Those lists aren't in a table, they are gathered from searching your existing indexed data. If you are not ingesting the same sources and source types from the same hosts, the lists will be different. Those three items are simply fields like any other from your data in Splunk. If you want to replicate your entire Splunk ES instance, copy the whole $SPLUNK_HOME folder, then change configs as needed for the new hostname or other items needed. This will copy your existing data and the lookups needed to match your current installation. ... View more

This no longer works with 5.x. ... View more

You can't without re-writing fundamental pieces that would break things for admin users. One could pull data via API/REST and provide a custom UI via another system, but those menus can't be removed otherwise. ... View more

Start with http://docs.splunk.com/Documentation/Splunk/6.4.1/Troubleshooting/Cantfinddata and https://answers.splunk.com/answers/221885/how-to-troubleshoot-why-i-can-see-network-traffic.html just in case something there helps. I would try a combination of the splunkd logs and using strace on the Splunk process. Also, enable debug and sifting through the results may be useful. ... View more

You can adjust this, but the primary calculation is a practical limit on performance. This is controlled in limits.conf. The maximum number of concurrent searches is calculated based on max_searches_per_cpu times the number of CPU cores in the system (as reported by the OS, which means VMs often lie when given multiple vCPUs but are running on a small number of hardware cores thanks to threading and shady hypervisor oversubscription models) + base_max_searches . max_searches_per_cpu defaults to 1 base_max_searches defaults to 6 Therefore, in a reference system with 12 cores, you have 1 x 12 + 6 = 18 . If you need to crank this up, you can linearly scale this by core count using max_searches_per_cpu by setting it to 2 or more. This changes the math to be 2 x 12 + 6 = 30 or 3 x 12 + 6 = 42 . If you just want to tweak it up by a fixed amount, adjust base_max_searches to a higher value. All of the above comes with the caveat that generally these are bad ideas to implement in a production setting unless you have a highly underutilized system performing large numbers of extremely low memory and low CPU usage searches. ... View more

Can you show examples of the source event data? ... View more

mikelanghorst, that prevents you from getting the % 408 codes of the whole. ... View more

Yes, you are setting yourself up for potential performance problems at that ingest rate. ... View more

This worked perfectly! I set it to 20px size to force it a bit bigger but not so it felt overstuffed in the cells (which avoids changing the cell sizes). ... View more

In current implementation, any changes made to the environment will not likely be logged within Splunk, certainly not in _internal et al. If you make changes via config files outside the UI or API, those things actions and changes can't be logged within Splunk. You can ingest the files themselves to compare _raw or even single line values, depending on your parsing preferences. However, it might be useful to have an external tool create hashes of all the files and store a log entry into Splunk with the hash, full path, and other metadata about the files. Then you can more easily report on changes to any of these files, including users. ... View more

You can do this in a variety of ways, but using the REST API is likely your best approach. Read http://docs.splunk.com/Documentation/Splunk/6.2.3/RESTUM/RESTusing#Authentication and http://docs.splunk.com/Documentation/Splunk/6.2.3/RESTTUT/RESTsearches. ... View more

I like your commentary and suggestions about how to use answer vs. comments, as well. It is easy to edit an answer, so why not put multiples together? ... View more

I concur that down votes aren't (or shouldn't be) personal attacks on the poster - ever. Votes should be about quality of content. ... View more

I think up-voting early and often is a good thing. I think this holds true for both good questions (or interesting ones, even if not well-stated) and good answers (again, or interesting ones, even if not well-stated) that provide valid results. Also, I think we all should encourage the acceptance of the most correct answer for a question. If we don't vote things up, they won't get noticed. If we do vote things up, they will get noticed. Also, people asking good or interesting questions or providing good or interesting answers will usually do so more often if they get upvotes. This is due to a complex human response and motivation mechanism similar to why social media "like" hits and similar positive flagging works. These actions key into things wired into us humans for feeling good. The real result of more people voting is not to dilute each vote but to empower each questioner and answerer. If more people do it, we all get more feedback about it and do it more. As for down voting, I think it should be reserved for straight up poor advice or false answers , yet used far more often in general. A down vote will stand out, and it should do so as an example of something that will not provide a functional solution. ... View more

Try this (I just tested it with a similar search): ... | where NOT match(RTG_Call,"Response$") That will remove the events with *Response at the end. If you want to keep those and not the others, remove the NOT . ... View more

In your search, you have RTG_Call="GetDeliverySchedule*" . Does that mean there are two values that match due to the * at the end? Is this why you have 16 items not 8? ... View more

No, my example was a fictitious search to find fields that could be acted upon. ... View more

Hrm. Perhaps place the dedup before timechart. ... View more

No, I didn't have your search string that produced your results, so it was an example of different web calls. Your search should work perfectly fine. To translate, where I was using an arbitrary name of webcallfield you used your real field name of RTG_Call . ... View more

This only works if there are multiple results on the chart, not a single line. In those cases, the colors ARE different. Your method can choose the color set used, but it has nothing to do with the search producing multiple results. ... View more

Try adding: ... | dedup RTG_Call To the end. ... View more

Change your timechart to: ... | timechart avg(duration) AS "Response Time" by RTG_Call ... View more