As Workaround i now used CSS to hide the "View on Mobile" button. .view-mobile {     display: none !important; } ... View more

Thank you, found the authentication.conf with LDAP Configuration on our indexers ... View more

We have that false positives lately too and we found out with helkp of the following search that our peers ran into authTokenConnectionTimeout which defaults to 5 seconds authTokenConnectionTimeout is located in distsearch.conf       index=_internal (GetRemoteAuthToken OR DistributedPeer OR DistributedPeerManager) source!="/opt/splunk/var/log/splunk/remote_searches.log" | rex field=_raw "Peer:(?<peer>\S+)" | rex field=_raw "peer: (?<peer>\S+)" | rex field=_raw "uri=(?<peer>\S+)" | eval peer = replace(peer, "https://", "") | rex field=_raw "\d+-\d+-\d+\s+\d+:\d+:\d+.\d+\s+\S+\s+(?<loglevel>\S+)\s+(?<process>\S+)" | rex field=_raw "\] - (?<logMsg>.+)" | reverse | eval time=strftime(_time, "%d.%m.%Y %H:%M:%S.%Q") | bin span=1d _time | stats list(*) as * by peer _time | table peer time loglevel process logMsg     ... View more

Hello @Stives , How does your Inputstanza looks like? If no crcSalt is specified in the stanza, Splunk will look into the first (i think 256) Bytes of a file and determines based on that if it already know the File. If the first Bytes in the CSV files will always be the same you could change your inputstanza and add      crcSalt = <SOURCE>     docs to monitoring stanza for a deeper look into crcSalt:  https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Inputsconf#MONITOR: But be cautious, this will tell splunk to watch for the full path to determine if this file is already been indexed, so there is a possibility that you index the same file twice. Especially for Directories with rolling logfiles. Other possibility could be that the dates are out of the retention time scope. (If the files got indexed once but due to retention time got removed again when its bucket is not hot anymore) ... View more

I just found an imo ugly Workaround for that. Basically its not directly postprocessing search. Its using the SID of the basesearch and loads it using | loadjob with the "postprocessing" query, that creates an own SID for the further search, that can be used to export the results. But i have no clue how its differs to postprocessing searches in terms of performance/resource usage   <form theme="dark" version="1.1"> <label>test</label> <search id="baseSearch"> <query> index="test" | table A B C D E F _time </query> <earliest>-7d@d</earliest> <latest>now</latest> <done> <set token="job_to_exportTocsv">$job.sid$</set> </done> </search> <row> <panel> <html depends="$job_exportTocsv$"> <a target="_blank" class="btn" href="/api/search/jobs/$jobexportTocsv$/results?isDownload=true&amp;maxLines=0&amp;count=0&amp;filename=csv_export&amp;outputMode=csv" role="button">CSV Export</a> </html> <table> <search> <query> | loadjob $job_to_exportTocsv$ | stats count by A | addinfo </query> <done> <set token="job_exportTocsv">$job.sid$</set> </done> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form>       ... View more

Oh, I didnt knew that. Where is that info? In the Docs Define tokens for conditional operations with form inputs i cant find that info. ... View more

@annisha26  You can easily do that with the following: <input type="multiselect" token="panelTok" searchWhenChanged="true"> <label>select Panels to show</label> <choice value="1">Entry1</choice> <choice value="2">Entry2</choice> <choice value="3">Entry3</choice> <choice value="4">Entry4</choice> <change> <eval token="DisplayPanel1">if(isnull(mvfind($panelTok$, "1")),null(),true())</eval> <eval token="DisplayPanel2">if(isnull(mvfind($panelTok$, "2")),null(),true())</eval> <eval token="DisplayPanel3">if(isnull(mvfind($panelTok$, "3")),null(),true())</eval> <eval token="DisplayPanel4">if(isnull(mvfind($panelTok$, "4")),null(),true())</eval> </change> </input>   ... View more

I have a similar Problem. I call a Dashboard with <URL To Dashboard>?form.dropdown1=val1&form.dropdown2=val2&form.show_panel_tok=panel1 In the called Dashboard i have ... <init> <eval>token="show_panel1_tok">if($form.show_panel_tok$=="panel1",true(),null())</eval> <eval>token="show_panel2_tok">if($form.show_panel_tok$=="panel2",true(),null())</eval> </init> ... <panel depends="$show_panel1_tok$"> ... <panel depends="$show_panel2_tok$"> ...   the dropdown inputs dropdown1 and dropdown2 are showing the given value, but the evaluated tokens from init do sometimes work but mostly dont. Could it be a timing problem of splunk? If yes does anyone know a workaround? ... View more

Not the most recent Topic, but it got shown first, so i'll post my approach here. Recently i had similar difficulties and ended up  with a solution with way less lines and without much <set> ans <unset> Dropdown: <input type="dropdown" token="dropdownTok" searchWhenChanged="true"> <label>dropdown</label> <choice value="all">All</choice> <choice value="1">Entry1</choice> <choice value="2">Entry2</choice> <choice value="3">Entry3</choice> <choice value="4">Entry4</choice> <change> <eval token="DisplayPanel1">if($value$="1",true(),if($value$="all",true(),null()))</eval> <eval token="DisplayPanel2">if($value$="2",true(),if($value$="all",true(),null()))</eval> <eval token="DisplayPanel3">if($value$="3",true(),if($value$="all",true(),null()))</eval> <eval token="DisplayPanel4">if($value$="4",true(),if($value$="all",true(),null()))</eval> </change> <default>all</default> </input> That couple of lines inside <change> allows to set/unset the Tokens without <condition> I simply can u8se depends="$DisplayPanel2$" and that Row/Panel only shows up when all or Entry2 is selected ... View more

For testing stuff i sometimes do the following search for incremental counts: | makeresults count=10 ```for generating 10 tablerows``` | streamstats count ```for count upwards with the rows, starting with 1``` For "saving" the last count you could write that into an Index or into a Lookup or count the data that already got counted incrementally. and add that to a new incremental count. ... View more

@kamlesh_vaghela  No, i dont get any errors from the JS. I think the Error you get, depends on the used Browser or the settings in splunks internal webserver. Wich Browser are you using? I use OperaGX ... View more

@kamlesh_vaghela  Does your addition of the override of the render() function changed the behaviour, except logging "Hello, world!" to the console?  I dont notice a difference ... View more

@kamlesh_vaghela  Its a simple JS, that make a search, convert the Transaction Results to JSON-Objects and simply print them as HTML-table. I used a sample JS-View that i customized a bit. Script thats directly referred in the Dashboard: require([ "/static/app/fishingbot/tableview.js", "splunkjs/mvc/searchmanager", "splunkjs/mvc/simplexml/ready!" ], function(DemoView, SearchManager) { // Create a custom view var customView = new DemoView({ id: "mycustomview", managerid: "mysearch", el: $("#mycustomview") }).render(); var mysearch = new SearchManager({ id: "mysearch", preview: true, cache: true, search: "index=fishingbot | fields * | transaction maxspan=0s maxpause=0s | search message=\"*->*\" | where eventcount > 1 | table message", earliest_time:"0", latest_time:"now" }); });   The second Script, that uses the Result, converts to JSON and prints as table: /* demoview.js */ class EnchantedItem { constructor(name, enchantments) { this.name = name; this.enchantments = enchantments; } }; class Enchantment { constructor(name, level) { this.name = name; this.level = level; } }; define(function(require, exports, module){ // Base class for custom views var SimpleSplunkView = require('splunkjs/mvc/simplesplunkview'); // Require Underscore.js to work with a list of search results var _ = require("underscore"); // Define the custom view class var DemoView = SimpleSplunkView.extend({ className: "demoview", // Change the value of the "data" property options: { data: "results" }, // Override this method to format your data in a specific way // Our view expects HTML, so reformat the results array accordingly formatData: function(data) { // Display the data object to the console console.log("The data object: ", data); // Format each row of results as an HTML list var items = []; _.each(data, function(row, index){ let itemName = row[0][0].split(" "); itemName = itemName[0].replace(/"/g, ""); itemName = itemName.replace(/_/g, " "); let enchants = []; row[0].shift(); row[0].forEach(function(val) { var enchInfo = val.split(" "); let enchant = new Enchantment(enchInfo[1].replace(/_/g, " "),enchInfo[2]); enchants.push(enchant); }); let enchItem = new EnchantedItem(itemName, enchants); items.push(enchItem); }); var mydatastring = ""; items.sort(dynamicSort("name")); items.forEach(function(item) { mydatastring = mydatastring + "<tr><td>" + item.name + "</td><td>"; item.enchantments.forEach(function(enchant) { mydatastring = mydatastring + enchant.name + " " + enchant.level + "</br>"; }) mydatastring = mydatastring + "</td></tr>"; }); mydatastring = "<table class=\"table table-hover\"><thead><tr><td>Item</td><td>Enchantment<td></tr></thead><tbody>" + mydatastring + "</tbody></table>"; return mydatastring; }, // Override this method to configure your view createView: function() { return this; }, // Override this method to put the Splunk data into the view updateView: function(viz, data) { // Display the reformatted data object to the console console.log("HTML-formatted data: ", data); this.$el.html(data); } }); return DemoView; });   ... View more

If the logs have all the same fields and only different values, i would use the Fieldextractor (found at splunks homescreen under "add data") if not i would  try something like index=YourIndex controller.StandardProcessorNode | rex "$.+ o\.a\.n\.controller\.StandardProcessorNode (?<Status>\w+) .+\[id\=(?<id>.+)\]$" | table _time Status id ... View more