I have this dashboard and some of the dropdowns, but here in the last dropdown `hostname`, i have a "ALL" field value which is like host=*  and when putting into the search it works like this , index=perfmon host=*. But the caveat here is , i want ALL(*) to be only the servers which are resulting from all the below dropdowns and not just host=* .   <input type="multiselect" token="name" searchWhenChanged="true"> <label>Hostname</label> <fieldForLabel>Hostname</fieldForLabel> <fieldForValue>name</fieldForValue> <search> <query>| inputlookup ec2_unix_linux_instances.csv | append [| inputlookup ec2_windows_instances.csv ] | search CLUSTER_TYPE=$cluster$ AND ACC_SHORT_NAME=$asn$ AND ACC_FULL_NAME="$afn$" AND ENVIRONMENT=$env$ BUSINESS_UNIT=$bu$ | rename HOST_NAME as name | join type=left name [| inputlookup splunk_total_agents.csv | table name Agent ] | join type=left name [| inputlookup splunk_total_unix_linux_agents.csv | table name Agent ] | dedup name | search Agent="Splunk" | fields name</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <valuePrefix>host="</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> OR </delimiter> <choice value="*">ALL</choice> </input>   Above is the code for my dropdown ( host) and here value=* just takes all the servers, whereas i want it to only consider the servers which are the results of all the filters.   ... View more

Hello, I have two dashboards linked to each other, and i am passing the parameters for the linked dashboard in the drilldown url. The values passed for one of the drop downs is having a dynamic values option, coming through a search. My question is how to actually pass that parameter in the URL. ... View more

Hi, I have the following search to calculate the average response time on a field for which data is coming from 10 hosts. The intention to use the data model is to accelerate the search to load the searches faster on a dashboard. Currently, I am using summary indexing to do this but I was thinking if we can avoid the summary indexing- if data model accelaration provides the results much faster and more real-time. index=root sourcetype=iisservice_logs Message!=REQ AND Message!=RQSAVE Detail.MSec=* | stats perc95(Detail.MSec) as percnf avg(Detail.MSec) as average | eval ecosystem=Application | eval percnf=round(percnf,2) | eval average=round(average,2) | eval health=case(average>=500,"RED",average>=200,"YELLOW",1=1,"GREEN") | eval kpi_type="Application Response time" | eval kpi_key1="Application Response Time(95th)" | eval kpi_value1=percnf | eval kpi_key2="Application Response Time(Average)" | eval kpi_value2=average | eval name="N/A" | eval _time = now() | table _time name kpi_type kpi_key1 kpi_value1 kpi_key2 kpi_value2 health I am a total newbie on Data model and acceleration. Looking for some basic help on creating one and using that in the dashboarding. ... View more

Hi Experts, i have a script which is supposed to install forwarder on the remote machines . The script does quite good job of installing it but its showing errors at two places. Below is the script and the errors it is throwing. ######## UF_install.sh Script ############## #!/bin/sh #### forwarderlist.txt contains the IP address of the forwarder to SSH into HOSTS_FILE="/opt/splunk/bin/scripts/forwarderlist.txt" ### Download the latest version of the installer from splunk site WGET_CMD="wget -O splunkforwarder-7.2.5.1-962d9a8e1586-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.5.1&product=universalforwarder&filename=splunkforwarder-7.2.5.1-962d9a8e1586-Linux-x86_64.tgz&wget=true'" INSTALL_FILE="splunkforwarder-7.2.5.1-962d9a8e1586-Linux-x86_64.tgz" DEPLOY_SERVER="10.0.1.39" PASSWORD="ExpertInsight" ### installation steps REMOTE_SCRIPT=" cd /opt yum install wget yum install vim sudo $WGET_CMD sudo tar -xzf $INSTALL_FILE sudo useradd -m -r splunk sudo chown -R splunk:splunk /opt/splunkforwarder ### /opt/splunkforwarder/bin/splunk enable boot-start -user splunk sudo -u splunk /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt --seed-passwd $PASSWORD sudo -u splunk /opt/splunkforwarder/bin/splunk enable boot-start sudo -u splunk /opt/splunkforwarder/bin/splunk set deploy-poll $DEPLOY_SERVER --accept-license --answer-yes --auto-ports --no-prompt -auth admin:changeme sudo -u splunk /opt/splunkforwarder/bin/splunk edit user admin -password $PASSWORD -auth admin:changeme ### SCP (copy) the files from Search head into the folder where the user has access to sudo scp -r /opt/splunk/bin/scripts/deploymentclient.conf ec2-user@$HOSTS_FILE:/home/ec2-user/deploymentclient.conf # Change permissions to splunk user sudo chown -R splunk:splunk /home/ec2-user/deploymentclient.conf # Then copy the file to appropriate directory sudo cp -r /home/ec2-user/deploymentclient.conf /opt/splunkforwarder/etc/system/local/ # once the file in /etc/system/local restart to take effect sudo -u splunk /opt/splunkforwarder/bin/splunk restart " ### Continue the same for other UF hosts echo "In 5 seconds, will run the following script on each remote host:" echo echo "====================" echo "$REMOTE_SCRIPT" echo "====================" echo sleep 5 echo "Reading host logins from $HOSTS_FILE" echo echo "Starting." for DST in `cat "$HOSTS_FILE"`; do if [ -z "$DST" ]; then continue; fi echo "---------------------------" echo "Installing to $DST" sudo ssh -t "$DST" "$REMOTE_SCRIPT" done echo "---------------------------" Can't open file "/etc/systemd/system/SplunkForwarder.service" for writing : Permission denied Login failed Login failed cp: cannot stat ‘/opt/splunk/bin/scripts/deploymentclient.conf’: No such file or directory chown: cannot access ‘/home/ec2-user/deploymentclient.conf’: No such file or directory cp: cannot stat ‘/home/ec2-user/deploymentclient.conf’: No such file or directory The deploymentclient file is kept at its location defined in the script on the deployment server but still shows the error and also not sure what this error is about Can't open file "/etc/systemd/system/SplunkForwarder.service" for writing ... View more

Recently my project has changed which is totally different than what i have been doing (Splunking). But since i love Splunk so much i don't want to lose it as a skillset, considering the fact that it is one of the hottest technology out there. My question is to ask experts, what they recommend one of the best way to keep in touch with Splunk. What I have been doing till now: 1) Installed Splunk N box on my macbook, and keep learning clustering stuff every other day. 2) Following the forum( answers.splunk.com) 3) Reading a book that I recently bought. ... View more