Yep, foreach is the way to solve this. Thank you. ... View more

Splunk solved this problem in v 8.1.1 by implementing polkit along with Systemd.  ./splunk enable boot-start -systemd-managed 1 -create-polkit-rules 1 -user <username> Depends on Polkit and systemd version available on your system, Splunk will give granular access to the user mentioned in above command.  Polkit  helps to not hand out  {{sudo}}  access to the user, so its a helpful feature for systemd. https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/RunSplunkassystemdservice#:~:text=file%20naming%20considerations.-,Install%20polkit%20rules%20to%20elevate%20user%20permissions,-In%20version%208.1.1   ... View more

This is the solution from Splunk as well:   https://splunkcommunities.force.com/customers/apex/ArticleDetailPage?URLName=Scheduled-Search-Alert-not-Triggering-Emails     ... View more

Awesome! I had tried something similar before but couldn't figure out how to get the size of a whole row. Didn't think about going through each field separately. Quite resource intensive, though, as you mention in the code itself. Doesn't work well for me when using the REST endpoint |rest/services/data/lookup-table-files splunk_server=local This one works better for me: |rest /servicesNS/$env:user$/$env:app$/data/lookup-table-files splunk_server=local And all the $TOTAL_FIELD_VALUE$ cause problems in my dashboard as I use a form, replacing it with #TOTAL_FIELD_VALUE# works fine. Still, awesome! ... View more

Hi @usd0872, no, you have to migrate indexers one by one following documentation at https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Moveanindex . Ciao. Giuseppe ... View more

Check out sideview utils : http://sideviewapps.com/apps/sideview-utils/ This has a multiplexer module that can create panels from a search (as can ITSI, if you'd like to go that route). Perhaps @sideview would care to elaborate. ... View more

Try something like this inputs.conf [WinEventLog://Application] disabled = false blacklist = 33205 index = index1 props.conf (on Indexer/Heavy forwarder) [WinEventLog:Application] TRANSFORMS-idx_assign = assign_idx transforms.conf (on Indexer/Heavy forwarder) [assign_idx] DEST_KEY = _MetaData:Index REGEX=(?m)EventCode\s*=\s*PUT_YOUR_SPECIFIC_EVENTCODE_HERE.* FORMAT = index2 ... View more

Just a note if somebody runs into the same problem we did: ... -d value="groupA;groupB;groupC" everything after the first semicolon is cut and ignored, even though properly quoted in the command line. We could get around that by using the hex code representation for the semicolon: ... -d value="groupA%3bgroupB&3bgroupC" ... View more

That starts to make sense. It appears I was mixing the two approaches documented at http://docs.splunk.com/Documentation/Splunk/5.0.4/Viz/Exampleform#Use_the_same_search_in_multiple_panels in an incompatible way. With <searchTemplate> using $resolution$ multiple times seems to work, but not with <searchPostProcess> . Thanks for explaining. ... View more

I second that for splunk 6.3.3 with DB Connect 1.1.7. Disable the input; change the file; enable the input. Works fine. ... View more