Hi everyone, I've been trying several day to create a query that can give me the list of name/value  inside the JSON file the file has hundreds of event and each event has multiple name/value as the picture below I'm not able to create a table out of the name/value pair from each event as below can anyone help me or guide me in the right direction ? GarageId         GarageClassId              GarageTypeId 4 1 5 3 4 5 6 5 4     thanks a lot for your time and support           ... View more

HI, does anyone know why when i use data preview or a manually upload the file and apply a custom json sourcetype everything seems to be fine and splunk is recognizing an event per line, but when i monitor a file from a remote server i can see in the index the exact number of event that i have in the remote file but the search only show 1 event in the remote inputs.conf file i have specified the name of the sourcetype i want to use [monitor://X:\Logs\Website] disabled = false index = sandbox_webservers_logs_errors whitelist = errors sourcetype = ErrorLog_json thanks for your help... ... View more

Hi, i have 10 dashboards where i am currently initializing the same tokens in all the dashboards. The problem with this is that i have to go to all 10 dashboards tho change the value when i need to change the value of a token. question: is there a way to set a static value of a token outside a dashboard and use this token inside my dashboards ??? something like global variable/token so i only need to change the value in one place. Note: the value of the token is static so it wont change. thanks ... View more

Hi all, I have a dbxquery from DB connect which return all results in the DB, then I put this in a splunk dashboard with a time picker but the time chosen is no being considered by the dbxquery. dbxquery query="SELECT * FROM \"HealthMon\".\"dbo\".\"Access\"" connection="HealthMon" is there a way to limit the results of dbxquery based on the chosen time ? thanks a lot ... View more

HI, i am trying to index a local json file, but when going trough the sourcetype the predefined json source type is not reading the file properly..splunk put everything in one line...no detecting time format or something (see attached file) then i found that splunk is not indexing separate events because the json file starts with { and ends with } if i removed those character splunk will give me a line per event. does someone knows how I can remove the { at the beginning and the } at the end with splunk before indexing? i'm putting this when i go through wizard data inpout local file in the advance section SEDCMD-removesymbol = s/^{/g (this is not working) thanks { "records": [ { "time": "2018-05-11T13:29:03Z", "GatewayId": "4r566-5678-4753-968f-34568", "Region": "unknown", "operationName": "ApplicationGatewayAccess", "category": "ApplicationGatewayAccessLog", } , { "time": "2018-05-11T13:29:05Z", "GatewayId": "4r566-ae57-dfg543-968f-xxx45t67", "Region": "unknown", "operationName": "ApplicationGatewayAccess", "category": "ApplicationGatewayAccessLog", } } can someone please help me ? thanks ... View more

HI, i am trying to index a local json file, but when going trough the sourcetype the predefined json source type is not reading the file properly..splunk put everything in one line...no detecting time format or something (see attached file) this is an exemple inside the file { "records": [ { "time": "2018-05-11T13:29:03Z", "GatewayId": "4r566-5678-4753-968f-34568", "Region": "unknown", "operationName": "ApplicationGatewayAccess", "category": "ApplicationGatewayAccessLog", } , { "time": "2018-05-11T13:29:05Z", "GatewayId": "4r566-ae57-dfg543-968f-xxx45t67", "Region": "unknown", "operationName": "ApplicationGatewayAccess", "category": "ApplicationGatewayAccessLog", } can someone help me to figure this out ? thanks for your support ... View more