It's hard to provide a solution without a good level of detail. What fields are available? Can you post a redacted if necessary screen shot of your data, because the detail is important. ... View more

In your earlier post when you said you are using  | sort -time if that is exactly what you used then unless you have a field called time (as opposed to Splunk's _time)  then you are not sorting anything. You may also be better to use | transaction ID startswith="message=Faulted" endswith="message=Completed" if message is the field containing what you are basing the transaction on. Hhowever, transaction is not always the best command to use as it can give wrong or no results, depending on your data size. This is particularly important when not using maxspan to limit what data you are searching and the number of events you have. Also note that you should use  | sort 0 _time otherwise it will truncate data.   ... View more

@mvannini Following on from my previous comment about misplacement of your depends="$token$" pattern. Your entire dashboard is broken from this point of view. If you create fields in section 1-4 after you fill the last field the new entry is written to the lookup, because the button SALVA E INVIA CAB is ONLY affecting the display of the table. You will see if you run | inputlookup cab_requests_lookup on its own the new row is written before you click the button. If you then change a single field, a new CAB is written. Every time you want to control changes to the lookup, you have to make the <search> dependent on the token and NOT the table.   ... View more

One thing that stands out is your deduplication of the CAB table.  In this search (line 462) <table depends="$run_dedup$"> <search> <query>| inputlookup cab_requests_lookup | dedup cab_id | outputlookup cab_requests_lookup</query> <done> <unset token="run_dedup"></unset> </done> </search> </table> your <table> has a depends statement, but that will NOT stop the search from running, so the first thing that happens when you load the dashboard, is that you totally rewrite the KV store and this happens while the other searches are running, so there is a concurrency issue going on in the KV store reading the data in your base search as well as re-writing it in the above. You should make the <search> dependent on the token, i.e. <search depends="$run_dedup$"> or you could do it this way <table depends="$never_show$"> <search> <query>| inputlookup cab_requests_lookup | ``` $run_dedup$ ``` dedup cab_id | outputlookup cab_requests_lookup</query> <done> <unset token="run_dedup"></unset> </done> </search> </table> which embeds the token in a comment in the SPL itself, which will then cause the search to run each time the token is set and it never shows the table. I believe that is what you want given the input at 7A. At the moment, you see nothing when the table loads, but the kv is rewritten, then if you select the clean option in 7A, you will see the table appear then disappear when the search runs again. I only tested this with a CSV, not KV store, but can't reproduce the duplicate searches seen by @ITWhisperer  That may play into why the searches are running more than once, I am not sure how the KV store handles concurrent read/write on the lookup, but change that and see how that affects things.   ... View more

@mvannini Can you paste the XML? There are so many reasons why a dashboard can be slow, so without knowing where to start, it's hard to diagnose. Are you using base searches. What is the data size you are searching. If you look at the job inspector for a slow search what does it tell you The volume of tokens is not necessarily a problem, I have some dashboards that use a large number and they perform perfectly ok (>300). Paste the XML using the code block so we can try to help. ... View more

Rich's search is good, you can add | rex field=provenance "UI:[Dd]ashboard:(?<dashboard_name>.*") to get the dashboard name from the provenance field. Note that XML dashboards have capital D for dashboard, whereas Studio dashboards have lower case d. Note that you will have an audit trail entry for every search run by that dashboard. ... View more

That's interesting, and as @PickleRick says, not good for the reasons stated. There is a cost of ingesting _raw data, which if you are licenced on ingest volume, you would see if you populate the _raw with all the data, but at the moment, you are incurring storage costs with extra indexed fields. You have lost flexibility with the current approach, and I don't quite get the OTEL engineer's comments. If the lack of _raw is a problem, you could rebuild it to some extent, but the best solution would be to ensure the body has what you need. ... View more

I may have misunderstood your requirement, if I read it again, then you can still do it like this index=id [ | inputlookup id.csv | eval earliest=strptime(time, "%d.%m.%Y") | rename id as ID_index | fields ID_index earliest ``` This subsearch creates the search string ((ID_index="1111" earliest=time_1) OR (ID_index="2222" earliest=time_2)) ``` ] ``` Calculate the counts ``` | stats count by ID_index ``` Now fetch the limit ``` | lookup id.csv id as ID_index OUTPUT limit ``` And determine if threshold exceeded ``` | eval msg=if(count>limit, "limit exceeded", "under limit") Same principle as the other comment, but using the fixed index and field comparison. ... View more

You can do with with a subsearch like this [ | inputlookup id.csv | eval earliest=strptime(time, "%d.%m.%Y") | rename id as index | fields index earliest ] | stats count by index | lookup id.csv id as index OUTPUT limit | eval msg=if(count>limit, "limit exceeded", "under limit") The subsearch creates the search string which will look something like this ( ( index="1111" earliest=time) OR ( index="2222" earliest=time) ) and then you can do a stats count/lookup and produce the table. If the time interval is always the same for each index you could use tstats which would be faster, but it doesn't support multiple time ranges.   ... View more

I'm not sure I fully understand what you mean when you describe the event has having no "meaningful" _raw, but which has fields. That would imply that the _raw has been redacted during ingestion but fields have perhaps then been indexed, perhaps using INGEST EVAL. I was going to suggest using TERM(my_term) to search for terms you want, i.e.  index=bla TERM(term) but that's effectively searching _raw which you say you don't have. Do you know how this data is being ingested? If someone has done some optimisation to remove _raw in the process of ingestion and you need it back, perhaps you need to discuss with your admins. Otherwise, if there is no _raw, you can't easily search for terms efficiently anywhere. You could do index=bla ``` Loop through every field doing a per field match against search_regex ``` | foreach * [ eval match=max(match, if(match('<<FIELD>>', "search_regex"), 1, 0)) ] | where match=1 but this, like using fieldsummary, will be pretty inefficient, as you're getting all events from the index and then filtering. If your set of fields is static, you could create a macro, e.g.  `search_all_fields(term)` and then in the macro expand out the field list so you have field1=$term$ OR field2=$term$ OR field3=$term$... and if you do actually have indexed fields, you could use the index field notation as field1::$term$ If you do index=bla on its own, what do you see? Can you look at the source for that - i.e. don't use table just look at the events and in the Event Actions dropdown for the event, select show source.   ... View more

Are you confusing "processes" with "files". I assume you meant count the "files" not "processes" in this post... Counting all the values from /proc/pid/fd will not translate to "files" as it is again about descriptors, so will include all sockets and other descriptor types. Your Splunk query would seem to calculate the same metric, however, as the log event is a point in time count, you should not sum the values, rather you only want a single event, so maybe this would give you a more practical result index=_introspection sourcetype=splunk_resource_usage component=PerProcess host=* | bin _time span=1m | stats latest(data.fd_used) AS total_open_files_by_FD by _time data.process | timechart span=1m sum(total_open_files_by_FD) as total_open_files_by_FD Which calculates the latest count of fds per process and then adds those all together to get the sum ... View more

And another small, but significant issue is that you will "miss" consecutive errors that occur on your search boundary, e.g. your search runs at 0, 5, 10... and searches 53-58, 58-03, 03-08... But as you're requiring a count of 2 or more, you're only actually looking at 4 possible minutes. So, if you have errors at 03 and 04, you will never see that as 2 consecutive errors. So, you want your search window to be -8 to -2, so there is a 1 minute overlap, so you're using a full 5 minute window for >1 error count. ... View more

What exactly are you trying to measure, an 'fd' is a file descriptor, not a file, and it applies to many things other than "files", e.g. a socket connections also has an 'fd'. Also, each introspection log records a point in time state of a process, so the same process may log many events, so just summing the fds will not point to a total count of files used. Can you give a better explanation of what you're trying to replicate. ... View more

I think your logic is flawed. If there are gaps with minutes with no error, then they will not be "consecutive" minutes, just adjacent, so if you have errors at 8:01 and 8:03, you will get a count of 2 consecutive errors, which I assume is not what you want. You would be better off using timechart, as that will give you populated values for each time interval - see this example using timechart and a changed streamstats - run this example with a time range of last 60 minutes and you can see the effect. Comment out the last line to see how the count is calculated | makeresults count=20 | eval _time=now() - ((random() % 30) * 60) | timechart span=1m count as error_count | streamstats window=2 current=t count(eval(error_count>0)) as consecutive_error_minutes | where consecutive_error_minutes >= 2 This will return you a list of minutes where the consecutive error count was >=2. Note that this will remove the first of the minutes when the error first occurred, as streamstats will record that as a 1 error count, so the results will not include the first minute of the error. Again, is this what you want? Hopefully this helps, but add any extra detail if this does not get you to where you want to get to.     ... View more

I don't believe you can set the default for SAML users. I went through this recently with a bunch of South Australian users and it caused no end of problems for the non technical users as time by default was UTC. It ended up being an education / onboarding to Splunk process for those users. ... View more

@hawkeyesc72 Simple observation for this latest issue of not getting any data is that your search syntax is wrong. Using a comma to separate search criteria is not valid - you are effectively saying you want the P1Sender value and Recipient names to be anything ending in a comma. Remove the commas, or better still, remove the search command and just table the values. As others have said, it's most likely your Send events are not the same as the recipient events, so you will probably need to find a correlation value to connect those two events, this would be the Message-Id value for a message, which will be the same. If you run these two searches and post a sanitised version of the JSON values you are getting for a sender event and a recipient event, masking out sensitive data, we could provide a solution.  index=office365 P1Sender=* | head 1 index=office365 Item.RecipientsCount=* | head 1   ... View more

That saved search Audit - Sourcetype readiness - Lookup gen is part of Enterprise Security app (SA-Utils) so unless you have it, you'll get the Not Found as you have If you run that on one of your saved searched and add | transpose 0 with and without appContext=true You will see the count of fields returned. If I run that in a ES site, I get 248 fields without appContext and 32 with appContext=true   ... View more

If you can do a restart, I would recommend that - I found that after updating an app recently, all worked ok, but the new config UI page for the visualisation was not visible, it showed the old one. A restart was needed. It's interesting that you can see the old js via the direct url though.   ... View more

@ITWhisperer MV from stats values() has no limit, but stats list() does have the 100 limit... Have you ever seen values get truncated? ... View more

When you add the submit button, the change event will not fire I believe because it has not "changed" until the submit occurs. @ITWhisperer 's solution is the generally accepted one for this multiselect reset, despite the docs saying that change is not supported, it does work and has been working for a long time.   ... View more

This is what is should look like (I made is use odd colours for up/down just to show it's possible) I know that Maps+ is a bit odd in that you need to refresh the browser tab to get some changes recognised, but what version of Maps+ are you - this is the latest 4.6.2 in SplunkCloud     ... View more

As others have said, give us an example of what your XML is looking like and how/where you are setting the id, what your CSS looks like and precisely what your goal is. CSS styling needs to be set precisely so the problem is most likely how you have defined your CSS.   ... View more

If you are having an issue with single marker clustering, then @tscroggins shows the solution for that, however, both your original clusterGroupColors setting and this post should work This example shows random dynamic changes to foreground and background colours. <row> <panel> <viz type="leaflet_maps_app.maps-plus"> <search> <query>| makeresults format=csv data="latitude,longitude -33.7688,150.9063 -32.2773,115.7316 -27.4698,153.0251 -34.727,138.6689 -19.259,146.8169 -33.8688,151.2093 -37.9145,145.1195 -31.7467,115.7677 -33.7688,150.9063" | eval bgp_state=mvindex(split("Down,Up",","), random() % 2) | eval state=lower(bgp_state) | eval clusterGroup=case(state="down","red",state="up","green",bgp_state="null","green") | streamstats c | eval setBg=if(state="up", "green,blue", "red,orange") | eval setFg=if(state="up", "white,yellow", "black,grey") | eval clusterBgColor=mvindex(split(setBg, ","), random() % 2) | eval clusterFgColor=mvindex(split(setFg, ","), random() % 2) | eval description=printf("&lt;b&gt;Item %d - %s&lt;/b&gt;", c, bgp_state), tooltip=description</query> <earliest>-15m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="drilldown">none</option> <option name="leaflet_maps_app.maps-plus.cluster">1</option> <option name="leaflet_maps_app.maps-plus.singleMarkerMode">1</option> <option name="refresh.display">progressbar</option> </viz> </panel> </row>   ... View more