Activity Feed
- Karma Re: Setting outlook.com as SMTP server for Splunk for livehybrid. 2 weeks ago
- Karma Re: Official Guide to Integrate Splunk with Power BI for isoutamo. 2 weeks ago
- Karma Re: Official Guide to Integrate Splunk with Power BI for kiran_panchavat. 2 weeks ago
- Karma Btools, the big brother of btool (tools, not a question) for jotne. 2 weeks ago
- Posted Re: How to embed "https://docs.splunk.com/Documentation" in Splunk dashboard on Dashboards & Visualizations. 3 weeks ago
- Karma Changes to Splunk Instructor-Led Training Completion Criteria for cskokos_splunk. 01-30-2025 12:05 PM
- Karma Log Observer Connect now available between AppDynamics and Splunk Cloud! for joannazhr. 01-09-2025 05:51 AM
- Karma What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience for kwheeler. 01-09-2025 05:50 AM
- Karma Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly for msimon-splunk. 11-26-2024 07:34 AM
- Karma [Solution] Dashboard global_time token value not set for preview. 11-12-2024 08:29 AM
- Karma Explore the Latest Educational Offerings from Splunk for cskokos_splunk. 10-23-2024 10:15 AM
- Karma Index This | What gets bigger the more you remove? for cskokos_splunk. 07-15-2024 08:11 AM
- Got Karma for Re: How to create dashboard with clickable hyperlinks to search results?. 06-17-2024 12:17 PM
- Posted Re: How to create dashboard with clickable hyperlinks to search results? on Dashboards & Visualizations. 06-11-2024 06:17 AM
- Karma Re: What variables can you use in email subject? for bmunson_splunk. 05-15-2024 11:36 AM
- Karma Re: Run a Scheduled Report on Demand for patterc. 05-15-2024 11:24 AM
- Karma They're back! Join the SplunkTrust and MVP at .conf24 for rwoods_splunk. 05-06-2024 11:36 AM
- Karma Re: How to list defined sourcetypes through API for jbanker. 05-06-2024 11:28 AM
- Posted Re: 2 values for "User" field being shown. on Splunk Search. 05-06-2024 05:33 AM
- Karma Re: Dashboard Drop Down Group of Servers Environment Wise for gcusello. 04-26-2024 12:39 PM
3 weeks ago
@kumaranv I don't see a point to that, and would say don't do that. However, assuming you have reasons I can't think of, that's not going to be possible. The best you could do is to use an HTML panel with a hyperlink to the specific docs you were looking to embed.
06-11-2024
06:17 AM
1 Karma
@kmjefferson42 Hi Ken! What you're looking to do is possible in Simple XML Dashboards (don't know about Studio). Interesting that you already have this, but can't reverse engineer it? That might require more details in a different question. To answer the question you asked, please find a run-anywhere example below. To use it, create a new classic (Simple XML) dashboard, click "Source" to edit the XML code, delete the existing lines, and paste the example below in. This will give you the bones for creating all the panels you want with hyperlinks.
<dashboard version="1.1">
<label>dashboard panel for links</label>
<row>
<panel>
<html>
<h2>Panel 1</h2>
<p>
<ul>
<li>This is a bulleted list of notes. Copy and paste this line of html for each bullet needed</li>
<li><a href="https://www.splunk.com/">Replace this URL with your search, report, or dashboard URL</a></li>
</ul>
</p>
</html>
</panel>
<panel>
<html>
<h2>Panel 2</h2>
<p>
<ul>
<li>Same content below. Showing multiple panels are possible on the same row. Season to taste.</li>
<li><a href="https://www.splunk.com/">Replace this URL with your search, report, or dashboard URL</a></li>
</ul>
</p>
</html>
</panel>
</row>
</dashboard>
05-06-2024
05:33 AM
@maiks1 When I saw another field's values show up in a given field, a sysadmin had changed the order of the logs. This can show up as a new order for the same number of fields, the introduction of a new field in the log, the removal of a field (which changes the order of later fields in the log), etc. The sourcetype configuration wasn't updated, so it keeps parsing per its definition. Lesson: walk through the whole thing slowly, starting at the beginning. Once you've identified what changed, then you can work on why it changed.
03-05-2024
10:06 AM
1) The limits.conf file is configured by your administrator: https://docs.splunk.com/Documentation/Splunk/9.2.0/admin/limitsconf#.5Brex.5D
2) When I search for similar questions to yours, I find some possible answers to your problem:
https://community.splunk.com/t5/Splunk-Search/Rex-has-exceeded-configured-match-limit/m-p/391837
https://community.splunk.com/t5/Splunk-Search/Regex-error-exceeded-configured-match-limit/m-p/469890
https://community.splunk.com/t5/Splunk-Search/Error-has-exceeded-configured-match-limit/m-p/539725
3) You'll notice in these other answers that the questions supply a log sample and their query to show what the rex is working against. Only do this if the event information is not sensitive. But without that information, it'll be difficult for the community to help you. That's why I'm supplying you with some other information too.
02-05-2024
08:18 AM
Note:
1) The spath command can be expensive, especially against large data sets.
2) If all you need is to parse a string and get the values, consider regular expressions for JSON data also. In the rex below, I named the a|b|c|d field "foo", in case it had value later on. If not, it doesn't need to be used.
| makeresults ```creating dummy data based on the original question```
| eval json_data="{data: {a : { x: {value_x} y: {value_y}}} }"
| append
[ makeresults
| eval json_data="{data: {b : { x: {value_x} y: {value_y}}} }"
]
| append
[ makeresults
| eval json_data="{data: {c : { x: {value_x} y: {value_y}}} }"
]
| append
[ makeresults
| eval json_data="{data: {d : { x: {value_x} y: {value_y}}} }"
]
```ending the creation of dummy data```
| rex field=json_data "{(?<foo>\w+)\s:\s{\s+x:\s{(?<x_value>.+)}\s+y:\s{(?<y_value>.+)}}}" ```parse strings using a regular expression; \s+ (one or more spaces) before x: and y: so the single-spaced dummy data above matches as well as double-spaced input```
| table json_data x_value y_value ```display results of regular expression in a table```
Results in:
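As an added example, not from the post above and not Splunk code, the Python below checks the same rex offline against constructed strings shaped like the dummy data. The named groups are translated to Python's (?P<name>...) syntax and the braces escaped; a strict copy of the original pattern (two literal spaces before x: and y:, as \s\s demands) sits beside a relaxed copy that tolerates any amount of whitespace, so you can see which inputs each one catches before the search is run against real events.

```python
import re

# Constructed sample strings shaped like the dummy data in the post (not real events).
SAMPLES = [
    "{data: {a : { x: {value_x} y: {value_y}}} }",     # one space before x: and y:
    "{data: {b : {  x: {value_x}  y: {value_y}}} }",   # two spaces, as the original \s\s expects
    "{data: {c : {x: {1.5} y: {-2}}} }",               # no space before x:, numeric values
    "{data: {d : { x: {value_x}}} }",                  # y: missing, should not match at all
]

# The rex from the post in Python syntax: Splunk's (?<name>...) becomes (?P<name>...),
# and the braces are escaped so they are read as literals rather than quantifiers.
STRICT = re.compile(
    r"\{(?P<foo>\w+)\s:\s\{\s\sx:\s\{(?P<x_value>.+)\}\s\sy:\s\{(?P<y_value>.+)\}\}\}"
)

# Same structure, but \s* around the keys and lazy captures, so whitespace variations
# are handled and each value stops at the first closing brace that fits.
RELAXED = re.compile(
    r"\{(?P<foo>\w+)\s*:\s*\{\s*x:\s*\{(?P<x_value>.+?)\}\s*y:\s*\{(?P<y_value>.+?)\}\s*\}\s*\}"
)


def extract(text, pattern=RELAXED):
    """Return {'foo', 'x_value', 'y_value'} for text, or None when the pattern does not match."""
    m = pattern.search(text)
    return m.groupdict() if m else None


def extract_all(samples, pattern=RELAXED):
    """Apply extract() to every sample; a None entry is where a rex would leave the fields empty."""
    return [extract(s, pattern) for s in samples]


if __name__ == "__main__":
    for name, pat in (("strict", STRICT), ("relaxed", RELAXED)):
        print(name)
        for sample, result in zip(SAMPLES, extract_all(SAMPLES, pat)):
            print("  ", sample, "->", result)
```

Running it shows the strict pattern only extracting from the double-spaced sample, while the relaxed pattern handles all three well-formed strings and still returns nothing for the sample that lacks a y: key, which is the behaviour you want before trusting a rex in a scheduled search.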
12-12-2023
03:38 PM
@shocko I love the question. The answers are complicated. I'll respond below for Simple XML Dashboards. For Dashboard Studio, please submit a different and detailed question to the Splunk Community.
1) Themes out of the box are light and dark. You can look through the docs on how to create your own, if you wish: https://dev.splunk.com/enterprise/docs/developapps/createapps/buildapps/adduithemes/
2) If you search your Splunk filesystem for bootstrap-dark.css, you'll find the file that provides the dark theme.
2.5) If you don't have access to the filesystem, you can use your browser dev tools to get the URL to bootstrap-dark.css.
2.7) Be warned. It's a BIG file. Formatted pretty, it comes to >7300 lines.
3) You're better off, IMHO, using CSS overrides to change the font. To read more:
https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/UseCSS
https://docs.splunk.com/Documentation/Splunk/9.1.2/Viz/PanelreferenceforSimplifiedXML
Finally, note in that last example that you can include CSS style inside an HTML panel within a dashboard. Searching this larger Splunk Answers Community for "html css style dashboard panel" should yield you plenty of examples. Here's a great one from my friend Niket to get you started with nearly ready copy/paste code: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-add-style-to-panel-titles-in-my-dashboard/m-p/405736
10-24-2023
07:59 AM
@niketn I miss you, my friend. I remember this started a great bunch of conversations between us that included a hug at .conf19. I want to give a shout out to @kaeleyt for providing my go-to solution for this problem: https://community.splunk.com/t5/Splunk-Search/How-to-add-colors-to-a-table-for-dynamic-columns/m-p/411419 After looking further, I found this line in the documentation, https://docs.splunk.com/Documentation/Splunk/latest/Viz/TableFormatsXML: "If you do not specify a field, the format rule is applied to the entire table." So the magic is not specifying a field in the line: <format type="color"> I also want, as Niket taught me by example, to include a run-anywhere example implementing the solution.
<dashboard version="1.1">
<label>Erics Column Test</label>
<row>
<panel>
<title>Data Example</title>
<table>
<search>
<query>index=_internal sourcetype=splunkd log_level!=INFO earliest=-7m@m latest=now
| eval Time=strftime(_time,"%Y-%m-%d %H:%M")
| chart count as Error by component Time</query>
<earliest>-1h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color">
<colorPalette type="list">[#118832,#1182F3,#CBA700,#D94E17,#D41F1F]</colorPalette>
<scale type="threshold">0,30,70,100</scale>
</format>
</table>
</panel>
</row>
</dashboard>
10-05-2023
02:53 PM
2 Karma
@sjringo You're so close... you need a "BY _time" on your stats line:
index=anIndex sourcetype=aSourcetype "SFTP upload finished" OR "File sent to MFS" OR "File download sent to user" OR "HTTP upload finished"
earliest=-0month@month latest=now
| bucket _time span=day
| stats count(eval(searchmatch("SFTP upload finished"))) as SFTPCount
count(eval(searchmatch("File sent to MFS"))) as MFSCount
count(eval(searchmatch("File download sent to user"))) as DWNCount
count(eval(searchmatch("HTTP upload finished"))) as HTTPCount BY _time
09-25-2023
12:54 PM
Hi @arist0telis! A percentage is the number of escalations out of the total established, times 100. Or with more math notation: (BotEscalated/ChatbotEstablished) x 100 = Percentage Escalated. So we convert that to eval statements. I haven't tested it below, but it should be pretty close.
index=sfdc sourcetype=sfdc:conversationentry EntryType IN ("ChatbotEstablished", "BotEscalated")
| stats count(eval(EntryType=="BotEscalated")) as "BEcount", count(eval(EntryType=="ChatbotEstablished")) as "CEcount" ``` get the counts; double quotes for the string literals, since single quotes inside eval mean a field name```
| eval mypercentage = round(('BEcount'/'CEcount')*100, 2) ```get the percentage and round to 2 places```
09-11-2023
09:05 AM
@av_ Thank you for the additional detail. Makes sense. I would handle that as two separate jobs. I would say this is the solution and can be cleanly executed.
09-11-2023
07:30 AM
Hi @av_! Your expression looks correct to account for the 8 hour difference, assuming the cron job is executing in your timezone. 21:00 Sunday GMT would be 5:00 Monday BJT. So if that is not working as expected, then the cron job may not be running out of your GMT timezone. If it's running out of the BJT timezone, then the cron needs to be re-written to:
*/5 5-22 * * 1-5
Did you test that? What was the result? If that also isn't working, then more details are needed for people to figure out why the cron is executing in neither timezone.
09-11-2023
07:06 AM
Hi @av_! To double-check cron expressions, I may resort to using a tool like crontab guru. When I put the expression you provided in there, it suggests the 0-5 part of the cron expression includes Sunday. https://crontab.guru/#*/5_21-23,0-13_*_*_0-5 So if we change that part from 0-5 to 1-5, it appears that may work for you. Good luck! If you find this helpful please give it a thumbs up!
09-11-2023
06:58 AM
Hi @av_! There's a tool some of us use to provide a gut-check, crontab guru (not affiliated in any way with it - just a user), which I used on the cron you provided: https://crontab.guru/#*/5_21-23,0-13_*_*_0-5 The tool's assessment is the cron runs on Sundays. If we break down the cron, the last part (0-5) sets the days of the week. So if we try changing that to 1-5, it appears it may work for you.
*/5 21-23,0-13 * * 1-5
There are other tools out there. There's nothing magical about what I used, but I like it for people who are unfamiliar with cron. Good luck! If this helped you, please provide it a thumbs up.
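The replies above do the gut-check with crontab guru by eye. As an added example, not part of the thread and not affiliated with crontab guru, the Python below does the same check for the two scheduler timezones discussed (GMT and BJT, taken as UTC+0 and UTC+8): it parses a five-field cron expression, walks every minute of one week, evaluates the expression where the scheduler runs, and reports which weekday/hour slots the viewer's wall clock would see it fire in. Weekday numbering follows cron (0 = Sunday); the day-of-month/day-of-week OR rule of real cron is simplified to AND, which is harmless here because both expressions use * for the day and month fields.

```python
from datetime import datetime, timedelta, timezone

DAY_NAMES = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]  # cron numbering: 0 = Sunday


def _expand(field, lo, hi):
    """Expand one cron field ('*', '*/5', '21-23,0-13', '1-5', '7') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Parse a five-field cron expression into allowed minute/hour/day/month/weekday sets."""
    minute, hour, dom, month, dow = expr.split()
    return (_expand(minute, 0, 59), _expand(hour, 0, 23), _expand(dom, 1, 31),
            _expand(month, 1, 12), _expand(dow, 0, 6))


def cron_matches(spec, dt):
    """True when dt (an aware datetime already in the scheduler's timezone) fires spec.
    Simplification: day-of-month and day-of-week are ANDed; real cron ORs them when both are restricted."""
    minutes, hours, doms, months, dows = spec
    cron_dow = (dt.weekday() + 1) % 7  # Python: Monday=0 ... Sunday=6; cron: Sunday=0
    return (dt.minute in minutes and dt.hour in hours and dt.day in doms
            and dt.month in months and cron_dow in dows)


def local_coverage(expr, scheduler_utc_offset, viewer_utc_offset,
                   start=datetime(2023, 9, 10, tzinfo=timezone.utc), days=7):
    """Walk every minute of one week (start is a Sunday), evaluate expr where the scheduler runs,
    and return the set of (weekday, hour) slots in which the viewer's wall clock sees it fire."""
    spec = parse_cron(expr)
    sched_tz = timezone(timedelta(hours=scheduler_utc_offset))
    view_tz = timezone(timedelta(hours=viewer_utc_offset))
    slots = set()
    t = start
    end = start + timedelta(days=days)
    while t < end:
        if cron_matches(spec, t.astimezone(sched_tz)):
            local = t.astimezone(view_tz)
            slots.add((DAY_NAMES[(local.weekday() + 1) % 7], local.hour))
        t += timedelta(minutes=1)
    return slots


def describe(slots):
    """Group slots as weekday -> sorted list of hours for a readable summary."""
    out = {}
    for day, hour in sorted(slots, key=lambda s: (DAY_NAMES.index(s[0]), s[1])):
        out.setdefault(day, []).append(hour)
    return out


if __name__ == "__main__":
    for expr in ("*/5 21-23,0-13 * * 0-5", "*/5 21-23,0-13 * * 1-5"):
        print(expr, "run in GMT, seen from UTC+8:", describe(local_coverage(expr, 0, 8)))
    bjt = "*/5 5-22 * * 1-5"
    print(bjt, "run in UTC+8, seen from UTC+8:", describe(local_coverage(bjt, 8, 8)))
```

Comparing the three summaries side by side makes the timezone shift concrete: the GMT expression with 0-5 lands on Sunday daytime in UTC+8, and every GMT evening hour moves to the following local morning, so the weekday field and the hour field have to be reasoned about together rather than one at a time.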
05-25-2023
06:57 AM
@geofrey1 Welcome to the Splunk Community! You mean after people log in, the page that loads is not the same for everyone? That's correct. Each person can set their own preference. Once logged in, click your username, select Preferences, and select your default application. Each default application can also have a default page, but you can't select that; that's in the app's configuration, set by the admins.
05-11-2023
01:56 PM
1 Karma
@michaeler Along the lines of what Rich said, check out this article with an example of how set and unset token can work to your advantage: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-set-and-unset-token-after-submit-and-what-should-be/m-p/596786
04-26-2023
02:29 PM
Hi @kundanti! Here are some helpful links to get you started on your journey. Once you have attempted to solve the problem, if you have a very specific issue, open a new question here. You'll need a search specific to your environment and your permissions that can access the information: https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-find-license-usage-for-a-particular/m-p/359652 Then you'll need to figure out what "normal" for your org looks like. Then you'll need to alert if below "normal": https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32474 Good luck!
04-19-2023
07:48 AM
@Sharzi There's no silver bullet to these types of things. It's a lot of trial and error. @VatsalJagani offered some good tips. We also found some relief by using the AUTO window when scheduling (with the cron), having some queries send to the summary index once a week (instead of twice a day), making sure we looked at conflicting schedules (not just our jobs in our app, but all jobs across all apps), etc. After support tickets, with band-aids like this, things became worse. We diagnosed the hardware and found contention on some KPIs. We upgraded the hardware and the issues went away. Good luck!
04-11-2023
12:44 PM
@sovereign-03 You provided the search you're running, but what's the problem? You mention unbalanced quotes in your title, but there's no quotes in your search. Is it that the search won't run, or you aren't getting the results you expected (what are the results you're getting?), or something else? More details may lead to someone being able to help out.
04-11-2023
11:45 AM
@Jdtoney My mind went to regular expressions, and I went to sanity check my thoughts against the following articles: https://community.splunk.com/t5/Splunk-Search/Multi-Line-field-extraction/m-p/331355 https://community.splunk.com/t5/Splunk-Search/Multi-line-field-Extraction/m-p/73920 with one of them mentioning using the field extractor: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX Using what you provided, I was able to craft a regular expression that gets close to what you want as two fields, and then you can use an eval to glue the two fields together. YMMV, for what you want to capture and not, and based on your actual logs.
Regular Expression:
Message: Help\. Reason: (?<firstpart>.*)\n\n.*?@ 1 @ (?<secondpart>.*).$
In context: https://regex101.com/r/29jHcy/1 Good luck! If this was helpful at all, please consider giving some karma.
03-07-2023
04:10 AM
2 Karma
Congratulations to everyone in this Splunk MVP cohort! I am humbled and honored to have been selected for this amazing group!
02-01-2023
05:44 AM
1 Karma
@dmoberg Your description gives you a possible answer. You're looking for a combination of location and statuscode by time. So that's what you provide to the timechart command:
| eval newfield = 'body.records.properties.responseCode' + "_" + 'body.records.location' ``` double check these single and double quotes due to editor here```
| timechart span=15 count BY newfield
What you end up with is a timechart showing something like this along your timechart: 200_Omaha 404_Anahiem
12-05-2022
11:46 AM
@MonkeyK All the possible fields for all the selected sourcetypes? With an assumption that the sourcetypes all have the same fields every time, so you can create a list of "supposed_to_be_there_fields" and then reference that list every time to find when a field is missing. Is that right? That's a few questions rolled into one. They probably all won't be answered here. Solve for the first part and then create another question for the second part (referencing the first part, for those who come along later).
* Create a list. Use what you have (then determine how often it's going to be updated). An alternative could be something like | fieldsummary. I suspect you already knew this command. Here's the link to the docs for those finding this later: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fieldsummary
* Export as csv, and use as a lookup. Compare the lookup list against what's available to find what's missing. In the Splunk community, we often kick this link around (credit: Duane Waddle): https://www.duanewaddle.com/proving-a-negative/
As a one-off, this might be okay. As an ongoing solution against 100's of sourcetypes, it sounds a little fragile. YMMV. Best of luck! Maybe this helped some.
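As an added example, not from the post above and not Splunk's own code, the Python below models the two steps the post describes outside of Splunk: a fieldsummary-style tally of which fields each sourcetype actually carries, and a "proving a negative" comparison of that tally against an expected-fields list as a lookup would hold it. The events and the expected list are constructed for the example; the sourcetype names, IPs and usernames are placeholders, not real data. It also flags a field that is present in only some events (a partial extraction) and a sourcetype with no events at all, which a plain set difference would miss.

```python
# Constructed sample events, shaped like the field dicts Splunk would hand back (not real data).
EVENTS = [
    {"sourcetype": "access_combined", "clientip": "10.0.0.1", "status": "200", "uri": "/"},
    {"sourcetype": "access_combined", "clientip": "10.0.0.2", "status": "404", "uri": "/x"},
    {"sourcetype": "access_combined", "clientip": "10.0.0.3", "status": "200"},  # uri missing in one event
    {"sourcetype": "vpn_auth", "user": "alice", "src": "198.51.100.7"},          # 'result' never extracted
    {"sourcetype": "vpn_auth", "user": "bob", "src": "198.51.100.9"},
]

# The "supposed_to_be_there_fields" list from the post, as a lookup would hold it (constructed).
EXPECTED = {
    "access_combined": {"clientip", "status", "uri", "useragent"},
    "vpn_auth": {"user", "src", "result"},
    "firewall": {"action", "src_ip", "dest_ip"},   # expected, but no events arrived at all
}


def field_summary(events):
    """Per sourcetype: number of events and how many of them carried each field (like fieldsummary)."""
    summary = {}
    for ev in events:
        st = ev.get("sourcetype", "unknown")
        entry = summary.setdefault(st, {"events": 0, "fields": {}})
        entry["events"] += 1
        for f in ev:
            if f != "sourcetype":
                entry["fields"][f] = entry["fields"].get(f, 0) + 1
    return summary


def prove_negative(events, expected, min_coverage=1.0):
    """Compare observed fields with the expected list. Returns, for every sourcetype with a problem,
    {'missing': [fields never seen], 'partial': {field: fraction of events carrying it},
     'no_events': True when the sourcetype produced nothing in this window}."""
    summary = field_summary(events)
    findings = {}
    for st, wanted in expected.items():
        entry = summary.get(st)
        if entry is None:
            findings[st] = {"missing": sorted(wanted), "partial": {}, "no_events": True}
            continue
        seen = entry["fields"]
        missing = sorted(f for f in wanted if f not in seen)
        partial = {f: round(seen[f] / entry["events"], 2) for f in sorted(wanted)
                   if f in seen and seen[f] / entry["events"] < min_coverage}
        if missing or partial:
            findings[st] = {"missing": missing, "partial": partial, "no_events": False}
    return findings


if __name__ == "__main__":
    for st, finding in prove_negative(EVENTS, EXPECTED).items():
        print(st, finding)
```

The partial-coverage check is the one worth keeping when this runs on a schedule: a field that silently drops from 100% to 60% of events is the symptom of the log-format change described in an earlier reply on this page, and it never shows up as "missing" in a simple lookup comparison.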
@mdr003 That's possible. Depending on where you're getting the data from, with the correct index, source, sourcetype, host values, and search terms, you can get there. Here's a fictitious example that might help you get there. This gets the data, breaks time into 1 second bins, performs a status count per 1 second bin, sorts the result with the largest count first, then clips it to the first 3. Season to taste. Good luck!
index=_internal source=*scheduler.log search_type=scheduled
| bin _time AS _time span=1s
| stats count(host) AS Count BY _time host
| sort - Count
| head 3
10-28-2022
05:01 AM
1 Karma
@Jouman If the answers helped you, please don't forget to "accept" the answer (so the community knows this has been answered) and click the thumbs up to give some karma! 🙂
08-26-2022
01:52 PM
@Sammy13 Is there really a "T" in there, or is that a typo? Can you show us an actual log entry? Obfuscate any sensitive data.