That Titanic meme is great - never seen it before. There is a Camden active in Slack DS who seems reasonably interested in hearing ideas and use cases. I recently sent him an app of blocking stuff we do in XML that does not yet port to DS, primarily around interactivity/tokens. The team have made massive strides with it in the last year or so, but it's still not for me... ... View more

I'm another advocate for XML over DS. It still has a greater ability to style display elements than DS using CSS. Token interaction is better in XML, especially if you plug in a tiny piece of JS into your app, which then allows token management through <button> elements in <html> panels. Although DS does have conditional token handling so can model XML's depends= and rejects= constructs, it doesn't have this flexibility. Sure you can add pretty pictures in DS that make it look appealing, but for any kind of interactive dashboard, XML is probably superior (for the time being).   ... View more

If you get 3 rows and you want to trigger on 100 rows, then just set the trigger condition   ... View more

Are you talking about search execution time when you say "response"? Your comment here does not address the questions asked by others trying to help with your question, so it's difficult to give you meaningful help. If this is page loads, how have you measured this? If this is Splunk search executions, have you compared total server search load between the two environments to see if the upgraded server is performing more searches? Have you looked at individual search jobs to see if the data volume being searched in the upgraded version is comparable with the pre-upgrade? At the moment your question is like asking "why is my new car slower than my old car". Not enough information to make helpful suggestions.  Please give more detail.   ... View more

Note that my assumptions are that you don't already have any field extractions being done automatically. If you already have a field called 'id' then you don't need to do the rex command. ... View more

There are various ways to do this. Firstly if you are running a search every 15 minutes and looking at a 15 minute window in the past, the this simple search will count any occurence of id > 3 within that time period. your base search Event failed validation | rex field=_raw "id=\"(?<id>[^\"]*)" | stats count by id | where count>3 This assumes that the search criteria looks for that message signature and that the field _raw contains the data as shown However if this is about creating an alert, then that search is not helpful for the case when 2 errors occur in minutes 14 and 2 in minutes 16 if the search is searching 0-14 and 15-29. In that case, you can run the alert once per minute and look back at the previous 15 minutes, note that for alerts you would probably want to look a little behind the just the previous 15, i.e.  earliest=-17m@m latest=-2m@m  if the alert is then scheduled to run every 1 minute, you would configure it to fire once per result and to enable throttling and set the field to be id and the interval 15 minutes, so that the same id does not trigger each time the search runs for the next 15 minutes. This example search you can paste into your search to see the effect - it just creates some random messages based on your example and does the search above. | makeresults | eval events=split( "Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975946M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975936M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975926M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975916M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975996M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975986M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975976M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975966M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975956M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975946M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975946M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975936M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975916M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975996M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975986M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975976M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975966M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975956M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975946M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975936M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975926M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975916M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975996M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975986M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975976M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975966M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ] Event failed validation. Errors: Client=users; Message=com.xxx.base.exception.HttpErrorException: retry fails.. check log for more information webhooks | \"Notification Message\"=[ id=\"WH-96D975956M839252X-52N249868M7084734\"; resource_type=\"USER-PROFILE\"; ]", " ") | mvexpand events | rename events as _raw | streamstats c | eval _time=now() - (c * 30) | fields _time _raw ``` Test data is created above ``` | rex field=_raw "id=\"(?<id>[^\"]*)" | stats count by id | where count>3    ... View more

It's hard to provide a solution without a good level of detail. What fields are available? Can you post a redacted if necessary screen shot of your data, because the detail is important. ... View more

In your earlier post when you said you are using  | sort -time if that is exactly what you used then unless you have a field called time (as opposed to Splunk's _time)  then you are not sorting anything. You may also be better to use | transaction ID startswith="message=Faulted" endswith="message=Completed" if message is the field containing what you are basing the transaction on. Hhowever, transaction is not always the best command to use as it can give wrong or no results, depending on your data size. This is particularly important when not using maxspan to limit what data you are searching and the number of events you have. Also note that you should use  | sort 0 _time otherwise it will truncate data.   ... View more

@mvannini Following on from my previous comment about misplacement of your depends="$token$" pattern. Your entire dashboard is broken from this point of view. If you create fields in section 1-4 after you fill the last field the new entry is written to the lookup, because the button SALVA E INVIA CAB is ONLY affecting the display of the table. You will see if you run | inputlookup cab_requests_lookup on its own the new row is written before you click the button. If you then change a single field, a new CAB is written. Every time you want to control changes to the lookup, you have to make the <search> dependent on the token and NOT the table.   ... View more

One thing that stands out is your deduplication of the CAB table.  In this search (line 462) <table depends="$run_dedup$"> <search> <query>| inputlookup cab_requests_lookup | dedup cab_id | outputlookup cab_requests_lookup</query> <done> <unset token="run_dedup"></unset> </done> </search> </table> your <table> has a depends statement, but that will NOT stop the search from running, so the first thing that happens when you load the dashboard, is that you totally rewrite the KV store and this happens while the other searches are running, so there is a concurrency issue going on in the KV store reading the data in your base search as well as re-writing it in the above. You should make the <search> dependent on the token, i.e. <search depends="$run_dedup$"> or you could do it this way <table depends="$never_show$"> <search> <query>| inputlookup cab_requests_lookup | ``` $run_dedup$ ``` dedup cab_id | outputlookup cab_requests_lookup</query> <done> <unset token="run_dedup"></unset> </done> </search> </table> which embeds the token in a comment in the SPL itself, which will then cause the search to run each time the token is set and it never shows the table. I believe that is what you want given the input at 7A. At the moment, you see nothing when the table loads, but the kv is rewritten, then if you select the clean option in 7A, you will see the table appear then disappear when the search runs again. I only tested this with a CSV, not KV store, but can't reproduce the duplicate searches seen by @ITWhisperer  That may play into why the searches are running more than once, I am not sure how the KV store handles concurrent read/write on the lookup, but change that and see how that affects things.   ... View more

@mvannini Can you paste the XML? There are so many reasons why a dashboard can be slow, so without knowing where to start, it's hard to diagnose. Are you using base searches. What is the data size you are searching. If you look at the job inspector for a slow search what does it tell you The volume of tokens is not necessarily a problem, I have some dashboards that use a large number and they perform perfectly ok (>300). Paste the XML using the code block so we can try to help. ... View more

Rich's search is good, you can add | rex field=provenance "UI:[Dd]ashboard:(?<dashboard_name>.*") to get the dashboard name from the provenance field. Note that XML dashboards have capital D for dashboard, whereas Studio dashboards have lower case d. Note that you will have an audit trail entry for every search run by that dashboard. ... View more

That's interesting, and as @PickleRick says, not good for the reasons stated. There is a cost of ingesting _raw data, which if you are licenced on ingest volume, you would see if you populate the _raw with all the data, but at the moment, you are incurring storage costs with extra indexed fields. You have lost flexibility with the current approach, and I don't quite get the OTEL engineer's comments. If the lack of _raw is a problem, you could rebuild it to some extent, but the best solution would be to ensure the body has what you need. ... View more

I may have misunderstood your requirement, if I read it again, then you can still do it like this index=id [ | inputlookup id.csv | eval earliest=strptime(time, "%d.%m.%Y") | rename id as ID_index | fields ID_index earliest ``` This subsearch creates the search string ((ID_index="1111" earliest=time_1) OR (ID_index="2222" earliest=time_2)) ``` ] ``` Calculate the counts ``` | stats count by ID_index ``` Now fetch the limit ``` | lookup id.csv id as ID_index OUTPUT limit ``` And determine if threshold exceeded ``` | eval msg=if(count>limit, "limit exceeded", "under limit") Same principle as the other comment, but using the fixed index and field comparison. ... View more

You can do with with a subsearch like this [ | inputlookup id.csv | eval earliest=strptime(time, "%d.%m.%Y") | rename id as index | fields index earliest ] | stats count by index | lookup id.csv id as index OUTPUT limit | eval msg=if(count>limit, "limit exceeded", "under limit") The subsearch creates the search string which will look something like this ( ( index="1111" earliest=time) OR ( index="2222" earliest=time) ) and then you can do a stats count/lookup and produce the table. If the time interval is always the same for each index you could use tstats which would be faster, but it doesn't support multiple time ranges.   ... View more

I'm not sure I fully understand what you mean when you describe the event has having no "meaningful" _raw, but which has fields. That would imply that the _raw has been redacted during ingestion but fields have perhaps then been indexed, perhaps using INGEST EVAL. I was going to suggest using TERM(my_term) to search for terms you want, i.e.  index=bla TERM(term) but that's effectively searching _raw which you say you don't have. Do you know how this data is being ingested? If someone has done some optimisation to remove _raw in the process of ingestion and you need it back, perhaps you need to discuss with your admins. Otherwise, if there is no _raw, you can't easily search for terms efficiently anywhere. You could do index=bla ``` Loop through every field doing a per field match against search_regex ``` | foreach * [ eval match=max(match, if(match('<<FIELD>>', "search_regex"), 1, 0)) ] | where match=1 but this, like using fieldsummary, will be pretty inefficient, as you're getting all events from the index and then filtering. If your set of fields is static, you could create a macro, e.g.  `search_all_fields(term)` and then in the macro expand out the field list so you have field1=$term$ OR field2=$term$ OR field3=$term$... and if you do actually have indexed fields, you could use the index field notation as field1::$term$ If you do index=bla on its own, what do you see? Can you look at the source for that - i.e. don't use table just look at the events and in the Event Actions dropdown for the event, select show source.   ... View more

Are you confusing "processes" with "files". I assume you meant count the "files" not "processes" in this post... Counting all the values from /proc/pid/fd will not translate to "files" as it is again about descriptors, so will include all sockets and other descriptor types. Your Splunk query would seem to calculate the same metric, however, as the log event is a point in time count, you should not sum the values, rather you only want a single event, so maybe this would give you a more practical result index=_introspection sourcetype=splunk_resource_usage component=PerProcess host=* | bin _time span=1m | stats latest(data.fd_used) AS total_open_files_by_FD by _time data.process | timechart span=1m sum(total_open_files_by_FD) as total_open_files_by_FD Which calculates the latest count of fds per process and then adds those all together to get the sum ... View more

And another small, but significant issue is that you will "miss" consecutive errors that occur on your search boundary, e.g. your search runs at 0, 5, 10... and searches 53-58, 58-03, 03-08... But as you're requiring a count of 2 or more, you're only actually looking at 4 possible minutes. So, if you have errors at 03 and 04, you will never see that as 2 consecutive errors. So, you want your search window to be -8 to -2, so there is a 1 minute overlap, so you're using a full 5 minute window for >1 error count. ... View more

What exactly are you trying to measure, an 'fd' is a file descriptor, not a file, and it applies to many things other than "files", e.g. a socket connections also has an 'fd'. Also, each introspection log records a point in time state of a process, so the same process may log many events, so just summing the fds will not point to a total count of files used. Can you give a better explanation of what you're trying to replicate. ... View more

I think your logic is flawed. If there are gaps with minutes with no error, then they will not be "consecutive" minutes, just adjacent, so if you have errors at 8:01 and 8:03, you will get a count of 2 consecutive errors, which I assume is not what you want. You would be better off using timechart, as that will give you populated values for each time interval - see this example using timechart and a changed streamstats - run this example with a time range of last 60 minutes and you can see the effect. Comment out the last line to see how the count is calculated | makeresults count=20 | eval _time=now() - ((random() % 30) * 60) | timechart span=1m count as error_count | streamstats window=2 current=t count(eval(error_count>0)) as consecutive_error_minutes | where consecutive_error_minutes >= 2 This will return you a list of minutes where the consecutive error count was >=2. Note that this will remove the first of the minutes when the error first occurred, as streamstats will record that as a 1 error count, so the results will not include the first minute of the error. Again, is this what you want? Hopefully this helps, but add any extra detail if this does not get you to where you want to get to.     ... View more

I don't believe you can set the default for SAML users. I went through this recently with a bunch of South Australian users and it caused no end of problems for the non technical users as time by default was UTC. It ended up being an education / onboarding to Splunk process for those users. ... View more

@hawkeyesc72 Simple observation for this latest issue of not getting any data is that your search syntax is wrong. Using a comma to separate search criteria is not valid - you are effectively saying you want the P1Sender value and Recipient names to be anything ending in a comma. Remove the commas, or better still, remove the search command and just table the values. As others have said, it's most likely your Send events are not the same as the recipient events, so you will probably need to find a correlation value to connect those two events, this would be the Message-Id value for a message, which will be the same. If you run these two searches and post a sanitised version of the JSON values you are getting for a sender event and a recipient event, masking out sensitive data, we could provide a solution.  index=office365 P1Sender=* | head 1 index=office365 Item.RecipientsCount=* | head 1   ... View more

That saved search Audit - Sourcetype readiness - Lookup gen is part of Enterprise Security app (SA-Utils) so unless you have it, you'll get the Not Found as you have If you run that on one of your saved searched and add | transpose 0 with and without appContext=true You will see the count of fields returned. If I run that in a ES site, I get 248 fields without appContext and 32 with appContext=true   ... View more