All Posts

But this "comment" should be saved somehow or what? Where would it come from?
Contact your Splunk account team for information about your Splunk Cloud license. They also can help ensure you have entitlement to submit support cases. If you're running heavy forwarders and a DS then you have an on-prem LM (perhaps shared with the DS). However, I would not expect the expiration date of that license to match the expiration date of the Splunk Cloud license (it's possible, but not guaranteed).
@PickleRick Sorry for the delayed response. But my concern I am mentioning below in the screenshot. Please help to fix. Is there any setting I need to add in props.conf?
@lorispiana Did you resolve this issue? I am facing the same problem, can you please let me know. Thank you
Hi @deepthi5, you have to create a lookup containing all the rows from your search, then in a dashboard you must have two panels: the first that lists all the rows of your lookup, then choosing one row to update, using a dropdown input you can update that row in the lookup. Remember to use a KV store and not a CSV lookup. It isn't so easy, but the process is the one I described. Here you can find a sample for a similar request I shared some months ago: https://community.splunk.com/t5/Dashboards-Visualizations/Dynamically-Update-a-lookup-file-on-click-of-a-field-and-showing/m-p/674922
Ciao. Giuseppe
Try something like this

    <my_search_index>
    | spath uri
    | regex uri="\/vehicle\/orders\/v1(.*\/processInsurance|\/.*\/validate|\/.*\/process|\/([^-]+-){4}[^-]+)$"
    | eval Operations=case(
        searchmatch("/vehicle/orders/v1*/processInsurance"),"processInsurance",
        searchmatch("/vehicle/orders/v1/*/validate"),"validateOrder",
        searchmatch("/vehicle/orders/v1/*/process"),"processOrder",
        searchmatch("/vehicle/orders/v1/*-*-*-*-*"),"getOrder",
        searchmatch("/vehicle/orders/v1"),"createOrder")
    | stats count as hits avg(request_time) as average perc90(request_time) as response90 by Operations
    | eval average=round(average,2), response90=round(response90,2)
Hello All, I have a dashboard for vulnerability tracking but I would like to add some custom changes, for example:

    Vuln_number  dv_risk_rating  dv_assignment_group  short_description
    VIT9662368   2 - High        XYZ                  R7-msft-cve-2024-38077 detected on
    VIT9662366   2 - High        XYZ                  R7-msft-cve-2024-38074 detected on
    VIT9662367   2 - High        XYZ                  R7-msft-cve-2024-38076 detected on ics028159223
    VIT9662265   2 - High        XYZ                  R7-msft-cve-2024-38077 detected on
    VIT9662260   2 - High        XYZ                  R7-msft-cve-2024-38074 detected on

I need a table with comments in the status column (the comments are static: either there is no action, or I have to fix in next release, or exception), so only 3. Can I give that as a dropdown and then select that vulnerability and assign status from the dropdown?

    Status_dropdown
    No Action
    Fix in next release
    Exception Raised

    dv_number   dv_risk_rating  dv_assignment_group  short_description                    status
    VIT9662368  2 - High        XYZ                  R7-msft-cve-2024-38077 detected on   No action
    VIT9662366  2 - High        XYZ                  R7-msft-cve-2024-38074 detected on   Fix in next release
    VIT9662367  2 - High        XYZ                  R7-msft-cve-2024-38076 detected on   Exception Raised
    VIT9662265  2 - High        XYZ                  R7-msft-cve-2024-38077 detected on   Fix in next release
    VIT9662260  2 - High        XYZ                  R7-msft-cve-2024-38074 detected on   No action
You can use a trick of appending a static result (the fallback) and returning only the first row. The problem is that you have multiple levels of subsearch expansion so you have to make sure that you properly return the results as string. For this you have to not just use "return" but manually craft the "search" field.

    | eval userid = [
        | loadjob savedsearch=user:app:search
        | append [ | makeresults | eval actor="default" ]
        | head 1
        | eval search = "\"" . actor . "\""
      ]
Hello Everyone, With the below query

    <my_search_index>
    | spath uri
    | search uri="/vehicle/orders/v1" OR uri="/vehicle/orders/v1*/validate" OR uri="/vehicle/orders/v1*/process" OR uri="/vehicle/orders/v1*/processInsurance"
    | eval Operations=case(
        searchmatch("/vehicle/orders/v1*/processInsurance"),"processInsurance",
        searchmatch("/vehicle/orders/v1/*/validate"),"validateOrder",
        searchmatch("/vehicle/orders/v1/*/process"),"processOrder",
        searchmatch("/vehicle/orders/v1"),"createOrder")
    | stats count as hits avg(request_time) as average perc90(request_time) as response90 by Operations
    | eval average=round(average,2), response90=round(response90,2)

I am able to construct the table. Apart from the 4 URL patterns mentioned in the query, I need to include the following URL pattern for getOrder:

    uri: /vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179

from the raw Splunk log:

    {
      "request_timestamp ": "02/Jan/1984:09:05:04",
      "response_timestamp": "01/Jan/1984:09:05:04 +0000",
      "kong_request_id": "my_kong_req_id",
      "ek-correlation-id": "my_corr_id",
      "ek-request-id": "my_req_id",
      "ek-transaction-id": "",
      "req_id": "",
      "channel_name": "",
      "logType": "kong",
      "traceparent": "0traceparent",
      "request_method": "GET",
      "remote_addr": "1.2.3.4",
      "server_addr": "5.5.6.6",
      "scheme": "https",
      "host": "my.host.com",
      "status": 200,
      "request_method": "GET",
      "uri": "/vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179",
      "server_protocol": "HTTP/1.1",
      "bytes_sent": 23663,
      "body_bytes_sent": 23547,
      "request_length": 1367,
      "http_referer": "-",
      "http_user_agent": "-",
      "request_time": "0.010",
      "upstream_response_time": "0.008",
      "upstream_addr": "1.3.5.7",
      "http_content_type": "application/json",
      "upstream_host": "my.host.com"
    }

I'm not sure how to change my query to include the required URL pattern.
If I try this: /vehicle/orders/v1/* or /vehicle/orders/v1/*-*-*-*-* it might include the count of the patterns below as well:

    /payment/orders/v1*/processInsurance
    /payment/orders/v1/*/validate
    /payment/orders/v1/*/process
    /payment/orders/v1

Appreciate your help.
Understood. I will find a way to handle that, as my search does not return results every time. Thank you for your patience & help.
If that's core functionality throwing that error then contact support. If it's a third-party app they shouldn't be trying to use Python code that attempts to access that module, basically... there are ways to make requests to URLs without calling it directly.
So if you have no events to extract the "actor" field value from, there is no value to substitute into the main search, hence the error, because it effectively becomes | eval something=
If you meant that if I run only the below: | loadjob savedsearch="myuserid:my_app:my_saved_search" It runs & returns 0 events as the last run of the search did not return any result.
Issue is fixed by 8.2.5 and above.
Hello Tom, thank you very much for your answer. Testing the ones you sent me I noticed that if I search for example for: eventtype=wineventlog_index_windows eventtype=wineventlog_security I do not get any results, the same if I make a search for: eventtype=wineventlog_index. But if I try: eventtype=wineventlog_security I am getting results. In the eventtypes.conf file in the DA-ITSI-CP-windows-dashboards/local folder I made the following changes:

    [windows_index_windows]
    definition= index=windows OR index=main

    [perfmon_index_windows]
    definition= index=perfmon OR index=itsi_im_metrics

    [wineventlog_index_windows]
    definition= index=wineventlog OR index=main

Do you have any idea why this is happening? When you are writing "definition is correct and shared properly" what exactly do you mean? Thanks in advance
Exactly that dev license I'm talking about. And I also explained that I've already tried to renew last week's Tuesday (July 23rd) (!) as well as a couple of times before that. So, thx for the link but... that's exactly the one I've always tried and nothing happened so far. And July 23rd is slightly more than 3-5 days (which I'm aware of)...
You mean the Developer License? Not the Dev/Test license? https://dev.splunk.com/enterprise/dev_license/ "After you accept the agreement, it can take up to 3 days to review your application and grant your license." But actually it's a manual process so there might be a slight delay depending on the team's workload, holidays and so on.
Hi @eherbst63, in my company we have an NFR license and every year it is renewed one or two days late! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Thx for the hint
Hi @eherbst63, maybe some automatic process failed so they are late. Open a case with Splunk Support for this. Ciao. Giuseppe