Hi @divyagiri, @SloshBurch is absolutely correct. The best place to begin would be to work through the Splunk Search Tutorial: https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial. It sounds like you're not the one creating the searches that back the visualizations on an existing dashboard? Otherwise, you would see the direct results of your search, called "events" populated in a table before choosing a visualization that represents that data, and then creating a dashboard. The fields that are extracted which group these events are listed to the left of the statistics table. Once you see the results of your data, you can choose a visualization if you've used a command that results in a statistics table. You'll see this option in a tab above the results table. The Splunk Search tutorial is an excellent place to start, but so is the Splunk Dashboards and Visualizations Manual https://docs.splunk.com/Documentation/Splunk/latest/Viz/Aboutthismanual And, yes, if someone has shared a dashboard with you and you have the correct permissions or they've set up the option, you can hover over the visualization to "Open in Search" and see the raw data for yourself. Best, Eve ... View more

I promise you all — it's high, high priority. We’re investing in the new dashboards framework beta, including content export there. Please feel free to contact the team with specific requests for enhancement - they closely monitor the inbox: dashboards-beta@splunk.com. When we get Content Export working better, it'll be in a future version of this app: https://splunkbase.splunk.com/app/4710/ ... View more

Just don't use the Drake equation...you'll be seriously depressed. https://www.maa.org/news/math-news/drake-equation-adapted-to-estimate-soulmate-search-odds ... View more

I was wrong. I didn't notice the error message 😞 emailed you back. Hopefully we'll address the inability to add time tokens in emails for jobs and search results in our new Content Export re-factor. ... View more

After using @efavreau 's answer, it looks like you're getting the UNIX timestamp, rather than the format you want. Take a look at this: https://answers.splunk.com/answers/601344/date-formatted-fine-in-dashboard-but-incorrectly-i.html @mlevsh - I'll follow up via email regarding the feedback you left in the docs. I just found this site: https://www.epochconverter.com/ when I copy your timestamp into it I get 1/24/2020 7:18:58 PM. So, yeah. UNIX. Best, Eve ... View more

It is and it will! As for the rest of your comment, you'd have to talk with the engineers for that info. I'm just the tech writer 🙂 Here's the email alias for the Splunk Dashboard App (beta) only: dashboards-beta@splunk.com. ... View more

Please see my post on page two of this thread. Eve ... View more

Please see my comment — it got moved to page 2. Eve ... View more

Keep an eye on The Dashboards App: http://splunkbase.splunk.com/app/4710/ . Currently it must be installed using the CLI, but the next version, v 0.3.2, which will be coming out soon, will be installed like any other app. New and enhanced versions of the dashboard and visualization experience will be added with each release, and though we don't yet have content export, it's at the top of the list for an upcoming release. This is a total re-work of the Dashboard Framework and totally worth checking out. If your existing Simple XML dashboards have features supported by the version of the App you have installed, you can convert them to the new framework, which features a really cool visual editor and JSON source code. If you can't convert your dash, than you can always create a new one within the app. Finally, I can't stress enough. This is a beta app - so your feedback and suggestions will really influence its direction. You can find the email for the beta app team to leave feedback in the docs: https://docs.splunk.com/Documentation/DashApp/latest/DashApp/IntroApp ;) Cheers, Eve ... View more

Hi Folks, We're working on an exciting new Dashboard Framework. It's currently in beta in Splunkbase here: https://splunkbase.splunk.com/app/4710/ The documentation is here: https://docs.splunk.com/Documentation/DashApp/0.2.0/DashApp/IntroApp Trellis is not yet a feature in this beta version, but we're working on it, and when it's added, we'll fix the sort problems in the new app. I can't give you a timeline, but keep an eye out for beta version updates that will happen often. I suggest checking out the app, the visual editor is completely re-imagined and really new. As we add features, it'll become very powerful. You can even convert most existing Simple XML dashboards (the new source code is JSON) to the new framework (as long as the features are supported). Please check it out and give us some feedback. We think you'll be pleasantly surprised. ... View more

Hi folks, This issue will be fixed in our next release. Thank you for your patience. -Eve Meelan ... View more

We are still working on this issue and it is considered a priority. I can't give you an exact timeline, but I can tell you that export to PNG (which will solve many of the problems you all are encountering) is a part of a larger project that will be going into our partner beta program very soon. I hope this helps, and I wish I could be more specific, but I don't have a firm timeline. Cheers, Eve ... View more

Hi Vinoth, I am a technical writer here at Splunk, and I received your docs feedback question via email, but when I tried to respond, Outlook said there was a problem sending the message. Perhaps an email typo? I think the suggestion of using the Splunkbase app is a good one. Otherwise, our export to PDF feature is currently being worked on to make the experience much more helpful and accurate. Cheers, Eve ... View more

Hi @rormond, Only the y-axis can be made independent for the trellis layout. I'm not sure what kind of data your x-axis represents, but if you consider a transforming command like timechart it would be very difficult to find a way to automate a data scaling function because timechart is dependent upon the time interval you choose when you ran the initial search, while the y-axis intervals are what are returned. The returned values are easier to parse and scale independently. Trellis isn't designed for the kind of functionality you desire. Suggestion: You can use the zoom feature to zoom in on an x-axis section on the individual trellis panels. i.e. once you create your trellis layout and save it as dashboard panel, you and other users that you've shared the dashboard with can click and drag to select a section of any of the trellis panels to zoom in on the areas along the x-axis in panels where the data is scrunched up in order to spread it out. the obvious limitation is that you can't save the dashboard in the "zoomed" state. I hope this helps, I'm sorry my answer wasn't exactly what you were looking for. Cheers, Eve ... View more

Hi folks, The answer above is correct for default alert actions, but you can use HTML tags defined in scripts that you can write for custom alert actions. You can view an example of a custom alert action that uses HTML tags here: http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/AdvancedDev/ModAlertsAdvancedExample#HTML_file_for_the_custom_alert_action_form To learn how to create a custom alert action, you can start here: http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/AdvancedDev/ModAlertsIntro And finally, if you want to learn how to use the Splunk add-on builder to create an alert action, this blog is a great start: http://blogs.splunk.com/2016/10/24/creating-mcafee-epo-alert-and-arf-actions-with-add-on-builder/ ... View more

We are currently working on solving these PDF issues, as well as allowing users to export reports and other views as PNGs. Stay tuned! ... View more

Hi folks, Strive's comment is correct. In order for Custom log alert events to be set up in a distributed environment, you must define the index on the search head. We are looking at this as a bug, but Strive's work-around is valid. For reference, the bug number is SPL-146802 ... View more

I think you might find the answer to your problem here: https://answers.splunk.com/answers/40435/error-unable-to-stop-splunk-helpers.html let me know if this helps! ... View more

The Search ID (SID) is a string of characters that uniquely identifies a job. They are the same thing, but the correct term is search ID or SID. Hope this helps! Best, Eve ... View more

My assumption is that you want to run a search in the UI then grab the results through our API; is that correct? There are two ways to find the search ID (SID) of a job. One is to go to the search in the Splunk UI, click Job > Inspect Job. The Search job inspector will show you the SID in parenthesis. You can also return the SID of various search jobs via API by using the POST command with the following call: https://host:mPort/services/search/jobs . The "host" and "mport" fields are place holders for your personal info. You can view more info here: http://docs.splunk.com/Documentation/Splunk/6.6.3/RESTREF/RESTsearch#search.2Fjobs for this endpoint. If you expand the POST window, you can view all of the parameters available, but you shouldn’t need any of them unless you want to limit the number of searches, the timeframe, etc… Note, however, that if you choose not to use any parameters, I think all searches are returned, and that might take a really long time. At the bottom of the expanded window, you can view various API calls that make use of the SID returned by the endpoint above. For example, to view the status of a job, you would call: search/jobs/{search_id} Where {search_id} is the SID returned by your original call (or copied from the Search job inspector in the UI). I hope this answers your question. Thanks, Eve ... View more

Hi Splunkers, Thanks for the question (and answers). You can also find information about the configuration differences for Windows and *NIX machines here: http://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/DifferencesbetweenunixandwindowsinSplunkoperations Cheers, Eve Eve Meelan Technical Writer Splunk > emeelan@splunk.com ... View more