder). Where and how you install Stream depends on your requirements. If you install the app and add-on on a single instance of Splunk Enterprise, you can manage everything locally and forward to indexers as needed. Whether or not this will meet your performance requirements depends on the volume and type of traffic you need to analyze. Since you're planning to install Stream on a virtual machine, the amount data you can process depends largely on whether you dedicate a physical interface--which is not always possible in converged environments--and pin CPU and memory resources. ... View more

Compatibility with Splunk Enterprise 7.2 was documented with the release of Splunk Stream 7.1.3 in April. ... View more

It depends on your topology or what you intend to capture. In the most basic configuration, you would define a monitor session (SPAN) destination interface on each switch and physically connect those interfaces to your VMware host hardware. If you have trunk interfaces between your switches, you can define an RSPAN VLAN to forward traffic to an interface on one switch and connect that interface to your VMware host hardware. You would couple either solution with an appropriate virtual switch configuration to bring the physical traffic to your virtual machine. With RSPAN, you can also forward traffic between virtual switches on multiple VMware hosts, which is desirable if you want to see VM-to-VM traffic. All of this comes at a cost, of course. You're increasing utilization of your switches, both physical and virtual, by mirroring or copying frames. Your switches will prefer live frames over monitored frames, so you'll likely see drops on your monitor interfaces. You also can't exceed the capacity of your monitor interfaces. I.e. It's not possible to monitor two fully utilized 1 Gbps interfaces over a single 1 Gbps monitor interface. I haven't used ERSPAN, but if your switches support it, the tunnel may mitigate drops during periods of increased activity. ... View more