All Posts

Hi all, I'm trying to use this app by Baboon - Monitoring of Java Virtual Machines with JMX. I get some error when I click on data inputs: Oops. Page not found! Click here to return to Splunk homepage. Would I need to activate the app first?
You can't timechart by more than 2 dimensions and _time is one of those, try combining Env and Tenant
    index=_introspection sourcetype=splunk_resource_usage component=Hostwide
    | eval total_cpu_usage=('data.cpu_system_pct' + 'data.cpu_user_pct')
    | eval EnvTenant=Env.":".Tenant
    | timechart Perc90(total_cpu_usage) AS cpu_usage span=12h useother=f by EnvTenant
@renjith_nair Thanks for the response but I don't think your solution is fully working. I tried it like below but then _time will not be available for me to plot the graph. I need to plot that duration on a graph. Is there a way to do that?
    | stats earliest(_time) as starttime,latest(_time) as endtime by uniqueId
    | eval duration=endtime-starttime
    | timechart span=15m p95(duration) as p95Responsetime
Hi, For a few days now, my Splunk Dashboard shortcut has been displaying an error when I connect with the administrator account. But when I use another account with less privilege via LDAP authentication, I don't get this error, the page displays fine. Do you have any idea what the problem is? Thanks for your help.
Thank you so much PickleRick. It works well for me. I was able to isolate 3 consecutive results. I appreciate it.
For OAuth 2.0 authentication in Splunk_TA_snow, under ServiceNow account configuration you type in Client Id and Client Secret. Once you click on the save/Update button, if the connection is successful, a pop-up window opens where you have to log in with a proper user and password. Mind that the browser doesn't take your personal credentials, but you log in with a user that was predefined in ServiceNow.
Yes. That's so... and that was a really bad idea for App order UI in WebGUI 🤦 🤦 🤦 Previously the drag option with jQuery was perfect... I really do not know why they changed this section so drastically. Editing "user-prefs.conf" needs a daemon restart. Annoying.
Hi Splunker, I’ve been developing a React app for Splunk that manages users via the REST API (create/update/delete). Initially, I hardcoded the REST API URL, username, and password for development purposes. Now that the development is nearly complete, I need to make the URL dynamic. It should retrieve the REST API server URL and the currently logged-in user’s information and use it in the Splunk React app. How can I achieve this? Here is the current hardcoded code:
    const fetchAllUsers = async () => {
      try {
        const response = await axios.get('https://mymachine:8089/services/authentication/users', {
          auth: { username: 'admin', password: 'admin123' },
          headers: { 'Content-Type': 'application/xml' }
        });
      } catch (error) {
        console.error('Error fetching users:', error);
      }
    };
#restapi #createuser #react #reactapp thanks in advance
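Added example, not part of the post above and not Splunk's own code: one way to drop the hardcoded URL and admin password from client-side JavaScript by sending requests through the Splunk Web session of whoever is logged in. It assumes the React app is served by Splunk Web, that splunkd is proxied under `/<locale>/splunkd/__raw/`, and that write requests carry the `splunkweb_csrf_token_<port>` cookie value in `X-Splunk-Form-Key`; all function names and sample values are constructed for illustration.

```javascript
// Added example: call splunkd through Splunk Web's session, with no
// credentials in the bundle. Function names and sample values are constructed.

const SAMPLE_PATH = '/en-US/app/user_admin/users';                        // constructed
const SAMPLE_COOKIE = 'theme=dark; splunkweb_csrf_token_8000=1234567890'; // constructed

// Splunk Web paths look like [/<root_endpoint>]/<locale>/app/<app>/<view>.
function splunkWebPrefix(pathname) {
  const m = /^(.*?)\/([a-z]{2}(?:[-_][A-Za-z]{2})?)\/(?:app|manager|splunkd)\//.exec(pathname);
  if (!m) throw new Error(`not a Splunk Web path: ${pathname}`);
  return { root: m[1], locale: m[2] };
}

// Same-origin URL for a splunkd endpoint, proxied by Splunk Web (assumption:
// the default /splunkd/__raw/ proxy is enabled). No host, port or password.
function splunkdProxyUrl(pathname, endpoint, params = {}) {
  const { root, locale } = splunkWebPrefix(pathname);
  const qs = new URLSearchParams({ output_mode: 'json', ...params }).toString();
  return `${root}/${locale}/splunkd/__raw/${endpoint.replace(/^\/+/, '')}?${qs}`;
}

// CSRF token that Splunk Web stores in the splunkweb_csrf_token_<port> cookie.
function csrfToken(cookieHeader) {
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (/^splunkweb_csrf_token_\d+$/.test(part.slice(0, eq).trim())) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// fetch() options: the session cookie authenticates the logged-in user, so
// splunkd applies that user's capabilities instead of a shared admin account.
function requestInit(method, cookieHeader, form) {
  const headers = { 'X-Requested-With': 'XMLHttpRequest' };
  const isWrite = !['GET', 'HEAD'].includes(method.toUpperCase());
  if (isWrite) {
    const token = csrfToken(cookieHeader);
    if (!token) throw new Error('no Splunk Web CSRF token; not sending write request');
    headers['X-Splunk-Form-Key'] = token;
    headers['Content-Type'] = 'application/x-www-form-urlencoded';
  }
  const body = isWrite ? new URLSearchParams(form || {}).toString() : undefined;
  return { method, credentials: 'same-origin', headers, body };
}

// Browser-only wrappers (they use window, document and fetch).
async function splunkd(method, endpoint, params, form) {
  const url = splunkdProxyUrl(window.location.pathname, endpoint, params);
  const res = await fetch(url, requestInit(method, document.cookie, form));
  if (!res.ok) throw new Error(`${method} ${endpoint} failed: HTTP ${res.status}`);
  return res.json();
}

// Assumption: JSON responses list results under `entry`, and the
// current-context entry exposes the user name as content.username.
const fetchAllUsers = async () =>
  (await splunkd('GET', 'services/authentication/users', { count: 0 })).entry.map((e) => e.name);

const fetchCurrentUser = async () =>
  (await splunkd('GET', 'services/authentication/current-context')).entry[0].content.username;
```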
Perfect, worked for me thanks!!
I use the linked list input type to control sets of panels, something like this
    <input id="inventory_type" type="link" token="tok_category" searchWhenChanged="true">
      <choice value="host">Host</choice>
      <choice value="user">User</choice>
      <initialValue>host</initialValue>
      <change>
        <condition value="host">
          <set token="by_host"></set>
          <unset token="by_user"></unset>
        </condition>
        <condition value="user">
          <set token="by_user"></set>
          <unset token="by_host"></unset>
        </condition>
      </change>
    </input>
You can then have <row depends="$by_host$"> and <row depends="$by_user$"> to control which rows are shown. If you want to have inline CSS to then tweak the buttons you can do it in the dashboard. See this app which has an example of how to customise the XML and tabs. https://splunkbase.splunk.com/app/5256 You can then get this type of display
OK, so you've got two tokens going on here. The default 'All' (*) is selected. When you select one from the list, the intention is that the All (*) should disappear otherwise the selected options are *,1 (or whatever 1 is in your case). So, my condition resets the form. token so that it removes * from the options. What token are you actually using in the search? Are you using app_fm_entity_id or app_net_fm_entity_id? If you need a second token which also has the word "_all" when * is selected, then your problem is that you are using <eval> to set that token, when you just need to use <set>. I use an html panel sometimes to debug tokens - multiselect behaviour is a little unintuitive and technically the documentation says that <change> is not supported for multiselect, but it does work, it's just odd...
    <panel>
      <input id="app_nodes_multiselect" type="multiselect" token="app_fm_entity_id" searchWhenChanged="true">
        <label>Nodes</label>
        <delimiter> </delimiter>
        <fieldForLabel>entity_name</fieldForLabel>
        <fieldForValue>internal_entity_id</fieldForValue>
        <search>
          <query>
            | makeresults count=5
            | streamstats c
            | eval entity_name="name:".c, internal_entity_id=c
            | table entity_name, internal_entity_id
            | sort entity_name
          </query>
        </search>
        <choice value="*">All</choice>
        <default>*</default>
        <change>
          <condition match="$form.app_fm_entity_id$=&quot;*&quot;">
            <set token="app_net_fm_entity_id">_all</set>
            <set token="condition">1</set>
          </condition>
          <condition>
            <set token="condition">2</set>
            <eval token="form.app_fm_entity_id">case(mvcount($form.app_fm_entity_id$)="2" AND mvindex($form.app_fm_entity_id$,0)="*", mvindex($form.app_fm_entity_id$,1), mvfind($form.app_fm_entity_id$,"^\\*$$")=mvcount($form.app_fm_entity_id$)-1, "_all", true(), $form.app_fm_entity_id$)</eval>
            <set token="app_net_fm_entity_id">$app_fm_entity_id$</set>
          </condition>
        </change>
      </input>
      <html>
        app_fm_entity_id::$app_fm_entity_id$<p/>
        form.app_fm_entity_id::$form.app_fm_entity_id$<p/>
        app_fm_entity_id::$app_fm_entity_id$<p/>
        app_net_fm_entity_id::$app_net_fm_entity_id$<p/>
        condition::$condition$
      </html>
    </panel>
Hi @dinesh001kumar, In Simple XML and without resorting to custom HTML, CSS, and JavaScript in separate files, you can use a visualization to draw circles and drilldowns to control the visibility of rows or panels. Here's an (ugly) example using six rows of five single value panels controlled by a separate table panel: <dashboard version="1.1" theme="light"> <label>pagination</label> <init> <set token="show_page_1_tok">1</set> <set token="page_1_tok">⬤</set> <unset token="show_page_2_tok"></unset> <set token="page_2_tok">◯</set> <unset token="show_page_3_tok"></unset> <set token="page_3_tok">◯</set> <unset token="show_page_4_tok"></unset> <set token="page_4_tok">◯</set> <unset token="show_page_5_tok"></unset> <set token="page_5_tok">◯</set> <unset token="show_page_6_tok"></unset> <set token="page_6_tok">◯</set> </init> <row depends="$show_page_1_tok$" rejects="$show_page_2_tok$,$show_page_3_tok$,$show_page_4_tok$,$show_page_5_tok$,$show_page_6_tok$"> <panel> <single> <search> <query>| stats count | eval count=1</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=1</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=1</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=1</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=1</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> </row> <row depends="$show_page_2_tok$" 
rejects="$show_page_1_tok$,$show_page_3_tok$,$show_page_4_tok$,$show_page_5_tok$,$show_page_6_tok$"> <panel> <single> <search> <query>| stats count | eval count=2</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=2</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=2</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=2</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=2</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> </row> <row depends="$show_page_3_tok$" rejects="$show_page_1_tok$,$show_page_2_tok$,$show_page_4_tok$,$show_page_5_tok$,$show_page_6_tok$"> <panel> <single> <search> <query>| stats count | eval count=3</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=3</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=3</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=3</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=3</query> 
<earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> </row> <row depends="$show_page_4_tok$" rejects="$show_page_1_tok$,$show_page_2_tok$,$show_page_3_tok$,$show_page_5_tok$,$show_page_6_tok$"> <panel> <single> <search> <query>| stats count | eval count=4</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=4</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=4</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=4</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=4</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> </row> <row depends="$show_page_5_tok$" rejects="$show_page_1_tok$,$show_page_2_tok$,$show_page_3_tok$,$show_page_4_tok$,$show_page_6_tok$"> <panel> <single> <search> <query>| stats count | eval count=5</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=5</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=5</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=5</query> <earliest>-24h@h</earliest> 
<latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=5</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> </row> <row depends="$show_page_6_tok$" rejects="$show_page_1_tok$,$show_page_2_tok$,$show_page_3_tok$,$show_page_4_tok$,$show_page_5_tok$"> <panel> <single> <search> <query>| stats count | eval count=6</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=6</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=6</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=6</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> <panel> <single> <search> <query>| stats count | eval count=6</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </single> </panel> </row> <row> <panel> <html> <style> #page_table thead { visibility: collapse !important; } </style> </html> <table id="page_table"> <search> <query>| makeresults | fields - _time | eval "Page 1"="$page_1_tok$", "Page 2"="$page_2_tok$", "Page 3"="$page_3_tok$", "Page 4"="$page_4_tok$", "Page 5"="$page_5_tok$", "Page 6"="$page_6_tok$"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="wrap">false</option> <drilldown> <condition field="Page 1"> <set token="show_page_1_tok">1</set> <set token="page_1_tok">⬤</set> <unset token="show_page_2_tok"></unset> <set 
token="page_2_tok">◯</set> <unset token="show_page_3_tok"></unset> <set token="page_3_tok">◯</set> <unset token="show_page_4_tok"></unset> <set token="page_4_tok">◯</set> <unset token="show_page_5_tok"></unset> <set token="page_5_tok">◯</set> <unset token="show_page_6_tok"></unset> <set token="page_6_tok">◯</set> </condition> <condition field="Page 2"> <unset token="show_page_1_tok"></unset> <set token="page_1_tok">◯</set> <set token="show_page_2_tok">1</set> <set token="page_2_tok">⬤</set> <unset token="show_page_3_tok"></unset> <set token="page_3_tok">◯</set> <unset token="show_page_4_tok"></unset> <set token="page_4_tok">◯</set> <unset token="show_page_5_tok"></unset> <set token="page_5_tok">◯</set> <unset token="show_page_6_tok"></unset> <set token="page_6_tok">◯</set> </condition> <condition field="Page 3"> <unset token="show_page_1_tok"></unset> <set token="page_1_tok">◯</set> <unset token="show_page_2_tok"></unset> <set token="page_2_tok">◯</set> <set token="show_page_3_tok">1</set> <set token="page_3_tok">⬤</set> <unset token="show_page_4_tok"></unset> <set token="page_4_tok">◯</set> <unset token="show_page_5_tok"></unset> <set token="page_5_tok">◯</set> <unset token="show_page_6_tok"></unset> <set token="page_6_tok">◯</set> </condition> <condition field="Page 4"> <unset token="show_page_1_tok"></unset> <set token="page_1_tok">◯</set> <unset token="show_page_2_tok"></unset> <set token="page_2_tok">◯</set> <unset token="show_page_3_tok"></unset> <set token="page_3_tok">◯</set> <set token="show_page_4_tok">1</set> <set token="page_4_tok">⬤</set> <unset token="show_page_5_tok"></unset> <set token="page_5_tok">◯</set> <unset token="show_page_6_tok"></unset> <set token="page_6_tok">◯</set> </condition> <condition field="Page 5"> <unset token="show_page_1_tok"></unset> <set token="page_1_tok">◯</set> <unset token="show_page_2_tok"></unset> <set token="page_2_tok">◯</set> <unset token="show_page_3_tok"></unset> <set token="page_3_tok">◯</set> <unset 
token="show_page_4_tok"></unset> <set token="page_4_tok">◯</set> <set token="show_page_5_tok">1</set> <set token="page_5_tok">⬤</set> <unset token="show_page_6_tok"></unset> <set token="page_6_tok">◯</set> </condition> <condition field="Page 6"> <unset token="show_page_1_tok"></unset> <set token="page_1_tok">◯</set> <unset token="show_page_2_tok"></unset> <set token="page_2_tok">◯</set> <unset token="show_page_3_tok"></unset> <set token="page_3_tok">◯</set> <unset token="show_page_4_tok"></unset> <set token="page_4_tok">◯</set> <unset token="show_page_5_tok"></unset> <set token="page_5_tok">◯</set> <set token="show_page_6_tok">1</set> <set token="page_6_tok">⬤</set> </condition> </drilldown> </table> </panel> </row> </dashboard>  
WoW!! Your example got me super close to the finish line!!! The only issue left is that when I have "All" selected with other options and then unselect other options so that only the "All" option remains, then the "app_net_fm_entity_id" token gets unset, instead of having the value of "_all"
    <input id="app_nodes_multiselect" type="multiselect" depends="$app_fm_app_id$" token="app_fm_entity_id" searchWhenChanged="true">
      <label>Nodes</label>
      <delimiter> </delimiter>
      <fieldForLabel>entity_name</fieldForLabel>
      <fieldForValue>internal_entity_id</fieldForValue>
      <search>
        <query>
          | inputlookup aix_kv_apm_comps WHERE entity_type!=$app_fm_group_nodes$
          | search [| makeresults | eval search="internal_parent_id=(".mvjoin($app_fm_app_id$, " OR internal_parent_id=").")" | return $search]
          | table entity_name, internal_entity_id
          | sort entity_name
        </query>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
      <change>
        <condition match="$form.app_fm_entity_id$=&quot;*&quot;">
          <eval token="app_net_fm_entity_id">_all</eval>
        </condition>
        <condition>
          <eval token="app_net_fm_entity_id">case(mvcount($form.app_fm_entity_id$)="2" AND mvindex($form.app_fm_entity_id$,0)="*", mvindex($form.app_fm_entity_id$,1), mvfind($form.app_fm_entity_id$,"^\\*$$")=mvcount($form.app_fm_entity_id$)-1, "_all", true(), $form.app_fm_entity_id$)</eval>
        </condition>
      </change>
    </input>
Thank you so much for your help!!! I apologize that I wasn't completely clear in my requirement. I need the "app_net_fm_entity_id" token set to "_all" IF the "app_fm_entity_id" (aka selectedvalues) has only the "*" value selected. A different way to say that is, I need the "app_net_fm_entity_id" token set to "_not_star_but_other" IF the "app_fm_entity_id" (aka selectedvalues) has only the "*" value selected.  
@ITWhisperer Yes, env and tenant are already extracted, yes, we need stat broken by env and tenant as well as time
    {"datetime":"08-19-2024 10:40:30.196 +1000","log_level":"INFO","component":"Hostwide","data":{"cpu_arch":"x86_64","os_name":"Linux","os_name_ext":"Linux","os_build":"#1 ABC Thu Apr 4 03:33:23 EDT 2024","os_version":"3.10.0-1160.118","instance_guid":"ABCDEFGH","splunk_version":"9.2.1","mem":"382641.051","mem_used":"41983.578","swap":"511.996","swap_used":"511.996","pg_paged_out":"50842005897","pg_swapped_out":"164124","forks":"00000600","cpu_count":"24","virtual_cpu_count":"48","runnable_process_count":"19","normalized_load_avg_1min":"1.14","cpu_user_pct":"45.35","cpu_system_pct":"10.68","cpu_idle_pct":"43.98"}}
Yes, thank you. On top of creating those two separate tables, I want to then store the table data in separate indexes while maintaining all field headers and values. From there I want to restrict access to the indexes. Ideally, I want to avoid creating separate apps.
1. The use case is ideally I just want to create separate indexes based on a search filter and be able to restrict access to these filters based on roles without the need to create different apps. The data I'm ingesting is aggregate so only admins can see it. From there, I want to create two separate dashboards (not Splunk apps if possible) showing data for superheroes or villains. I need only users with the role "good guys" to access the superhero dashboard and be unable to access the villain dashboard and vice versa. The solution I've thought about is by creating indexes which only differ by one line (e.g. archetype=superhero/villain) and then restricting access to these indexes based on user roles.
2. I can't restrict access when using search-time filters though.
3. Okay I understand summary indexing is not the best approach. Do you have a better solution?
Arrows are an attribute of lines.  They don't show up, however, until you increase the thickness of the line.  
Yes, I've thought about creating different apps but I wanted to avoid this since the only difference between the apps will be one line in the filter (e.g. archetype="superhero"). Ideally I just want to create separate indexes based on a search filter and be able to restrict access to these filters based on roles without the need to create different apps. I tried populating the summary index using the query above. By Original Fields not populating, I mean once you run the query and check the index that was created (e.g. index=superheros), the fields present in the search don't include id, strengths, and archetype but only default fields like date_hour, index, timeendpos etc.