This is awesome and just solved my custom panel width issue after banging my head for the last hour.  Do you know where this attribute is documented for either behavior or which CSS items are support per version of Splunk. ... View more

Check this out.   https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Inputsconf#MONITOR:   ... View more

I can not find anything in the outputs.conf that will allow you to control the HTTP version sourced at the UF itself.  Splunk documentation implies a LB can/should be used and can control HTTP version.  Their example is NGINX but there are others out there which may or may not support in the same fashion. https://docs.splunk.com/Documentation/Forwarder/9.4.0/Forwarder/Configureforwardingwithoutputs.conf#Send_data_over_HTTP_using_a_load_balancer   ... View more

Try adding this additional ARG on startup - I don't know the syntax for docker so google it please.   --no-prompt ... View more

04-02-2025 11:08:28.852 +0000 INFO ExecProcessor [8927 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Lines Processed: 1   It appears to me that it made a successful connection and request for data download, but that download was empty.  I'm not an Akamai expert but perhaps you are requesting the wrong account/category of logs so revalidate the input config on the HF. All the logs are INFO or higher so no DEBUG level logs.  You could potentially change logging levels from INFO to DEBUG in order to catch additional details about the connection and request that could be helpful. ... View more

In my research you need 3 values and your table only as 2.  Heat maps are representing change of value over interval of time by category.   | timechart span=<interval> max(<value>) as perc by <field_name> ... View more

https://docs.splunk.com/Documentation/Splunk/9.4.1/Viz/EventHandlerReference#chart_.28event_tokens.29 I haven't done exactly what you are asking but I've done similar stuff.  The documents should help you out. ... View more

Splunk Web and interface issues   Date resolved Issue number Description 2024-07-09 SPL-256902 Splunk is crashing with "Crashing thread: WebuiStartup" when TLS is used for Splunk Web with an empty DNS under "X509v3 Subject Alternative Name" field of the certificate   This got posted first in 9.2.x and shows fixed in 9.4.0 but I don't see it listed as known or fixed in any 9.3.x release docs.  Might be something to ponder. ... View more

I think an example of your table is required at this point. ... View more

I have never seen the capability to make the hover value anything other than the original value.  If your third column is numeric in nature you could just use column 3 as an overlay value in your viz. ... View more

| eval duration = tostring(diff, "duration") This will output Days & Clock type output. ... View more

I have Splunk 9.4 installed and this is the file in the root $SPLUNK_HOME folder. splunk-9.4.0-6b4ebe426ca6-windows-x64-manifest That file name changes based on the version you have installed.  Inside that file is a list of ~30K files with expected owner and permissions.  The health check verifies against all of the contents but only on Splunk restart. ... View more

https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/Inputsconf interval = [<decimal>|<cron schedule>] * How often, in seconds, to run the specified command, or a valid "cron" schedule. * If you specify the interval as a number, it may have a fractional component; for example, 3.14 * To specify a cron schedule, use the following format: * "<minute> <hour> <day of month> <month> <day of week>" * Cron special characters are acceptable. You can use combinations of "*", ",", "/", and "-" to specify wildcards, separate values, specify ranges of values, and step values. * The cron implementation for data inputs does not currently support names of months or days. * The special value "0" forces this scripted input to be run continuously. As soon as the script exits, the input restarts it. * The special value "-1" causes the scripted input to run once on start-up. * NOTE: when you specify a cron schedule, the input does not run the script on start-up. * Default: 60.0 ... View more

$row.<column-field-name>.value$ Since the token referenced the column field name that is as specific as it gets.  I understand that you want to have multiple columns with unique URL for a reference.  All the documentation at this time points very specifically that you are limited to only one URL per row. ... View more

Can you tell me which format your are ingesting from these examples. https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525807(v=vs.90) #Software: Internet Information Services 6.0 #Version: 1.0 #Date: 2001-05-02 17:42:15 #Fields: time c-ip cs-method cs-uri-stem sc-status cs-version 17:42:15 172.16.255.255 GET /default.htm 200 HTTP/1.0 OR 192.168.114.201, -, 03/20/01, 7:55:20, W3SVC2, SALES1, 172.21.13.45, 4502, 163, 3223, 200, 0, GET, /DeptLogo.gif, -, 172.16.255.255, anonymous, 03/20/01, 23:58:11, MSFTPSVC, SALES1, 172.16.255.255, 60, 275, 0, 0, 0, PASS, /Intro.htm, -,   Once you confirm which format someone should be able to provide a recommended props.conf for the ingested sourcetype. Ofcourse you could opt for the app from Splunk base which looks to be very complete for IIS server logs. https://splunkbase.splunk.com/app/3185   ... View more

Sorry are you: 1) Trying to make a single Search Head Deployer serve 2 individual clusters? OR 2) Trying to move a single Search Head Deployer away from Cluster X and now server Cluster Y ... View more

Does the axis show todays date but no data fill? or is it that the axis is cut off as well? ... View more

The regex is simple enough. ^.*\sSetting\sconnector\s(?<connector_event>[^\s]+).*$ ... View more

No matter which version you upgrade to you can always reference the manifest file.  If the manifest does not list the file in the warning then it can be deleted. ... View more

Please keep in mind that Splunk docs no longer specify support for Windows 10/11, only specifically server version.  Something may have impacted the install extraction process. ... View more

The way that hot/warm/cold buckets along with bucket replication works it is in your best interest to make site 1 and site 2 indexing tier identical.  Someone with advanced on prem admin experience would be able to size this but storage becomes you biggest concern with unaligned resources. If you have some sort of business or budget constraints then I get why you would have unaligned sites - however personally I would very strongly suggest that both sites be identical compute and storage capacity at the indexing tier. Your individual indexer CPU count will determine how many concurrent searches can be run.  The compute power of your new machines appears acceptable from the minimal information available.  Keep an eye on skipped searches to confirm - the internal logs will indicate a skip reason.  Ideally SH and IDX should keep similar if not exact same CPU cores. ... View more

Are these values always aligned, or are the values sometimes unaligned and you still want to know if they are in both fields? ... View more

Which Windows OS? ... View more