You can accomplish that by using cascading dropdown boxes. There are examples on how to accomplish this available in the Splunk dashboard examples app available in splunkbase here: https://splunkbase.splunk.com/app/1603/ Also there are multiple answered questions regarding this topic you can have a look: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-multiple-dependent-dropdowns-on-a-dashboard/td-p/391089 ... View more

Hi, The "Data in SH:" doesn't show much. It's linking to you Splunk local instance. Can you correct that and share an example of what you're seeing? ... View more

Hi! If you want to solve your performance problems you should start by adopting the hardware requirements for Splunk. There are pages dedicated to that in docs. For Azure deployments, there is this tech brief that sheds some light on some good practices and even advice on which is the appropriate set of instances you should use depending on the size of your deployment.  Regarding CIM datamodels, you should enable acceleration only on the datamodels you are actually using and restrict the indexes each datamodel accelerates data from. The CIM app has a macro for each datamodel where you can place the specific indexes to look for tagged data. This will reduce the amount of data the acceleration searches will have to look into, lowering the run time and the chance you'll endup with skipped searches. Regarding the "hour behind", i would make sure all your systems have configured and using the same NTP and the time zone they are set into. I've ran into customers not having NTP configured at all making it impossible to properly correlate data or having diferent time zones setup. ... View more

Can you expand on the issue you are trying to address? What do you mean "the expiry of the services on a Splunk addon" ... View more

Hi Carlos My pdfs are always available for download but via the partner portal. Im not sure that these are available elsewhere for a regular splunk user account. Check with certification@splunk.com maybe they can help you. Regards ... View more

Use this index=nettraffic NOT ((source="a.b.c.d" dest="w.x.y.z") OR (dest="a.b.c.d" source="w.x.y.z")) ... View more

If you have an issue that stops the summary indexing search from working (e.g server load, maintenance, etc) you'll most likely end up with gaps. Its possible to backfill those using a script available in the Splunk installation. But its a pain. Also, like @adonio commented, I don't see a big value on building a datamodel over summer indexes. If you are sensible on the time things take to return results, if your data is related to metrics, then metrics indexes is a way to go. If not I would test using indexed extractions. You'll be trading storage (for the bigger tsidx) for search performance. Much like you do with data models, you can then use |tstats command against you indexed fields. The benefit here is the "acceleration" is kind of done when the data is coming in, removing the 5 min for it to be accelerated in case of DM, but its done on a per source type basis. The advantage of using DM is that you can accelerate data from whatever (multiple indexes, source types, etc.). ... View more

I've built an add-on to parse kaspersky data in splunk but I used LEEF (Qradar) because when I started there was not splunk option. Its available in Splunkbase. In case you want to lend a hand so I can build the CEF part it would be great to have some CEF example data to work with. ... View more

I've been making some improvements in the add-on. Check the version of the add-on I've released in Splunkbase. ... View more