Hi All, I would like to pass a drop down filter value to multiselect value. code for dropdown is as : <input type="dropdown" token="entity"> <label>Entity</label> <choice value="*">All</choice> <choice value="_time">Time</choice> <choice value="_status">Status</choice> </input> I would like to pass this to "Token value Suffix" of Multiselect filter. <input type="multiselect" token="servers" searchWhenChanged="true"> <label>Servers</label> <prefix>(</prefix> <valuePrefix>measurementIdentifier=ITSMServerLatency_</valuePrefix> <valueSuffix>-ping**$entity$**</valueSuffix> <delimiter> OR </delimiter> <fieldForLabel>Server</fieldForLabel> <fieldForValue>Server</fieldForValue> <search> <query>index="my_index" application=my_app Type=Network (hostname=*) |rex field=Identifier "ServerToITSMServerLatency_(?<Server>\w+)\-\w+\_(?<entity>\w+)"|dedup Identifier |stats count by Server</query> <earliest>0</earliest> <latest></latest> </search> <choice value="*">All</choice> <default>*</default> <suffix>)</suffix> </input> My concern is that it runs good for the first time, but next time , token variable looses its identity and is replaced be first time or default value of $entity$. Please let me know how can i maintain the token variable in multiselect? ... View more

Hi I have a splunk query(with javascript) which i would like to run multiple times using javascript loop. Please find below code `dupcount1=splunkjs.mvc.Components.get("search8"); dupcount1.data("results").on("data", function(results) { if (DupData == true) { var dupcount = results._data['rows'][0][0]; var i; var batchsize = 10 for (i = 0; i <= dupcount / batchsize; i++) { if (i == 0) { defaultTokenModel.set("head1", batchsize); search4.startSearch(); } else { defaultTokenModel.set("head2", batchsize * (i + 1)); defaultTokenModel.set("tail", batchsize * i); search9.startSearch(); } } return true; } });` based on value of i i am setting token and start search. when (i==0) the search runs fine and everything completes graciously. Issue i am facing is when (i !=0) than only for last loop job is triggered. what i would like is that , if there are 9 loops, 9 searches should be triggered. i am not able to understand why only last search is starting in else loop. Thanks in advance. ... View more

Hi all I have a large data set (20 million) since 2015 which keeps on growing. In my case, I am supposed to use lookup and I found out that KV store is best since records in index are getting updated with _key(ORDER_KEY) remaining constant, hence my lookup will also be updating. Now with this huge set of growing data, will I land in to some sort of performance issue? I thought of using multiple KV Store lookup broken down by month such as events from nov2015 will go to kvlookup_nov2015 and events from dec2015 will go to kvlookup_dec2015 based on ORDER_KEY creation time, all the collection and transforms.conf entries for lookup definitions will be made earlier only, but I am not able to achieve this as run time in search |outputlookup . I tried the macro approach with eval based definition. |outputlookup `filename(ORDER_KEY)`. [filename(1)] args = ORDER_KEY definition =(case(match($ORDER_KEY$, "^201511.*"),"csv_lookup_nov_2015",match($ORDER_KEY$,"^201512.*"),"csv_lookup_dec_2015")) It did not work for me. Please help me out Thanks in advance. ... View more

I am trying to use Splunk DB Connect 2's dbinput feature to index data. All specifications such as connection and preview table all work fine, but data does not get indexed. When I try using DB Connect `, I am able to index data, but since data size is huge, there is some inconsistency and that's the reason I want to use DB Connect 2. Database is Oracle, dump works fine, but there is an issue with the rising column. rising column sample data :2016-04-16 18:30:23(yyy-mm-dd H:M:S) inputs.conf _rcvbuf = 1572864 allowSslCompression = true allowSslRenegotiation = true connection = yanrep dedicatedIoThreads = 2 disabled = 1 enableSSL = 1 host = scompsprdrk1v index = sterlingdb1 input_timestamp_column_name = MODIFYTS interval = 05 * * * * maxSockets = 0 maxThreads = 0 max_rows = 10000000 mode = tail output_timestamp_format = yyyy-MM-dd HH:mm:ss port = 8088 query = select sourcetype = YFS_ORDER_LINE sslVersions = *,-ssl2 tail_follow_only = 1 tail_rising_column_name = MODIFYTS ui_query_catalog = NULL ui_query_mode = advanced useDeploymentServer = 0 source = dbmon1 Thanks in advance ... View more

I am currently experiencing issue in our production environment and wanted to check if any of you have encountered similar issue. I was getting data in index using Splunk DB Connect 1 since 2 days back, but suddenly it stopped indexing data. The following is our DB Connect configuration: We are dumping data from Oracle database to Splunk index. Splunk versions is 6.2.2 DB connect version is 1.1.7 DB input strategy is DB Dump Output format is Multi-Line key Format. When I run a query in the DB Connect query browser, it returns results successfully. There are NO errors in splunkd logs, dbx_debug shows that this dbinput triggered and completed gracefully. Splunk DB Connect app gets data from the database and keeps in SPLUNK_HOME/var/spool/dbmon directory. From where it runs a batch job to write data to index using policy sinkhole, on successful indexing of data, it deletes the temporary file from in SPLUNK_HOME/var/spool/dbmon directory. I have data in SPLUNK_HOME/var/spool/dbmon, but not in the index. I also have some other indexes which are getting the data from same Oracle db using the same DB Connect 1.1.7 and they continue to work fine while only few indexes have stopped working. Kindly suggest appropriate actions. ... View more

Transpose is python custom command shipped with Search app. Transpose has global visibility , which means if you have access to the Search app, you can use Transpose from any app. Is there any way in which a user is able to see charts with the transpose command without having access to search app? ... View more