Reference to create dataSource - https://docs.splunk.com/Documentation/Splunk/8.2.6/DashStudio/dsOpt   ... View more

@harrysplunk - Sorry, but no idea.  Customization with your JS is very far it seems for dashboard studio. No idea if they have plan to add native supports for tabs or not. ... View more

@harry17preet -  props.conf (HF) [my:api:ce2] TRANSFORMS-extract_instance = extract_instance   transforms.conf (HF) [extract_instance] SOURCE_KEY = MetaData:Source REGEX = \/(.+\/)(?:[^_]+_[^_]+_[^_]+_)(?<instance>[^_]+) WRITE_META = true   fields.conf (SH) [instance] INDEXED = true   Please note you have to deploy props.conf and transforms.conf at HF (indexing level) and fields.conf on SH. Also, not that at index time source value (MetaData:Source) will be prefixed by "source::", but I think your regex will still work, but please confirm on your end. (Reference/Doc - https://docs.splunk.com/Documentation/Splunk/latest/Admin/transformsconf )   I hope this helps!!! Karma/upvote would be appreciated. ... View more

@mihir_hardas - You can set dataSource to your inputs. And add a search as dataSource. "inputs": { "input_RtgCL23i": { "options": { "items": ">frame(label, value) | prepend(formattedStatics) | objects()", "token": "user" }, "title": "Select user", "type": "input.dropdown", "dataSources": { "primary": "ds_eiFyjWZU" }, "context": { "formattedConfig": { "number": { "prefix": "" } }, "formattedStatics": ">statics | formatByType(formattedConfig)", "statics": [ [ "All" ], [ "*" ] ], "label": ">primary | seriesByName(\"user\") | renameSeries(\"label\") | formatByType(formattedConfig)", "value": ">primary | seriesByName(\"user\") | renameSeries(\"value\") | formatByType(formattedConfig)" } }, Examples picked from this page - https://docs.splunk.com/Documentation/Splunk/8.2.6/DashStudio/inputs#Example:_Search-based_cascading_inputs  there are other examples also there.   I hope this helps!! ... View more

@harry17preet -  EXTRACT is a search-time parameter. You need to add on the Search Head and not on HF. ... View more

@glpadilla_sol - Try searching like this: index=bar foo="*hello*" | where foo="hello" (added wildcard(*) in the search command.)   I hope this helps!!!   ... View more

@splunker1993 - You need to add a server certificate into your Splunk instance and set the path of the certificate file as described here. Alternatively, you can disable the certificate check but that will communicate over an unencrypted channel. Both options describe here in the doc: https://splunkbase.splunk.com/app/2689/#/details    I hope this helps!!! ... View more

@mbasharat - I've tested in regex101. Please check here to see if you are getting what you need - https://regex101.com/r/DoWz5Q/1   Of course, I'm not gonna test in a live environment because my environment will not have this data. Generally, the preferred practice is that you test all configuration changes in a staging environment.   I hope this helps!!!! ... View more

@beginner1 - To pass the token from the right panel you need to make use of the URL.  Ex. /en-US/app/<my-app>/second_dashboard?my_token=$my_token$form.my_token=$my_token$ (please take care of URL encodings as require) - I would suggest setting both form.<token-name> and just <token-name>. (for safer side)   It cannot be synced the other way around. (from right side to left side panel) because of security restrictions of the HTML iframe component. ... View more

@beginner1 - You can try the below solution. I personally have not tried it. But this sounds interesting.  You can use an HTML iframe. Something like this in your dashboard XML code. <row> <panel> ... panel in which you are having links to dashboards ... ... when user clicks a link set a token (tkn_dashboard_url) with the URL in the value ... ... use relative URL, don't put search head IP in it so it can be reused ... </panel> <panel> <html> <iframe src="$tkn_dashboard_url$" title="Iframe for the dashboard on the right."></iframe> </html> </panel> <row>   I've no idea how this will go but give it a try, logically I think it should work.   Hope this helps!!! Karma/upvote would be appreciated!!! ... View more

@harrysplunk - Currently it's not possible in Dashboard studio. Also, with simple XML alone I think you cannot do that, you need to use Javascript to achieve that. In dashboard studio, you cannot include a JS file currently.   I hope this helps!! Karma/upvote would be appreciated!!! ... View more

@Judeumeh - Do you mean you are seeing "[failed] splunkd is already running error" while running "splunk start" command? * That basically means your Splunk is already running. * Maybe you are just not able to access Splunk UI. * Check firewall rules to see if Splunk web port (default 8000) is accessible outside the machine if you are not using the browser locally on the machine.   I hope this helps!!! ... View more

@ang3loliveira - You have two options: You have a report/alert already scheduled and running and you want to export the results of last execution. Use the REST API solution as provided by @aasabatini  You have report but not schedule and running.  Use Python SDK to run and get results and then use few lines in python script to send data to where you want to. https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtorunsearchespython/ Note that you can do first REST API call also with Python-Splunk-SDK.   I hope this helps!!! Karma/upvote would be appreciated!!! ... View more

@mbasharat - Try this regex: [\r\n]+(?<_KEY_1>[^\n:]+):(?<_VAL_1>[^\r\n]+)   I hope this helps!!!! ... View more

@Santosh2 - You can take some predefined steps in case of data input issues: Check if you have inputs.conf entry for these files Have you specified the right index? Have you created that index on the Indexer? Make sure you are not filtering the data with transforms.conf config check for queue=null line in transforms.conf  If you see any, make sure it's not related to your data Make sure you are receiving other data from that host. index=_internal host=<hostname-that-has-inputs.conf>  Make sure you have permission to read the index data and also make sure no other restriction being applied. You can check with Splunk Admin.   I hope this helps!!! Upvote/karma would be appreciated!! ... View more

@utk123 - You can use a regular bar chart available in Splunk (though as mentioned by @gcusello  you also have the option to use custom visualization/charts from Splunkbase) You can use the timechart command to generate the results. It's difficult to form an exact Splunk query without looking at data formats.   I hope this helps!! ... View more