Hi, I have a dashboard created in dashboard studio . This contains two drop downs (Country and State).. Both of them are interdependent on each otherc to display values and has default value set to * (All). When I select value from country dropdown , it loads its states in dropdown 2.  But when I do the selection second time, Example -  USA -->  India. States will still have California in display. But on clicking  states dropdown later,t I can see India related states with California as first value. Is there a way that dropdown selection can be reset automatically based on other dropdown value. Example, when I select USA , states of USA must be displayed in states dropdown. When I change selection from USA to India, states dropdown should be either All or first value of Indian state.  Please help on this. Regards, PNV   ... View more

Hi All,  Is there a way in splunk dashboard studio just I make one column clickable  in table displayed?  I have a table visualisation  in dashboard studio. I want just one column value to be clickable. So, that on click of that another table is displayed . ( show / hide).  Please let me know how we can make just value in one column clickable ? Can we ? Regards, PNV ... View more

Hi All, I have a dropdown as below in dashboard studio I also have a table that has options - All, active groups and inactive groups.  If user clicks on "Inactive groups", it should display table that has details of inactive groups, if user clicks on Active groups table with active groups should be displayed. If user clicks on All, then all groups should be displayed. Until any of above chosen table should be hidden.  I have selected "When data is unavailable, hide element" option under visibility in configuration. But I am not getting how to achieve my above use cases. Please can anyone of you help me on this.  Thanks, PNV   ... View more

Hi All, I have created few tags in splunk which are getting disabled automatically. I want to check using splunk query the time they are getting disabled.  Please can anyone of you suggest me the query for this . I tried using REST but not getting exact details. I also tried below but not seeing any related logs. index=_internal sourcetype=splunk_audit action=edit status=disabled info=tags Thanks in advance, PNV ... View more

Hi All,     TagData [ [-] { [-] Key: Application Value: Test_App } { [-] Key: Email Value: test@abc.com } ]     I have nested json data as above. I want to extract Email field value and map it to new field - owner_email . This need to be done during indexing time. With normal splunk search , I am getting way : index=*_test sourcetype="test:sourcetype" source="*:test" | array2object path="TagData" key="Key" value="Value" | rename "TagData.Email" as owner_email Please help me how to achieve this during indexing time. How do I update props.conf file ? Regards, PNV ... View more

Hi All, I want to extract email  from json event in splunk. Query I am using is :     index=*sec sourcetype=test | eval tags_json=spath(_raw, "Tag{}"), final_tag_json=json_object() | foreach mode=multivalue tags_json [ | eval final_tag_json=json_set(final_tag_json, spath('<<ITEM>>', "Key"), spath('<<ITEM>>', "Value"))] | spath input=final_tag_json | rex field=Email "(?<email>^\w+@abc.com$)"     Raw data :     "Tag": [{"Key": "app", "Value": “test”_value}, {"Key": "key1", "Value": "value1"}, {"Key": "key2", "Value": "value2"}, {"Key": “email”, "Value": “test@abc.com}],     I want email to be mapped to contact when indexed. How can I achieve this ? Please help me Regards, pnv ... View more

Hi All, I am trying to extract a value from the indexed field. i.e from source field . I have added the regex in props.conf  Example :  source = 234234324234:us-west-2:firehose_list_tags_for_resource I want everything after second : (colon) as service i.e firehose_list_tags_for_resource I have added in props.conf as below : EXTRACT-service = source([^:]+:[^:]+:(?<service>.+)$) This has created the field service but fetching wrong value. It is fetching last part of raw data. Please can anyone help me to understand how can I extract field value from indexed data ? Should I add in transforms.conf as well ? Please can anyone guide me. It helps me lot Regards, PNV ... View more

Hi All, I have setup new deployment server and new heavy forwarder. There is successful phonehome connection when I check with command "./splunk list deploy-clients". The client is successfully connecting the server. I want to push new app to this new heavy forwarder. But the app is not getting pushed from Deployment server. I verified that  the app is under deployment_apps directory. I also checked serverclass.conf file.Both are looking good. What is the reason that app is not getting written ?  Do I need to first create a app in HF manually so that DS finds the app and pushes the changes ?  Regards, PNV ... View more

Hi All, I have deployed new deployment server  (aws ec2 instance) and updated the existing route53 dns entry to point to this new server. But I see the deployment clients are making connection to old server still. I believe there is  old connection saved at deployment client. Does anyone of you know how to encounter this issue ? Your solution helps me lot please. Regards, PNV ... View more

Hi All, I want to extract service name from sourcetype="aws:metadata" and source field. Example : 434531263412:eu-central-1:elasticache_describe_reserved_cache_nodes_offerings I am using this query :     index=* sourcetype=aws:metadata | eval aws_service=mvindex(split(source,":"),2) | rex field=aws_service "(?<aws_service>[^_]+)" | table aws_service source| dedup aws_service     Using this I will get result :  elasticache. But in case of "434531263412:us-west-2:nat_gateways" its just extracting nat. But it should be gateways. S Similarly in 434531263412:eu-central-1:application_load_balancers, its extracting application. I was thinking if we can check for the keyword and update the value. I want to add this in props.conf file so aws_service field gets created from source. Please can anyone of you help me how can I achieve this ? Regards, PNV ... View more

Hi All, I have a dashboard built using dashboard studio. I want to pass multiple tokens to another dashboard on click of value in one of the panels. I am using interactions --> Link to dashboard. Adding tokens here. But not getting how to pass multiple tokens so it reflects in another dashboard.  Please can anyone suggest me on this. Regards, pnv ... View more

I have a dashboard named dashboard1 created using splunk dashboard studio. It has dropdown as below :   Based on the selection here, it displays line graph. Example : AWSAccount selected, line graph contains different account ids. (xyseries, $Account_Selection$,costing) There is another dashboard  (dashboard2) which has details of the AWSAccounts. It has two dropdowns again- awsaccountid, accountname. My requirement is Example :  when I click on any line in the dashboard1 (where each line is different AWSAccount). It should direct to dashboard2 with this AWSAccount selected in dropdown of dashboard2. Similarly if AWSAccountName  is selected in dropdown and any account is clicked in the panel, it should direct to dashoard2 with the same AWSAccountName in the dashboard2 dropdown.  If AWSAccount is selected and clicked, accountname in dashboardw will have default value "All" i.e *. viceversa if AWSAccountName selected. What I have done ? Under interactions , I selected link to dashboard with dashboard2 and gave Token name = account_id (this is the token set in dashboard 2) Value = Name         "eventHandlers": [ { "type": "drilldown.linkToDashboard", "options": { "app": "Search", "dashboard": "dashboard2", "newTab": true, "tokens": [ { "token": "awsaccountid", "value": "name" } ] } } ] "eventHandlers": [ { "type": "drilldown.linkToDashboard", "options": { "app": "search", "dashboard": "dashboard2", "tokens": [ { "token": "awsaccountid", "value": "row.AWSAccount.value" } ], "newTab": true } } ]         This is working fine. But if I add AWSAccountName under tokens and pass value to it like above, it is causing AWSAccount value to be displayed in "awsaccountid" and "accountname" of dashboard2. Please can anyone of you help me how to implement this. Regards, PNV     ... View more