thank you 🙂 ... View more

Since you are already aware of the xml charting colour options , I assume you have added the relevant color codes in the dashboard xml. Now, I had a similar issue , not with pie charts but with a column line graph with multiple overlays. For some reason if you use charting.seriesColors , stuff will get disruptive. My colors on applying this (even though the number of fields charted was constant and 7 in number)but when i changed it to option 2 , charting.fieldColors then things became correct. That being said, you have a pie chart here and the number of 'slices' in the pie chart is important. if the number of slices are constant and you apply charting.fieldColors with the slices mentioned things should work out ... View more

@kdimaria, adding on the the point by @kmaron, Splunk adds following three classes to table data timestamp , string and numeric . While timestamp and string columns are left aligned, numeric columns are right aligned. And the behavior is same for both Table Header as Well Table Body (i.e. Data Rows). You can use CSS to apply your own style override for numeric class to be aligned left . Following code can be added to Simple XML Dashboard to align both Header and Body text to left for numeric fields (where table id is tableWithCSSToAlignHeaderText 😞 <row depends="$alwaysHideCSSPanel$"> <panel> <html> <style> #tableWithCSSToAlignHeaderText table thead th.numeric,#tableWithCSSToAlignHeaderText table tbody tr td.numeric{ text-align:left !important; } </style> </html> </panel> </row> Following is a run anywhere dashboard example in Simple XML based on Splunk's _internal index. <dashboard> <label>Table Column Header Alignment</label> <row depends="$alwaysHideCSSPanel$"> <panel> <html> <style> #tableWithCSSToAlignHeaderText table thead th.numeric,#tableWithCSSToAlignHeaderText table tbody tr td.numeric{ text-align:left !important; } </style> </html> </panel> </row> <row> <panel> <title>Table with CSS to Align Header Text</title> <table id="tableWithCSSToAlignHeaderText"> <title>Splunk _internal Last 10 Errors</title> <search> <query>index=_internal sourcetype=splunkd log_level!=INFO | bin _time span=1h | stats count by _time component log_level | head 10</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">true</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </dashboard> Alternative to above approach you can also move the following CSS code to a static CSS file and refer the same in your dashboard, after uploading to appserver/static folder. As stated earlier the table ID used in the following example is tableWithCSSToAlignHeaderText : #tableWithCSSToAlignHeaderText table thead th.numeric,#tableWithCSSToAlignHeaderText table tbody tr td.numeric{ text-align:left !important; } ... View more

Thank you so much for your time and effort! This works! ... View more

Correct. The wizard has a page specifically for configuring authentication. It accepts a URL for the login page since it may not be the same page you want to monitor. ... View more

Glad to hear that. You're welcome 🙂 I changed my original comment to an answer. ... View more

Hello there, many answers in this portal, here are couple: https://answers.splunk.com/answers/4279/timezone-and-timestamp-modification-at-search-report-time.html https://answers.splunk.com/answers/58027/change-timezone-of-logs.html also in docs: https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Applytimezoneoffsetstotimestamps https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Commontimeformatvariables if it only apply to you as a user, you can change your user default time zone to EST and you supposed to see timestanps as EST hope it helps ... View more

Since both your searches return single row, you can also do these: index=a sourcetype=a | stats count as queue | eval Name="PA" | table Name queue count | appendcols [ search index=b sourcetype=b | stats count as count] OR index=a sourcetype=a | stats count as queue | eval Name="PA" | table Name queue count | eval count=[ search index=b sourcetype=b | stats count as search] As @adonio suggested, these merging both queries into one would be optimal solution, as compared to all of the above solution with subsearches. ... View more

Thank you again! I have everything I need now. Have a nice day! 🙂 ... View more

Hi kdimaria, Usually Splunk dashboards are in XML, but in the above way it's possible to insert in XML a css element without modifying css. Using Javascripts, it's possible to modify panels width not column width, to modify column width the only way is css. Bye. Giuseppe ... View more

@kdimaria, Glad it worked. If your entire team specializes in HTML dashboard then it is great. You will open up your dashboard to all the possibilities you can imagine 🙂 ... View more

I figured this out but can't delete the question. I forgot to add the visualization with mvc. it fixed the problem. ... View more

Simple XML will get you out of most of complicated situations through CSS Extension, JavaScript Extension and Splunk JS Stack. Once you switch to HTML you have complete control of your dashboard and virtually you open up Splunk Dashboard for full fledged web development. However, you have to be really get used to the "extra line of code" (which were abstract in Simple XML). With that trade off in mind. Code as much as possible in Simple XML and switch to HTML only if unavoidable or when dashboard is stable and almost final. ... View more

Hi Experts, Kindly answer my below scenario. I have search query it displays five columns(c1,c2,c3,c4,c5).If i click on C3 column any record pop dashboard should display and C3 column value should pass as input to that dashboard. Thanks in adavance ... View more

@kdimaria, I am not sure if it fits but have you tried Table Row Expansion example on Splunk Dashboard Examples App ? ... View more

Hi, Yes, I get what you mean - high(pred) and low(pred) ae missing. However, try this : timechart span=5min avg(p) as Act |predict Act AS pred algorithm=LLP5 upper95=high lower95=low holdback=30 future_timespan=70 | eval pred=if(isnull(Act),pred,Act) |rename high(pred) AS X|fields _time,Act,X,pred You will get X plotted as the high limit values.///apply same and rename low(pred) to Y . Choose X and Y names as something like hmmm maybe - "High / Low Limit" I use he MLTK app like @niketnilay is saying.... ... View more

Thank you I think this is what I was looking for. ... View more

Thank you! I think I understand now. the period was just very confusing. ... View more

Then you can add this: | eval Message1=mvindex(message, 0) | eval Message2=mvindex(message, 1) | eval Message3=mvindex(message, 2) | eval Message4=mvindex(message, 3) | eval Message5=mvindex(message, 4) ... View more

Thank you this worked 🙂 ... View more

Have you checked that the fields are spelled correctly and capitalized properly and the field value is also correctly spelled/capped? I know it’s silly but it’s critical. The fields and values need to exist and need to be exact. Do you have example data? ... View more

@lianlim So what I was trying to do was have a table with an "Alert" column so that people could add alerts to a specific part in the table. Each row was an application that was being monitored then we wanted people to be able to add alerts to applications if needed. So I used a Jquery Dialog to create the prompt to get information to add to the alert column but a Javascript prompt also works: element1.on("click", function(e) { e.preventDefault(); if(e.field == "Alert"){ e.preventDefault(); var appname = e.data["row.App"]; var type = "User"; var dialog = $('<p>Enter an alert note for <b>' + appname + '</b> or clear the previous alert note. </p>').dialog({ position: myPos, buttons: { "Enter Alert Note": function(){ var note = prompt("Enter alert note for '" + appname + "'",""); var username = prompt("Enter Your Name: ", ""); if(note && username){ notesearch.settings.attributes.search = "| makeresults | eval Notes=\"" + note + "\" | eval application=\"" + appname + "\" | eval type=\"" + type + "\" | eval name=\"" + username + "\" | collect index=splunk-test source=app_alerts"; notesearch.startSearch(); setTimeout(function(){search1.startSearch();},2000); $(this).dialog("close"); } $(this).dialog("close"); }, "Clear Previous Note": function(){ notesearch.settings.attributes.search = "| makeresults | eval application=\"" + appname + "\" | eval type=\"" + type + "\" | collect index=splunk-test source=app_alerts"; notesearch.startSearch(); setTimeout(function(){search1.startSearch();},2000); $(this).dialog("close"); } }, width:350 }).css("font-size", "15px"); } So I added a click event for the table and when the user clicked on the "Alert" field they would be prompted to enter an alert note for the application (row) that they clicked on. I used makeresults to set all the values I needed from the variables gathered from the dialog and the collect command to save my alerts in a certain index and source so that when the search for the table runs again it will pick up the alert. I just created a blank searchelement called notesearch and changed it to run the search i needed. So my main table search does a join on application and retrieves the latest alert from the app_alerts source so that it is displayed on the table after refreshing. Hope this helps. ... View more