All Posts

<form version="1.1" theme="light">
  <label>two DS panels</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="server">
      <label>Server</label>
      <choice value="a">A</choice>
      <choice value="b">B</choice>
      <choice value="c">C</choice>
      <choice value="d">D</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>US DS</title>
        <search>
          <query>| makeresults format=csv data="Host, DS
A, US-DS
B, US-DS"
| table Host DS</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>UK DS</title>
        <search>
          <query>| makeresults format=csv data="Host, DS
C, UK-DS
D, UK-DS"
| table Host DS</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
How can I solve that?
And the question is?
Math is cool, I did try /100 but did not use exact. doh.   Thanks for the reply.
That worked, thank you both very much. I changed it to en-GB in the URL and it is now working as expected.  Thank you!
You could pipe it to rex and create a new field inside subsearch. Then just use this field with return.
Can you share your dashboard code inside </> block?
I tried that but I don't have a field name from my command. Do I need to set one or how does this work? Still new to understanding all of this. I got the command running but working in the commands.conf and default.meta files by calling the python/powershell files. Is this something I need to set somewhere?
[serversindex] Configuration initialization for /opt/splunk/var/run/searchpeers/serverhead-1721913866 took longer than expected (1002ms) when dispatching a search with search ID remote_serverhead_userxx__userxx__search__search1_1723144245.50. This usually indicates problems with underlying storage performance.
Or try to use some other locale than en-US in the URL when you log in to Splunk.
Blame Americanism on this.  In your user account, see if there is an option to customize locale, not just timezone.
Hi, have you tried | eval testdata = [| nslookupsearch dest_ip | return <your field name from command>] r. Ismo
Are you running Splunk as root or some other user? Using root is against security practices! If you are running it as splunk, you should also check btool with that user. Otherwise there is a small possibility that those files are owned by root and the splunk user doesn't have read access to them. Another option is that some options can be set only in …/system/local. Unfortunately you cannot use DS to deploy those configurations into it. Maybe it's best to raise a Splunk support case for it!
I have a custom command that calls a script for nslookup and returns the data to splunk. All of it is working but I want to use this custom command in Splunk to return the data to an eval and output that into a table. For example, the search string would look something like the following:

index="*" | iplocation src_ip | eval testdata = | nslookupsearch dest_ip | table testdata _time | sort - _time

NOTE: This is not the exact search string, this is just a mock string. When I run:

| nslookupsearch Record_Here

I get the correct output and data that I want to see. But when I run the command to attach the returned value to an eval, it fails. I keep getting errors on doing this but I can't find something that will work like this. The testdata eval keeps failing.
Hi All, I am new to using Splunk. I am uploading a CSV to Splunk that has a column called 'Transaction Date' with the entries in DD/MM/YYYY format as shown below. At the Set Source Type step I have updated the timestamp format to avoid getting the default modtime. I have updated it with %d/%m/%Y as shown below. This partly works as my '_time' field no longer shows the default modtime. However it shows the date in the incorrect format of MM/DD/YYYY instead of DD/MM/YYYY. (also shown below) Everything else I have left as default. These are my advanced settings: Any ideas how I can fix this to display the correct format? Thank you!
Searching for "W" or "E" will return a lot of noise.  That's why my suggested query included spaces around each letter - the goal being to find the isolated severity codes.
Have you tried math?

index=net Model=ERT-SCM EM_ID=Redacted | stats count by Consumption | eval Consumption = exact(Consumption/100)
Pretty green with SOAR and haven't been able to find a good answer to this. All of our events in SOAR are generated by pulling them in from Splunk ES. This creates one artifact for each event. I'm looking for a way to extract data from that artifact so we can start using and labeling that data. Am I missing something here? I haven't found much in the way of training on the data extraction part of this, so any tips for that would be great too.
Hello, I have 4 servers: A, B, C, & D. These servers point to two different DS. A & B point to the US DS server, C & D servers point to the UK DS server. I'm selecting these 4 servers in a multiselect value and it has to show two different panels. (hide initially) But, if I select only A & B it has to show only the US DS panel. (I don't want to show the DS values in the input values.)
Hello

Thank you for your answer. I tried your command and I have got:

root@MSVMSLMCLM01:/opt/splunk/bin# ./splunk btool alert_actions list --debug | grep allowed
/opt/splunk/etc/apps/setSplunkCommonConfig/default/alert_actions.conf allowedDomainList = domain.sk
root@MSVMSLMCLM01:/opt/splunk/bin# ./splunk btool alert_actions list --debug | grep from
/opt/splunk/etc/apps/setSplunkCommonConfig/default/alert_actions.conf from = splunk@domain.sk

So this looks like settings are used from correct file, file from pushed application. But when I check web on this machine, those values are empty: Any idea?