Assuming I have a dashboard with multiple panels, is there a way to have some visible and some not? <form> <label>dashboard name</label> <fieldset autoRun="true" submitButton="false"> <input type="checkbox" token="sourcetype_token" searchWhenChanged="true"> <choice value="show">show</choice> <choice value="hide">hide</choice> </fieldset> <row> <panel> <chart> ... </chart> </panel> </row> <row> <panel> <chart> ... </chart> </panel> </row> <row> <panel> <chart> ... </chart> </panel> </row> </form> currently this skeleton has the following view check box row1 row2 row3 Is there a way I can do the following: check box row1 row2 show/hide row3 show/hide with row 2 and 3 having the same control to toggle them from visible to hide? I am looking to do this in simple XML. ... View more

I basically have 2 searches that I am combining using appendcols . 1 search is for each element. It looks something like: index=core ... ne=ne1 | stats sum(kpi1) as "kpi1" by ks_countryname | sort - "kpi1" | appendcols [search index=core ... ne=ne2 | stats sum(kpi1) as "kpi1_ne2" by ks_countryname | rename ks_countryname as ks_countryname_ne2| sort - "kpi1_ne2"] the output looks something like below: ks_countryname kpi1 kpi1_ne2 ks_countryname_ne2 ZZ_undefined 1615 2631 ZZ_undefined Australia 1500 1635 China United States 676 1600 Australia China 423 410 United States Vanuatu 295 305 Samoa Switzerland 220 247 Switzerland Germany 165 213 Germany France 157 181 France Samoa 118 62 Vanuatu How do I get column 3 and 4 to line up with column 1 and 2 such that: row 2 of column 1 and 2 Australia 1500 would line up with row 3 of column 3 and 4 1600 Australia Ideally I would still like to sort max to min by kpi1, but I just want the countries aligned also. ... View more

I want to just look at 1 hour for yesterday, but I want it to be relative to today so no matter when I look at it in the future it will always be yesterday. So if I look at it today it will show yesterdays value at 12pm to 1pm And if I look at it next week it will show the day before that day at 12pm to 1pm I am thinking of something like -1d@d for the earliest and @d for the latest but how do i get the hour I want? ... View more

How do lookups work in Splunk? I presume it works like this, lookupA is the value you are looking for and ValueToReplaceLookup is the value that is returned. lookupA,ValueToReplaceLookup A,America B,Beijing C,Columbia But can it also work this way; looking up a value and the value is returned is to the left of it. E.g. lookupA is the value you are looking for and ValueToReplaceLookup is the value that is returned, but ValueToReplaceLookup will be on the left as opposed to the right? ValueToReplaceLookup,lookupA, America,A Beijing,B Columbia,C Just wondering if I should be formatting my data accordingly before uploading it to Splunk for doing lookups. ... View more

This is my skeleton of a dashboard with a fieldset with a sample input, followed by some panels with charts: <form> <label>dashboard name</label> <fieldset autoRun="true" submitButton="false"> <input type="dropdown" token="label_name"> <label>labelNAME:</label> <choice value="label1">label1</choice> <choice value="label2">label2</choice> <default>label1</default> </input> </fieldset> <row> <panel> <chart> ... </chart> </panel> </row> <row> <panel> <chart> ... </chart> </panel> </row> <row> <panel> <chart> ... </chart> </panel> </row> </form> so this looks like: input row with chart row with chart row with chart What I want to do is have something like below, where I want the 2nd input to be in its own row. I do not want it to be in the same panel because this way the chart loses space to make way for the input. input row with chart row with chart input row with chart Below is an example of me putting the input inside the panel, but as I said above, I do not want this. I want a way to have the input in its own row. Can anyone advise how this can be done? &lt;row&gt; <panel> <input type="dropdown" token="label_name"> <label>labelNAME:</label> <choice value="label1">label1</choice> <choice value="label2">label2</choice> <default>label1</default> </input> <chart> ... </chart> </panel> </row> ... View more

Timewrap is reading oldest to newest from right to left. I want it to be the opposite newest to oldest from left to right. The pic below shows that may 7th is the oldest but it is showing on the right and aug 13(yesterday) on the left. <a href="http://tinypic.com?ref=11vk4mr" target="_blank"><img src="http://i58.tinypic.com/11vk4mr.jpg" border="0" alt="Image and video hosting by TinyPic"></a> In case the pic is not showing above here it is again: this gives an idea of my search: index=core ... earliest=-100d@d latest=+d@d | timechart span=d sum(c140509343) as "Incoming downlink user traffic in KB (SGSN/SGW PLMN)" | eval wday = strftime(_time, "%a") | where wday = "Thu" | fields - wday | timewrap d series=exact Is there a way I can somehow reverse this? ... View more

I have a dashboard with numerous panels composed of single values and radial gauges. But sometimes some of them just sit there waiting to load, like below. <a href="http://tinypic.com?ref=3588kfr" target="_blank"><img src="http://i60.tinypic.com/3588kfr.jpg" border="0" alt="Image and video hosting by TinyPic"></a> This is ok with the radial gauges as I can just use the refresh option in the panel. This option is not available in the single value panel. Can I make this option available in the single value panel? Otherwise I have to refresh the whole panel. As an aside there are numerous panels in my dashboard and ideally I would like them all to load completely each time. Is there any general advice on this? I could reduce the number of panels in the dashboard, but I am looking at other ideas at this stage. ... View more

I am working on field extraction in splunk and I have come up with the below regex (spunk regex does not work the same here) ^[^'\n]*'(?P<field1>\d+) which pulls this value out: 79037030601 of the following events: beginTime="2015-07-29T09:00:00+12:00",elementType="MSCServer",userLabel="MSCKPR",measInfoId=83888334,duration="PT3600S",endTime="2015-07-29T10:00:00+12:00",measObjLdn="MSCKPR/ALL HLR:MSCKPR/HLR Number:HLR Number = K'79037030601",c84162779=1,c84162780=1 Now what I am looking at doing is optimizing this regex for time efficiency and searchability in the events. I am trying to use here to help me optimize it. One example i am working on here is this How can i work on this regex and then be able to apply it to splunk? I don't think they are the same or are they? ... View more

my query looks like stats max(KPI1) as "Traffic of Sessions Answered (Erl)" max(KPI2) as "Traffic of Sessions Connected (Erl)" max(c1907466993) as "Traffic of Sessions Seized (Erl)" by SBC_TGN_TGID | where "Traffic of Sessions Answered (Erl)" &gt; 0 but this does not work, get an error, as it does not seem to like this naming format "Traffic of Sessions Answered (Erl)" But if i do it like below it works, i get a table with no Zeron values. stats max(KPI1) as "Traffic" max(KPI2) as "Traffic of Sessions Connected (Erl)" max(KPI3) as "Traffic of Sessions Seized (Erl)" by SBC_TGN_TGID | where Traffic &gt; 0 So it likes this: where Traffic &gt; 0 But it will not like this: where Traffic &gt; 0 It basically does not like names that are inside double quotes. Can someone explain this to me? And is there a way I can keep the name as it is (i.e. with spaces) ... View more