Had a hard time debugging that one. It only works if your SPL code with subquery return is in a dashboard "base search".
<dashboard>
  <label>My dashboard title</label>
  <search id="parent_search_1">
    <query>``` put your query here with your subquery return $ ```</query>
  </search>
  <row>
    <panel>
      <table>
        <title>My child visualization</title>
        <search base="parent_search_1">
          <query>``` have the rest of your query there ```</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>

Splunk 8.x.x here. Profiling settings did block my apply bundle command.
/opt/splunk/bin/splunk apply cluster-bundle
Encountered some errors while applying the bundle.
Cannot apply (or) validate configuration settings. Bundle validation is in progress.
/opt/splunk/bin/splunk show cluster-bundle
...
<bundle_validation_errors on master>
...
This command did the trick:
curl -k -u admin https://CLUSTER_MASTER_IP:8089/services/cluster/master/control/default/cancel_bundle_push -X POST
And I could edit and apply the bundle afterwards.

Following the previous answer, simply use a stats command:
index=yourindex
| rex "(?<newfield>[^\/]+)(?=\.vmx)"
| stats latest(_raw), count by newfield

Fast forward to 2019, Splunk 7, the bug is still happening.
One dashboard queries and evals action="restart_splunkd" which causes an Audit:[timestamp=XXX, user=XXX, action=restart_splunkd, info=granted][n/a] log to appear in the _audit index with an audittrail sourcetype (every time the dashboard is reloaded).