All Posts

index="_internal" source="*license_usage.log" type=RolloverSummary earliest=-30d@d latest=now | eval _time = _time - 43200 | bin _time span=1d | stats latest(b) AS b by slave,pool,_time | eval DailyGB=round(bytes/1024/1024/1024,2) | timechart sum(DailyGB) as "volume (GB)" span=1d
@FrankVl The above gives me aggregated values across all the clusters. How do I find out the usage per indexer cluster? I have around 7-8 clusters. Any leads would be appreciated. Thanks
Hi @KendallW, no, I just want to update the SSO HTML file of this homepage.
I have tried to prompt with my email. To execute the requested action, deny or delegate, click here https://10.250.74.118:8443/approval/14. It needs to enter the web UI and find the "certain" prompt. If I have 10000 prompts, I cannot find the event related to the email rapidly. Is it possible to use the REST API to post a prompt decision to a certain SOAR event?
Hi @richgalloway, thanks for the reply. The query looks good, but I am missing the below two fields in the results. Can you help in getting them populated?
1) | rex "status:\s+(?<Status>.*)\"}"
2) | rex "Path\:\s+(?<ResourcePath>.*)\""
That looks like it's the token setter JS from the dashboard examples. However, you have
require(['jquery', 'underscore', 'splunkjs/mvc', 'util/console'], function($, _, mvc, console) {
whereas the original is
require(['jquery', 'underscore', 'splunkjs/mvc'], function($, _, mvc) {
Have you tried removing the util/console and console declarations?
Thanks for all the replies. Looks like there are 2 approaches to explore.  The foreach approach seems to work fine. I'd like to explore the other as well. Sorry for the response delay. I had PTO and some other things to do. 
Thanks much for your reply! I'm checking with support to see if they can help set props.conf on the backend, since we are using Splunk Cloud.
Hello, I have some issues getting the Windows performance - Velocity SD Service Counters logs. I used
[perform://Velocity SD Service Counters]
counter=*
disable==0
instances=*
object=Velocity SD Service Counters
mode=multikv
showZeroValue=1
index=windows
But I am not getting events. Any recommendation will be highly appreciated!
Hi @Iris_Pi would it be feasible to specify the time zone using source stanzas in props.conf instead of sourcetype in this case? [source::] takes precedence over [<sourcetype>] in props.conf.   
Hi @Muthu_Vinith, could you please clarify the question? Do you want to on-board an SSO error file to Splunk?
Hello Pickle, thanks much for the help! I'm using the raw endpoint and I can set the host by using the host parameter now.  
This app now exists which does a better job at PDF production https://splunkbase.splunk.com/app/7171  
Hey PickleRick, I see, I was not aware that having a different sourcetype than stash would double licence usage. Thank you for making me aware of that. I see, so the only solutions available to restrict search access based on filters are to create separate apps or do data processing prior to event ingestion. I didn't want to do separate apps because of congestion, especially since they will only differ by one line in the search filter. Please correct me if I'm wrong, but I thought this would increase costs. I wasn't aware that having different sourcetypes other than stash would also incur costs (thanks). The speeding up of search was in reference to summary indexing, not a concern. I was wondering why summary indexing wouldn't work, since filtering the search for only superheroes/villains will speed up the search, which is what summary indexing is meant to help with. The main purpose was always access restrictions. Thanks,
Try this:
[hecpaloalto_in]
INGEST_EVAL = index=if(match(sourcetype, "pan:logs"), "palo_alto", "aws")
@marcoscala were you able to fix the Palo Alto Splunk app throwing JS errors?
@shawno were you able to fix the error?
FYI, converting to Dashboard Studio fixes the diagrams, but truncates the tables. yay.
Same here, for as long as I can remember (don't ask me the versions) -- but still currently an issue with 9.2.2. Funny thing is, I have about 9 graphs, and three work OK. Tried all kinds of tactics like: putting the graphs on its own line, putting all together, changing the order, trying landscape vs. letter, changing the paper type, "plain text", "HTML & plain text"....
Hello, is there a way to add 3rd party Python modules to the add-on builder? I am trying to create a Python script in the add-on builder, but it looks like I need to use a module that is not included in the add-on builder. Thanks for any help on this. Tom