Thank you @gcusello for your quick reply and support.
I found a couple of things you can do here:
1. Add the Entity Lookup Field from your correlation search here. That will give you whatever you evaluate entity_title to in your search as the impacted entity in your KPI.
2. Just add the entity_key field to your lookup; this automatically adds any entities to the impacted entities for the KPI, though it won't add pseudo entities such as a combined field like host:disk.
Hi @AnanthaS, as I said: create the secondary dashboard, click on the three dots of your Single Value panel, insert the secondary dashboard in the window, adding if needed the time tokens you used for the primary dashboard (in this case, you have to add them also to the secondary dashboard), and you'll have your dashboard. Ciao. Giuseppe
I was having the same trouble, even after adding the entity_title field to my correlation search. I fixed it by also adding the entity_key field.
I do want to navigate to Dashboard but more importantly focus on the chart of interest within. 
Hi @AnanthaS, it's a very easy drilldown because you don't need to pass any parameter on click, or at most the time parameters. To do this, you can use the UI feature: click on the three dots of the Single Value panel and add the dashboard to link to, which you have to prepare beforehand. For more info see https://docs.splunk.com/Documentation/Splunk/9.3.0/Viz/DrilldownIntro or some videos on the YouTube Splunk channel https://www.youtube.com/@Splunkofficial Ciao. Giuseppe
Hi @Lloyd, in addition to the useful links shared by @bowesmana, I can say that even if in the Community you can find many people who encountered issues using Splunk on Ubuntu, I used it for a very large project in Italy and I'm not encountering any issue. We initially used Ubuntu 20.04 and then we upgraded it to 22.04. Ciao. Giuseppe
https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements
https://www.bitsioinc.com/install-splunk-ubuntu/#:~:text=Unlike%20CentOS%2C%20installing%20Splunk%20on,how%20to%20install%20Splunk%209.0.
https://medium.com/@dannyopara/installing-splunk-enterprise-on-ubuntu-step-by-step-guide-b545982038c3
Have you looked at the chromestatus URL? It tells you the events were deprecated in July 2024. You can re-enable them, but you may want to look at your script against that explanation.
Hi guys, hope you are all doing well. I have recently started to use Splunk ES and I am trying to create security incidents in ServiceNow for notables. I am using the ServiceNow Security Operations Integration add-on for this and I have created a workflow action to create an incident. I am using the search below in the workflow action, but I am not able to create any incidents. Please let me know if I am missing anything. Thanks in advance.

```spl
| expandtoken rule_title rule_description drilldown_searches
| fields title rule_description src src_ip dest dest_ip user file_path file_hash file_name _time source severity event_hash
| eval src=coalesce(src, src_ip), dest=coalesce(dest, dest_ip)
| fillnull value=N/A dvc src dest user file_path file_hash file_name
| eval external_link = xyz
| eval md5_hash = if(file_hash == "N/A", "N/A", if(len(file_hash) == 32, file_hash, "N/A"))
| eval sha256_hash = if(file_hash == "N/A", "N/A", if(len(file_hash) == 64, file_hash, "N/A"))
| eval snow_event_ts = strftime(_time, "%m-%d-%Y %H:%M:%S")
| eval severity = case(severity=="informational", 0, severity=="low", 4, severity=="medium", 3, severity=="high", 2, severity=="critical", 1)
| eval ticket_contents = "short_description \"".title."\""
| eval ticket_contents = ticket_contents." assignment_group \"ABC\""
| eval ticket_contents = ticket_contents." contact_type \"SIEM\""
| eval ticket_contents = ticket_contents." description \"".rule_description."\""
| eval ticket_contents = ticket_contents." source_ip \"".src."\""
| eval ticket_contents = ticket_contents." dest_ip \"".dest."\""
| eval ticket_contents = ticket_contents." u_offence_id \"".event_hash."\""
| eval ticket_contents = ticket_contents." u_source \"".src."\""
| eval ticket_contents = ticket_contents." u_destination \"".dest."\""
| eval ticket_contents = ticket_contents." u_md5_hash \"".md5_hash."\""
| eval ticket_contents = ticket_contents." u_sha256_hash \"".sha256_hash."\""
| eval ticket_contents = ticket_contents." u_event_timestamp \"".snow_event_ts."\""
| eval ticket_contents = ticket_contents." u_event_name \"".source."\""
| eval ticket_contents = ticket_contents." severity \"".severity."\""
| return $ticket_contents
```
Thank you so much ....That's working
@sprijosh, when giving the URL, if I am using a clustered environment, which URL do we need to give? Is that the search head URL?
This one seems better as it excludes scheduled searches.

```spl
index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats count by user | fields user]
| search action="search" OR action="rtsearch"
| stats values(action) as Action, values(info) as Info, max(_time) as lastTime, min(_time) as firstTime by user
| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S"), firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S")
```
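An added example, not from the post above, that reaches the same goal without the subsearch: it drops scheduler-run searches by their search ID (scheduled search IDs carry the scheduler__ prefix) and the internal splunk-system-user, so interactive searches submitted through the REST API, which never appear in web_access.log, are still counted. The field names are those of the standard _audit index; the days_idle threshold is left to the reader.

```spl
index=_audit action=search info=granted
    user!="splunk-system-user" user!="-"
    NOT search_id="*scheduler__*"
| stats count AS searches, min(_time) AS firstTime, max(_time) AS lastTime BY user
| eval days_idle = round((now() - lastTime) / 86400, 1)
| eval firstTime = strftime(firstTime, "%Y-%m-%d %H:%M:%S"),
       lastTime  = strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| sort - days_idle
```

Filtering on info=granted counts each search once (every search also logs completed or canceled events), and min/max are taken on _time rather than on the audit timestamp string, whose MM-DD-YYYY layout does not sort chronologically across year boundaries.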
Does Splunk Enterprise support Ubuntu?
```javascript
require(["jquery", "splunkjs/mvc", "splunkjs/mvc/simplexml/ready!"], function($, mvc) {
    // Properties
    var earliest = 0;
    var latest = 0;

    // Update Lead Time to the correct format
    // (secondsTimeSpanToDHM() is assumed to be defined elsewhere in this dashboard's JS)
    function setFormatLeadTime() {
        $("#lead_time svg text").each(function() {
            if (!$(this).text().match(":")) {
                $(this).text(secondsTimeSpanToDHM($(this).text()));
            }
        });
    }

    // Open a URL in a new window
    function setUrl(url) {
        window.open(url, "_blank");
        return false;
    }

    // Default Token Components
    var tokens = mvc.Components.get("default");

    // Set On-Click listeners
    $("#throughput .splunk-chart").click(function() {
        setUrl("/app/customer_reports/throughput_report_-_0136_system?form.time.earliest=" + earliest + "&form.time.latest=" + latest);
    });
    $("#availability .splunk-chart").click(function() {
        setUrl("/app/customer_reports/availability_report?form.time.earliest=" + earliest + "&form.time.latest=" + latest);
    });
    $("#completeness .splunk-chart").click(function() {
        setUrl("/app/customer_reports/completeness_order?form.time.earliest=" + earliest + "&form.time.latest=" + latest);
    });
    $("#on_time .splunk-chart").click(function() {
        setUrl("/app/customer_reports/on-time_performance_report_customer?form.time.earliest=" + earliest + "&form.time.latest=" + latest);
    });
    $("#utilization .splunk-chart").click(function() {
        setUrl("/app/customer_reports/load_forming_logic?form.time.earliest=" + earliest + "&form.time.latest=" + latest);
    });
    $("#partitioning .splunk-chart").click(function() {
        setUrl("/app/customer_reports/load_forming_logic?form.time.earliest=" + earliest + "&form.time.latest=" + latest);
    });
    $("#group_coherence .splunk-chart").click(function() {
        setUrl("/app/customer_reports/load_forming_logic?form.time.earliest=" + earliest + "&form.time.latest=" + latest);
    });
    $("#lead_time .splunk-chart").click(function() {
        setUrl("/app/customer_reports/lead_time_report?form.time.earliest=" + earliest + "&form.time.latest=" + latest);
    });
    $("#productivity .splunk-chart").click(function() {
        setUrl("/app/customer_reports/productivity_total?form.time.earliest=" + earliest + "&form.time.latest=" + latest);
    });

    // Set Token listener for Lead Time
    tokens.on("change:lead_time", function(model, value, options) {
        setTimeout(function() { setFormatLeadTime(); }, 500);
        setTimeout(function() { setFormatLeadTime(); }, 1500);
    });

    // Set Token listener for earliest_epoch
    tokens.on("change:time.earliest_epoch", function(model, value, options) {
        earliest = value;
    });

    // Set Token listener for latest_epoch
    tokens.on("change:time.latest_epoch", function(model, value, options) {
        latest = value;
    });

    // Attribute listener for date time picker (attrchange is a jQuery plugin, loaded separately)
    $("#time div[data-test='time-range-dropdown'] button").attrchange({
        trackValues: true, /* Default to false; if set to true the event object is updated with old and new value. */
        callback: function(event) {
            // event               - event object
            // event.attributeName - name of the attribute modified
            // event.oldValue      - previous value of the modified attribute
            // event.newValue      - new value of the modified attribute
            // Triggered when the selected element's attribute is added/updated/removed
            if (event.attributeName == "aria-expanded" && event.newValue == "true") {
                $("div[data-test-panel-id='date'] > button[data-test='toggle']").click();
                $("div[data-test='range-type'] button").attrchange({
                    trackValues: true,
                    callback: function(event) {
                        $("button[data-test-value='since']").click();
                    }
                });
                $("div[data-test-value='between'] > button[data-test='toggle']").click();
            }
        }
    });
});
```

@bowesmana Please check the above pasted script.
I have a single value in a classic dashboard. When I click that, I would like it to navigate to another classic dashboard and show up a specific chart. Is this possible? If yes, how can this be achieved? 
and the input is only configured on heavy forwarder B, but when I put the transforms.conf on HF B, it isn't working
I mean it's the deployment server & master node. Can I add the props.conf & transforms.conf on the deployment server and then run this command? /opt/splunk/bin/splunk reload deploy-server I'm sorry for asking a basic thing; I'm new to Splunk.
Can you post your javascript?
Splunk can get confused by the dot operator, as it can separate parts of a field name, components of a JSON field, or represent concatenation. To help eliminate the confusion, try renaming fields to names that do not contain dots, or put single quotes around the field names.
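As an added example that is not part of the post above, the following search makes the ambiguity concrete. It builds one constructed nested JSON event with makeresults, lets spath produce the dotted field cpu.pct, and then uses that field three ways: unquoted, single-quoted, and after a rename.

```spl
| makeresults
| eval _raw="{\"host\":{\"name\":\"web01\"},\"cpu\":{\"pct\":\"85\"}}"
| spath
| eval pct_unquoted = cpu.pct + 5
| eval pct_quoted   = tonumber('cpu.pct') + 5
| rename cpu.pct AS cpu_pct, host.name AS host_name
| eval pct_renamed  = cpu_pct + 5
| table host_name cpu_pct pct_unquoted pct_quoted pct_renamed
```

pct_unquoted comes back empty: inside eval, cpu.pct is parsed as the concatenation of two fields named cpu and pct, neither of which exists. pct_quoted and pct_renamed both give 90, because the single quotes tell eval to treat cpu.pct as one field name, and rename removes the dot entirely so no quoting is needed downstream. Note that the asymmetry is eval-specific: rename, table and spath all accept the dotted name as-is, which is why the same field behaves differently in different commands of one search.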