All Apps and Add-ons

TrackMe (v 1.1.16): How to change order of columns for data host availability alert?

jonqkuldeskisec
Observer

Hello,

Excellent app by the way. Is there a way to change the order of the columns for the data host availability alert?

Ideally, I would like to have the data_sourcetype column right next to the data_host field.

Would it be possible to modify the search to accommodate that?

Thanks in advance.

0 Karma

guilmxm
Influencer

Hi @jonqkuldeskisecurity!

Thank you 😉

I understand you are talking about the builtin alert named "TrackMe - Alert on data host availability" and the order of the fields in the results.

You can effectively modify the alert to suit your needs and include the fields in the order you prefer; however, take note that Splunk will automatically create a copy of the alert provided by the app code (in default/savedsearches.conf) as a local copy which will contain your customisation.

This is perfectly fine but any change in the default code will not be reflected anymore and you will have to manage it on your own.

However, in the next upcoming release, version 1.2.11, I will include a macro which defines the order of the fields.
Macros are better suited to customisation, in the sense that a customisation will impact a very specific part of the alert rather than its full definition.

Let me know if this does not make sense, and thank you for using TrackMe!

Guilhem

0 Karma
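As an added illustration of the layering Guilhem describes (not code from the thread or from TrackMe itself): the alert stays in the app's default/ files, and only a small macro is overridden in local/. The macro name `trackme_data_host_alert_fields` and every field other than `data_host` and `data_sourcetype` are assumptions for the sake of the example.

```ini
# default/macros.conf  (shipped by the app; macro name and field list are hypothetical)
[trackme_data_host_alert_fields]
definition = table data_host, data_index, data_sourcetype, data_last_time_seen
iseval = 0

# default/savedsearches.conf  (shipped by the app; search body abbreviated and hypothetical)
# The alert calls the macro instead of hard-coding its own "| table ..." clause,
# so the column order is no longer part of the alert definition.
[TrackMe - Alert on data host availability]
search = <app search producing the data host results> | `trackme_data_host_alert_fields`

# local/macros.conf  (admin customisation, never overwritten by an app upgrade)
# Overriding only the macro puts data_sourcetype next to data_host while the
# alert in default/savedsearches.conf keeps receiving the app's future fixes.
[trackme_data_host_alert_fields]
definition = table data_host, data_sourcetype, data_index, data_last_time_seen
iseval = 0
```

Editing the alert in Splunk Web instead would write the whole saved search to local/savedsearches.conf, which is the full-definition copy Guilhem warns about.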

jonqkuldeskisec
Observer

Hi, I really appreciate you getting back to me on this! I can definitely wait until the next release to have this capability. I do have a couple of follow-up questions regarding the new version, however:

  • When will the new release be out? 🙂
  • I noticed that there are now several app dependencies required for the new versions: Semicircle Donut Chart Viz, Splunk Machine Learning Toolkit, and the Python for Scientific Computing Add-on
    • The requirements for the Machine Learning Toolkit and Python add-on mention that it's 8.0; I don't see any 7.x compatibility
  • We currently have version 7.2.4.2 in the cloud; will the 1.2.11 version be compatible with our version?

Thanks in advance!

0 Karma

guilmxm
Influencer

Hi @jonqkuldeskisecurity

To reply:

  • version 1.210 will surely be published shortly, within a week from now
  • the current version is 1.2.9 and is vetted for Splunk Cloud, compatibility starts with 7.2.x
  • Dependencies besides the viz add-on are the Machine Learning Toolkit, which itself depends on the Python scientific package
  • The current releases of the ML toolkit and Python scientific package are for Splunk 8 only, but there are previous versions compatible with your stack version
  • If you request the ML toolkit deployment, Splunk Cloud services will deploy the latest versions compatible with your stack, which will be upgraded too when your stack is upgraded
  • Finally, yes, the next version will be compatible with 7.2.x; the reason there is this minimal Splunk version now is that the app uses mcollect, which requires this version of Splunk.

Guilhem

0 Karma