All Posts


I'm not sure I get the question right. Are you asking how to externalize config from the code in a React application? I'm not a React developer but there are several easily googleable links on that topic. For example https://stackoverflow.com/questions/30568796/how-to-store-configuration-file-and-read-it-using-react

Hey @PickleRick Apologies, I don't think I have fully understood what you are trying to imply here. My objective is to calculate duration between 2 sets of events but one of those 2 events can happen multiple times. It is like sending a request to an API and then validating the response. If the response is not what was expected then send the same request again and keep sending until you get the expected response. So my objective is to calculate the time when the 1st request was sent and when the last expected response was received.

2024-08-16 13:43:34,232|catalina-exec-192|INFO|LoggingClientHttpRequestInterceptor|Sending GET request to https://myapi.com/test
2024-08-16 13:43:50,232|catalina-exec-192|INFO|LoggingClientHttpRequestInterceptor|Sending GET request to https://myapi.com/test
2024-08-16 13:44:14,232|catalina-exec-192|INFO|LoggingClientHttpRequestInterceptor|Sending GET request to https://myapi.com/test
2024-08-16 13:43:44,232|catalina-exec-192|INFO|LoggingClientHttpRequestInterceptor|Sending GET request to https://myapi.com/test
2024-08-16 13:43:57,510|catalina-exec-192|INFO|LoggingClientHttpRequestInterceptor|Response Received in 114 milliseconds "200 OK" response for GET request to https://myapi.com/test: "status":"MatchCompleted"

Please find the set of events again here.

Your "working" role might have fewer capabilities but can have access to some objects (especially the dashboard itself) that the "non-working" role does not. Check the _audit log for denied access to objects for the non-working user.

Since you're aggregating a relatively long-spanned set of events into a single data point you have to make a conscious decision which point in time to assume as the timestamp for the result. You can easily assign a value to the _time field just by doing

| eval _time=something

But you have to decide which timestamp to use. Is it the start time for your transaction? Is it the end time? Maybe it's the middle of the transaction... It's up to you to make that decision. Anyway, when dealing with _time in stats, there's not much point in using latest() and earliest(). min() and max() suffice.

Hi all, I'm trying to use this app by Baboon - Monitoring of Java Virtual Machines with JMX. I get an error when I click on data inputs: Oops. Page not found! Click here to return to Splunk homepage. Would I need to activate the app first?

You can't timechart by more than 2 dimensions and _time is one of those; try combining Env and Tenant:

index=_introspection sourcetype=splunk_resource_usage component=Hostwide
| eval total_cpu_usage=('data.cpu_system_pct' + 'data.cpu_user_pct')
| eval EnvTenant=Env.":".Tenant
| timechart Perc90(total_cpu_usage) AS cpu_usage span=12h useother=f by EnvTenant


@renjith_nair Thanks for the response but I don't think your solution is fully working. I tried it like below but then _time will not be available for me to plot the graph. I need to plot that duration on a graph. Is there a way to do that?

| stats earliest(_time) as starttime, latest(_time) as endtime by uniqueId
| eval duration=endtime-starttime
| timechart span=15m p95(duration) as p95Responsetime

Hi, For a few days now, my Splunk Dashboard shortcut has been displaying an error when I connect with the administrator account. But when I use another account with less privilege via LDAP authentication, I don't get this error, the page displays fine. Do you have any idea what the problem is? Thanks for your help.
Thank you so much PickleRick. It works well for me. I was able to isolate 3 consecutive results. I appreciate it.
For OAuth 2.0 authentication in Splunk_TA_snow, under ServiceNow account configuration you type in Client Id and Client Secret. Once you click on the save/Update button, if the connection is successful, a pop-up window opens where you have to log in with a proper user and password. Mind that the browser doesn't take your personal credentials, but you log in with a user that was predefined in ServiceNow.
Yes. That's so... and that was a really bad idea for App order UI in WebGUI 🤦‍ 🤦‍ 🤦‍ Previously the drag option with jQuery was perfect... I really do not know why they changed this section so drastically. Editing "user-prefs.conf" needs a daemon restart. Annoying.

Hi Splunker, I’ve been developing a React app for Splunk that manages users via the REST API (create/update/delete). Initially, I hardcoded the REST API URL, username, and password for development purposes. Now that the development is nearly complete, I need to make the URL dynamic. It should retrieve the REST API server URL and the currently logged-in user’s information and use it in the Splunk React app. How can I achieve this? Here is the current hardcoded code:

import axios from 'axios';

// Development version: the REST URL and admin credentials are hardcoded.
const fetchAllUsers = async () => {
  try {
    const response = await axios.get('https://mymachine:8089/services/authentication/users', {
      auth: { username: 'admin', password: 'admin123' },
      headers: { 'Content-Type': 'application/xml' }
    });
  } catch (error) {
    console.error('Error fetching users:', error);
  }
};

#restapi #createuser #react #reactapp thanks in advance

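One way to drop the hardcoded host and admin password from the request in the post above, as an added example that is not part of the original post or Splunk's own code: when the app runs inside Splunk Web, call splunkd through the same-origin proxy so the browser's existing session authenticates the request. It assumes the page exposes Splunk Web's `window.$C` config (`SPLUNKD_PATH`, `USERNAME`, `MRSPARKLE_PORT_NUMBER`) and the `splunkweb_csrf_token_<port>` cookie; `buildSplunkdRequest`, `SAMPLE_CONFIG` and `SAMPLE_COOKIES` are hypothetical names with constructed values.

```javascript
// Constructed sample values standing in for window.$C and document.cookie.
const SAMPLE_CONFIG = {
  SPLUNKD_PATH: '/en-US/splunkd/__raw', // same-origin proxy to the management port
  USERNAME: 'analyst1',                 // currently logged-in Splunk Web user
  MRSPARKLE_PORT_NUMBER: 8000,
};
const SAMPLE_COOKIES = 'session_id_8000=abc; splunkweb_csrf_token_8000=1234567890';

// Return the value of one cookie from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  const hit = String(cookieString || '')
    .split(';')
    .map((part) => part.trim())
    .find((part) => part.startsWith(`${name}=`));
  return hit ? decodeURIComponent(hit.slice(name.length + 1)) : null;
}

// Build a fetch() target and options for a splunkd endpoint without any
// embedded host, username or password. Authentication comes from the
// browser's Splunk Web session cookie; splunkd enforces the user's role.
function buildSplunkdRequest(pageConfig, cookieString, endpoint, method = 'GET') {
  if (!pageConfig || !pageConfig.SPLUNKD_PATH) {
    throw new Error('Splunk Web page config not available');
  }
  // Accept only relative REST paths, so the session is never sent to another
  // origin and the path cannot climb out of the proxy prefix.
  if (!/^[A-Za-z0-9_\-\/.%]+$/.test(endpoint) ||
      endpoint.includes('..') || endpoint.includes('//')) {
    throw new Error(`Refusing endpoint: ${endpoint}`);
  }
  const path = endpoint.replace(/^\/+/, '');
  const headers = { 'X-Requested-With': 'XMLHttpRequest' };
  if (method !== 'GET') {
    // State-changing calls (create/update/delete user) need the CSRF token.
    const token = readCookie(
      cookieString, `splunkweb_csrf_token_${pageConfig.MRSPARKLE_PORT_NUMBER}`);
    if (!token) throw new Error('CSRF token cookie not found');
    headers['X-Splunk-Form-Key'] = token;
  }
  return {
    url: `${pageConfig.SPLUNKD_PATH}/${path}?output_mode=json`,
    init: { method, headers, credentials: 'same-origin' },
    currentUser: pageConfig.USERNAME,
  };
}

// Replacement for the hardcoded call: list user names as the logged-in user.
async function fetchAllUsers(pageConfig = window.$C, cookieString = document.cookie) {
  const { url, init } = buildSplunkdRequest(
    pageConfig, cookieString, 'services/authentication/users');
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`splunkd returned ${res.status}`);
  const body = await res.json();
  return body.entry.map((e) => e.name);
}
```

Because the request runs as the logged-in user, creating or deleting users only succeeds for roles that hold the corresponding capabilities, which is the access control the hardcoded admin account bypassed.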
Perfect, worked for me thanks!!

I use the linked list input type to control sets of panels, something like this

<input id="inventory_type" type="link" token="tok_category" searchWhenChanged="true">
  <choice value="host">Host</choice>
  <choice value="user">User</choice>
  <initialValue>host</initialValue>
  <change>
    <condition value="host">
      <set token="by_host"></set>
      <unset token="by_user"></unset>
    </condition>
    <condition value="user">
      <set token="by_user"></set>
      <unset token="by_host"></unset>
    </condition>
  </change>
</input>

You can then have <row depends="$by_host$"> and <row depends="$by_user$"> to control which rows are shown. If you want to have inline CSS to then tweak the buttons you can do it in the dashboard. See this app which has an example of how to customise the XML and tabs. https://splunkbase.splunk.com/app/5256 You can then get this type of display


OK, so you've got two tokens going on here. The default 'All' (*) is selected. When you select one from the list, the intention is that the All (*) should disappear otherwise the selected options are *,1 (or whatever 1 is in your case). So, my condition resets the form. token so that it removes * from the options. What token are you actually using in the search? Are you using app_fm_entity_id or app_net_fm_entity_id? If you need a second token which also has the word "_all" when * is selected, then your problem is that you are using <eval> to set that token, when you just need to use <set>. I use an html panel sometimes to debug tokens - multiselect behaviour is a little unintuitive and technically the documentation says that <change> is not supported for multiselect, but it does work, it's just odd...

<panel>
  <input id="app_nodes_multiselect" type="multiselect" token="app_fm_entity_id" searchWhenChanged="true">
    <label>Nodes</label>
    <delimiter> </delimiter>
    <fieldForLabel>entity_name</fieldForLabel>
    <fieldForValue>internal_entity_id</fieldForValue>
    <search>
      <query>
        | makeresults count=5
        | streamstats c
        | eval entity_name="name:".c, internal_entity_id=c
        | table entity_name, internal_entity_id
        | sort entity_name
      </query>
    </search>
    <choice value="*">All</choice>
    <default>*</default>
    <change>
      <condition match="$form.app_fm_entity_id$=&quot;*&quot;">
        <set token="app_net_fm_entity_id">_all</set>
        <set token="condition">1</set>
      </condition>
      <condition>
        <set token="condition">2</set>
        <eval token="form.app_fm_entity_id">case(mvcount($form.app_fm_entity_id$)="2" AND mvindex($form.app_fm_entity_id$,0)="*", mvindex($form.app_fm_entity_id$,1), mvfind($form.app_fm_entity_id$,"^\\*$$")=mvcount($form.app_fm_entity_id$)-1, "_all", true(), $form.app_fm_entity_id$)</eval>
        <set token="app_net_fm_entity_id">$app_fm_entity_id$</set>
      </condition>
    </change>
  </input>
  <html>
    app_fm_entity_id::$app_fm_entity_id$<p/>
    form.app_fm_entity_id::$form.app_fm_entity_id$<p/>
    app_fm_entity_id::$app_fm_entity_id$<p/>
    app_net_fm_entity_id::$app_net_fm_entity_id$<p/>
    condition::$condition$
  </html>
</panel>

Hi @dinesh001kumar, In Simple XML and without resorting to custom HTML, CSS, and JavaScript in separate files, you can use a visualization to draw circles and drilldowns to control the visibility of rows or panels. Here's an (ugly) example using six rows of five single value panels controlled by a separate table panel: <dashboard version="1.1" theme="light"> <label>pagination</label> <init> <set token="show_page_1_tok">1</set> <set token="page_1_tok">⬤</set> <unset token="show_page_2_tok"></unset> <set token="page_2_tok">◯</set> <unset token="show_page_3_tok"></unset> <set token="page_3_tok">◯</set> <unset token="show_page_4_tok"></unset> <set token="page_4_tok">◯</set> <unset token="show_page_5_tok"></unset> <set token="page_5_tok">◯</set> <unset token="show_page_6_tok"></unset> <set token="page_6_tok">◯</set> </init> <row depends="$show_page_1_tok$" rejects="$show_page_2_tok$,$show_page_3_tok$,$show_page_4_tok$,$show_page_5_tok$,$show_page_6_tok$"> <panel> <single> <search> <query>| stats count | eval count=1</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=1</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=1</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=1</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=1</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> </row> <row depends="$show_page_2_tok$" 
rejects="$show_page_1_tok$,$show_page_3_tok$,$show_page_4_tok$,$show_page_5_tok$,$show_page_6_tok$"> <panel> <single> <search> <query>| stats count | eval count=2</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=2</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=2</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=2</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=2</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> </row> <row depends="$show_page_3_tok$" rejects="$show_page_1_tok$,$show_page_2_tok$,$show_page_4_tok$,$show_page_5_tok$,$show_page_6_tok$"> <panel> <single> <search> <query>| stats count | eval count=3</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=3</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=3</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=3</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=3</query> 
<earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> </row> <row depends="$show_page_4_tok$" rejects="$show_page_1_tok$,$show_page_2_tok$,$show_page_3_tok$,$show_page_5_tok$,$show_page_6_tok$"> <panel> <single> <search> <query>| stats count | eval count=4</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=4</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=4</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=4</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=4</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> </row> <row depends="$show_page_5_tok$" rejects="$show_page_1_tok$,$show_page_2_tok$,$show_page_3_tok$,$show_page_4_tok$,$show_page_6_tok$"> <panel> <single> <search> <query>| stats count | eval count=5</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=5</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=5</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=5</query> <earliest>-24h@h</earliest> 
<latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=5</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> </row> <row depends="$show_page_6_tok$" rejects="$show_page_1_tok$,$show_page_2_tok$,$show_page_3_tok$,$show_page_4_tok$,$show_page_5_tok$"> <panel> <single> <search> <query>| stats count | eval count=6</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=6</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=6</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=6</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=6</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> </row> <row> <panel> <html> <style> #page_table thead { visibility: collapse !important; } </style> </html> <table id="page_table"> <search> <query>| makeresults | fields - _time | eval "Page 1"="$page_1_tok$", "Page 2"="$page_2_tok$", "Page 3"="$page_3_tok$", "Page 4"="$page_4_tok$", "Page 5"="$page_5_tok$", "Page 6"="$page_6_tok$"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="wrap">false</option> <drilldown> <condition field="Page 1"> <set token="show_page_1_tok">1</set> <set token="page_1_tok">⬤</set> <unset token="show_page_2_tok"></unset> <set 
token="page_2_tok">◯</set> <unset token="show_page_3_tok"></unset> <set token="page_3_tok">◯</set> <unset token="show_page_4_tok"></unset> <set token="page_4_tok">◯</set> <unset token="show_page_5_tok"></unset> <set token="page_5_tok">◯</set> <unset token="show_page_6_tok"></unset> <set token="page_6_tok">◯</set> </condition> <condition field="Page 2"> <unset token="show_page_1_tok"></unset> <set token="page_1_tok">◯</set> <set token="show_page_2_tok">1</set> <set token="page_2_tok">⬤</set> <unset token="show_page_3_tok"></unset> <set token="page_3_tok">◯</set> <unset token="show_page_4_tok"></unset> <set token="page_4_tok">◯</set> <unset token="show_page_5_tok"></unset> <set token="page_5_tok">◯</set> <unset token="show_page_6_tok"></unset> <set token="page_6_tok">◯</set> </condition> <condition field="Page 3"> <unset token="show_page_1_tok"></unset> <set token="page_1_tok">◯</set> <unset token="show_page_2_tok"></unset> <set token="page_2_tok">◯</set> <set token="show_page_3_tok">1</set> <set token="page_3_tok">⬤</set> <unset token="show_page_4_tok"></unset> <set token="page_4_tok">◯</set> <unset token="show_page_5_tok"></unset> <set token="page_5_tok">◯</set> <unset token="show_page_6_tok"></unset> <set token="page_6_tok">◯</set> </condition> <condition field="Page 4"> <unset token="show_page_1_tok"></unset> <set token="page_1_tok">◯</set> <unset token="show_page_2_tok"></unset> <set token="page_2_tok">◯</set> <unset token="show_page_3_tok"></unset> <set token="page_3_tok">◯</set> <set token="show_page_4_tok">1</set> <set token="page_4_tok">⬤</set> <unset token="show_page_5_tok"></unset> <set token="page_5_tok">◯</set> <unset token="show_page_6_tok"></unset> <set token="page_6_tok">◯</set> </condition> <condition field="Page 5"> <unset token="show_page_1_tok"></unset> <set token="page_1_tok">◯</set> <unset token="show_page_2_tok"></unset> <set token="page_2_tok">◯</set> <unset token="show_page_3_tok"></unset> <set token="page_3_tok">◯</set> <unset 
token="show_page_4_tok"></unset> <set token="page_4_tok">◯</set> <set token="show_page_5_tok">1</set> <set token="page_5_tok">⬤</set> <unset token="show_page_6_tok"></unset> <set token="page_6_tok">◯</set> </condition> <condition field="Page 6"> <unset token="show_page_1_tok"></unset> <set token="page_1_tok">◯</set> <unset token="show_page_2_tok"></unset> <set token="page_2_tok">◯</set> <unset token="show_page_3_tok"></unset> <set token="page_3_tok">◯</set> <unset token="show_page_4_tok"></unset> <set token="page_4_tok">◯</set> <unset token="show_page_5_tok"></unset> <set token="page_5_tok">◯</set> <set token="show_page_6_tok">1</set> <set token="page_6_tok">⬤</set> </condition> </drilldown> </table> </panel> </row> </dashboard>  

WoW!! Your example got me super close to the finish line!!! The only issue left is that when I have "All" selected with other options and then unselect other options so that only the "All" option remains, then the "app_net_fm_entity_id" token gets unset, instead of having the value of "_all"

<input id="app_nodes_multiselect" type="multiselect" depends="$app_fm_app_id$" token="app_fm_entity_id" searchWhenChanged="true">
  <label>Nodes</label>
  <delimiter> </delimiter>
  <fieldForLabel>entity_name</fieldForLabel>
  <fieldForValue>internal_entity_id</fieldForValue>
  <search>
    <query>
      | inputlookup aix_kv_apm_comps WHERE entity_type!=$app_fm_group_nodes$
      | search [| makeresults | eval search="internal_parent_id=(".mvjoin($app_fm_app_id$, " OR internal_parent_id=").")" | return $search]
      | table entity_name, internal_entity_id
      | sort entity_name
    </query>
  </search>
  <choice value="*">All</choice>
  <default>*</default>
  <change>
    <condition match="$form.app_fm_entity_id$=&quot;*&quot;">
      <eval token="app_net_fm_entity_id">_all</eval>
    </condition>
    <condition>
      <eval token="app_net_fm_entity_id">case(mvcount($form.app_fm_entity_id$)="2" AND mvindex($form.app_fm_entity_id$,0)="*", mvindex($form.app_fm_entity_id$,1), mvfind($form.app_fm_entity_id$,"^\\*$$")=mvcount($form.app_fm_entity_id$)-1, "_all", true(), $form.app_fm_entity_id$)</eval>
    </condition>
  </change>
</input>

Thank you so much for your help!!! I apologize that I wasn't completely clear in my requirement. I need the "app_net_fm_entity_id" token set to "_all" IF the "app_fm_entity_id" (aka selectedvalues) has only the "*" value selected. A different way to say that is, I need the "app_net_fm_entity_id" token set to "_not_star_but_other" IF the "app_fm_entity_id" (aka selectedvalues) has only the "*" value selected.  

@ITWhisperer Yes, env and tenant are already extracted, yes, we need stat broken by env and tenant as well as time

{"datetime":"08-19-2024 10:40:30.196 +1000","log_level":"INFO","component":"Hostwide","data":{"cpu_arch":"x86_64","os_name":"Linux","os_name_ext":"Linux","os_build":"#1 ABC Thu Apr 4 03:33:23 EDT 2024","os_version":"3.10.0-1160.118","instance_guid":"ABCDEFGH","splunk_version":"9.2.1","mem":"382641.051","mem_used":"41983.578","swap":"511.996","swap_used":"511.996","pg_paged_out":"50842005897","pg_swapped_out":"164124","forks":"00000600","cpu_count":"24","virtual_cpu_count":"48","runnable_process_count":"19","normalized_load_avg_1min":"1.14","cpu_user_pct":"45.35","cpu_system_pct":"10.68","cpu_idle_pct":"43.98"}}