I have a scenario wherein each heavy forwarder has syslog listeners running. I need an alert or something in the dashboard to show that a particular heavy forwarder has the following listener down.
I did the following and was able to list the Splunk heavy forwarder, listener and its associated PID:
index=operatingsys (host=hf1 OR host=hf2 OR host=hf3) source="/var/run/syslog/*" | rex .......... | table host listenername PID
Output was as follows:
host  listenername   PID
hf1   ciscolistener  123
hf1   winlistener    567
hf2   ciscolistener  345
hf2   winlistener    789
hf3   ciscolistener  654
hf3   winlistener    523
hf3   whitecoat      231
Now, I can share an input CSV list as below, which is static:
host  listenername
hf1   ciscolistener
hf1   winlistener
hf1   whitecoat
hf2   ciscolistener
hf2   winlistener
hf2   whitecoat
hf3   ciscolistener
hf3   whitecoat
hf3   winlistener
As you see in my search output, hf2 and hf3 have whitecoat missing (meaning whitecoat listener status is down, and technically, it will not have PID assigned as it is down). I need to show that the listeners on the heavies are down in a dashboard/report, and for an alert to be generated whenever any listener is down on one of our heavy forwarders.
Open to discussion on using any different approach, if possible, to wrap this up.
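One lookup-based way to get the "expected minus observed" list, as an added example that is not from the original post: it assumes the static CSV above is uploaded as a lookup file named expected_listeners.csv (columns host and listenername), and that the rex from the search above (elided in the post, shown here as a placeholder) extracts the fields listenername and PID.

```spl
| inputlookup expected_listeners.csv
| append
    [ search index=operatingsys (host=hf1 OR host=hf2 OR host=hf3) source="/var/run/syslog/*"
      | rex <your listener/PID extraction here>
      | table host listenername PID ]
| stats count(PID) AS running_count BY host listenername
| where running_count=0
| eval state="DOWN"
| table host listenername state
```

Lookup rows carry no PID, so count(PID) is zero exactly for the host/listener pairs that the syslog search never observed; save this as an alert that triggers when the number of results is greater than 0, and the same search backs a dashboard panel of listeners currently down.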