@lorispiana Did you resolve this issue? I am facing the same problem, can you please let me know. Thank you
Hi @deepthi5, you have to create a lookup containing all the rows from your search. Then in a dashboard you must have two panels: the first lists all the rows of your lookup; then, choosing one row to update, using a dropdown input you can update that row in the lookup. Remember to use a KV store and not a CSV lookup. It isn't so easy, but the process is the one I described. Here you can find a sample for a similar request I shared some months ago: https://community.splunk.com/t5/Dashboards-Visualizations/Dynamically-Update-a-lookup-file-on-click-of-a-field-and-showing/m-p/674922

Ciao. Giuseppe
Try something like this:

<my_search_index>
| spath uri
| regex uri="\/vehicle\/orders\/v1(.*\/processInsurance|\/.*\/validate|\/.*\/process|\/([^-]+-){4}[^-]+|)$"
| eval Operations=case(
    searchmatch("/vehicle/orders/v1*/processInsurance"), "processInsurance",
    searchmatch("/vehicle/orders/v1/*/validate"), "validateOrder",
    searchmatch("/vehicle/orders/v1/*/process"), "processOrder",
    searchmatch("/vehicle/orders/v1/*-*-*-*-*"), "getOrder",
    searchmatch("/vehicle/orders/v1"), "createOrder")
| stats count as hits avg(request_time) as average perc90(request_time) as response90 by Operations
| eval average=round(average,2), response90=round(response90,2)
Hello All, I have a dashboard for vulnerability tracking but I would like to add some custom changes, for example:

Vuln_number   dv_risk_rating   dv_assignment_group   short_description
VIT9662368    2 - High         XYZ                   R7-msft-cve-2024-38077 detected on
VIT9662366    2 - High         XYZ                   R7-msft-cve-2024-38074 detected on
VIT9662367    2 - High         XYZ                   R7-msft-cve-2024-38076 detected on ics028159223
VIT9662265    2 - High         XYZ                   R7-msft-cve-2024-38077 detected on
VIT9662260    2 - High         XYZ                   R7-msft-cve-2024-38074 detected on

I need a table with comments in the status column (the comments are static: either there is no action, or I have to fix in the next release, or an exception), so only 3. Can I give that as a dropdown and then select that vulnerability and assign the status from the dropdown?

Status_dropdown
No Action
Fix in next release
Exception Raised

dv_number     dv_risk_rating   dv_assignment_group   short_description                                   status
VIT9662368    2 - High         XYZ                   R7-msft-cve-2024-38077 detected on                  No action
VIT9662366    2 - High         XYZ                   R7-msft-cve-2024-38074 detected on                  Fix in next release
VIT9662367    2 - High         XYZ                   R7-msft-cve-2024-38076 detected on                  Exception Raised
VIT9662265    2 - High         XYZ                   R7-msft-cve-2024-38077 detected on                  Fix in next release
VIT9662260    2 - High         XYZ                   R7-msft-cve-2024-38074 detected on                  No action
You can use a trick of appending a static result (the fallback) and returning only the first row. The problem is that you have multiple levels of subsearch expansion, so you have to make sure that you properly return the result as a string. For this you have to not just use "return" but manually craft the "search" field:

| eval userid = [ | loadjob savedsearch=user:app:search
    | append [ | makeresults | eval actor="default" ]
    | head 1
    | eval search="\"" . actor . "\""
    | fields search ]
Hello Everyone, with the below query

<my_search_index>
| spath uri
| search uri="/vehicle/orders/v1" OR uri="/vehicle/orders/v1*/validate" OR uri="/vehicle/orders/v1*/process" OR uri="/vehicle/orders/v1*/processInsurance"
| eval Operations=case(
    searchmatch("/vehicle/orders/v1*/processInsurance"), "processInsurance",
    searchmatch("/vehicle/orders/v1/*/validate"), "validateOrder",
    searchmatch("/vehicle/orders/v1/*/process"), "processOrder",
    searchmatch("/vehicle/orders/v1"), "createOrder")
| stats count as hits avg(request_time) as average perc90(request_time) as response90 by Operations
| eval average=round(average,2), response90=round(response90,2)

I am able to construct the table. Apart from the 4 URL patterns mentioned in the query, I need to include the following URL pattern for getOrder:

uri: /vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179

from the raw Splunk log:

{
  "request_timestamp ": "02/Jan/1984:09:05:04",
  "response_timestamp": "01/Jan/1984:09:05:04 +0000",
  "kong_request_id": "my_kong_req_id",
  "ek-correlation-id": "my_corr_id",
  "ek-request-id": "my_req_id",
  "ek-transaction-id": "",
  "req_id": "",
  "channel_name": "",
  "logType": "kong",
  "traceparent": "0traceparent",
  "request_method": "GET",
  "remote_addr": "1.2.3.4",
  "server_addr": "5.5.6.6",
  "scheme": "https",
  "host": "my.host.com",
  "status": 200,
  "request_method": "GET",
  "uri": "/vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179",
  "server_protocol": "HTTP/1.1",
  "bytes_sent": 23663,
  "body_bytes_sent": 23547,
  "request_length": 1367,
  "http_referer": "-",
  "http_user_agent": "-",
  "request_time": "0.010",
  "upstream_response_time": "0.008",
  "upstream_addr": "1.3.5.7",
  "http_content_type": "application/json",
  "upstream_host": "my.host.com"
}

Not sure how I change my query to include the required URL pattern.
If I try this: /vehicle/orders/v1/* or /vehicle/orders/v1/*-*-*-*-* it might include the count of the below patterns as well:

/payment/orders/v1*/processInsurance
/payment/orders/v1/*/validate
/payment/orders/v1/*/process
/payment/orders/v1

Appreciate your help.
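The classification that the question and the answer above build in SPL, as an added Python example that is not from the original thread. It reads the `uri` field of each event (as `spath uri` does), classifies it with one regex anchored at `^/vehicle/orders/v1` so that the `/payment/orders/v1...` paths the question worries about never match, and aggregates hits, average and 90th-percentile `request_time` per operation. The order-ID pattern (five dash-separated segments) is taken from the answer's `([^-]+-){4}[^-]+`; the sample events are constructed for this example, and the nearest-rank percentile is an assumption that approximates Splunk's `perc90`.

```python
import math
import re
import statistics
from collections import defaultdict

# Constructed sample events, modelled on the single Kong log line quoted in
# the question; IDs and timings are made up for this example.
SAMPLE_EVENTS = [
    {"uri": "/vehicle/orders/v1", "request_method": "POST", "request_time": "0.120"},
    {"uri": "/vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179", "request_method": "GET", "request_time": "0.010"},
    {"uri": "/vehicle/orders/v1/a1b2c3d4-e5f6-7a8b-9c0d-e1f2a3b4c5d6", "request_method": "GET", "request_time": "0.030"},
    {"uri": "/vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179/validate", "request_method": "POST", "request_time": "0.050"},
    {"uri": "/vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179/process", "request_method": "POST", "request_time": "0.300"},
    {"uri": "/vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179/processInsurance", "request_method": "POST", "request_time": "0.200"},
    # Must NOT be counted: different API, and an ID that is not five segments.
    {"uri": "/payment/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179", "request_method": "GET", "request_time": "0.011"},
    {"uri": "/payment/orders/v1", "request_method": "POST", "request_time": "0.090"},
    {"uri": "/vehicle/orders/v1/not-an-id", "request_method": "GET", "request_time": "0.005"},
]

# One anchored regex instead of several wildcard searchmatch() terms.
# ^ pins the prefix, so /payment/orders/v1... can never match.
ROUTE = re.compile(
    r"^/vehicle/orders/v1"
    r"(?:/(?P<order_id>[^/-]+(?:-[^/-]+){4})"          # five dash-separated segments, as in the answer's regex
    r"(?:/(?P<action>processInsurance|process|validate))?)?"
    r"/?$"
)

ACTION_TO_OPERATION = {
    "validate": "validateOrder",
    "process": "processOrder",
    "processInsurance": "processInsurance",
}


def classify(uri):
    """Return the operation name for a URI, or None if it is not one of the five routes."""
    m = ROUTE.match(uri)
    if m is None:
        return None
    if m.group("order_id") is None:
        return "createOrder"                 # bare /vehicle/orders/v1
    action = m.group("action")
    if action is None:
        return "getOrder"                    # /vehicle/orders/v1/<id>
    return ACTION_TO_OPERATION[action]


def percentile(values, p):
    """Nearest-rank percentile (assumption: close to, not identical with, Splunk's perc90)."""
    ordered = sorted(values)
    k = max(0, math.ceil(p / 100 * len(ordered)) - 1)
    return ordered[k]


def summarize(events):
    """Equivalent of the stats/eval tail of the SPL: hits, average, response90 by operation."""
    timings = defaultdict(list)
    for event in events:
        operation = classify(event.get("uri", ""))
        if operation is None:
            continue                          # same effect as the regex filter dropping the event
        timings[operation].append(float(event["request_time"]))
    return {
        op: {
            "hits": len(t),
            "average": round(statistics.fmean(t), 2),
            "response90": round(percentile(t, 90), 2),
        }
        for op, t in timings.items()
    }


if __name__ == "__main__":
    for op, row in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{op:18} hits={row['hits']} average={row['average']} response90={row['response90']}")
```

The point a practitioner should take from this is the anchoring: wildcard terms such as `/vehicle/orders/v1/*-*-*-*-*` match anywhere in the event, whereas the regex above only accepts a URI that starts with the API prefix and has exactly one five-segment ID, so a sixth dash-separated segment or a trailing path component is rejected rather than silently counted as getOrder.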
Understood. I will find a way to handle that, as my search does not return a result every time. Thank you for your patience & help.
If that's core functionality throwing that error then contact support. If it's a third-party app, they shouldn't be trying to use Python code that attempts to access that module, basically... there are ways to make requests to URLs without calling it directly.
So if you have no events to extract the "actor" field value from, there is no value to substitute into the main search, hence the error, because it effectively becomes | eval something=
If you meant that I run only the below: | loadjob savedsearch="myuserid:my_app:my_saved_search" It runs & returns 0 events, as the last run of the search did not return any result.
Issue is fixed by 8.2.5 and above.
Hello Tom, thank you very much for your answer. Testing the ones you sent me, I noticed that if I search for example for: eventtype=wineventlog_index_windows eventtype=wineventlog_security I do not get any results, the same if I make a search for: eventtype=wineventlog_index. But if I try: eventtype=wineventlog_security I am getting results.

In the eventtypes.conf file in the DA-ITSI-CP-windows-dashboards/local folder I made the following changes:

[windows_index_windows]
definition = index=windows OR index=main

[perfmon_index_windows]
definition = index=perfmon OR index=itsi_im_metrics

[wineventlog_index_windows]
definition = index=wineventlog OR index=main

Do you have any idea why this is happening?

When you are writing "definition is correct and shared properly", what exactly do you mean?

Thanks in advance
Exactly that dev license I'm talking about. And I also explained that I've already tried to renew last week's Tuesday (July 23rd) (!), as well as a couple of times before. So, thx for the link but... that's exactly the one I've always tried and nothing has happened so far. And July 23rd is slightly more than 3-5 days ago (which I'm aware of)...
You mean the Developer License? Not the Dev/Test license? https://dev.splunk.com/enterprise/dev_license/ "After you accept the agreement, it can take up to 3 days to review your application and grant your license." But actually it's a manual process, so there might be a slight delay depending on the team's workload, holidays and so on.
Hi @eherbst63, in my company we have an NFR license and every year it is renewed one or two days late! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Thx for the hint
Hi @eherbst63, maybe some automatic process failed, so they are late. Open a case with Splunk Support for this. Ciao. Giuseppe
Good Morning everyone, I've been working as a Developer for Apps, Dashboards, Workflows and Use Cases in Splunk for a couple of years. In this role I've successfully requested several developer licenses.

So I did last week's Tuesday for the first time, and yesterday again. Since then nothing has happened, especially no new license was sent, nor any kind of response.

I'd be very pleased if you could make it (the dev. license) happen. Thank you very much in advance.

Kind Regards
Ekkehard
If you run your subsearch on its own does it return any values?
1. Please post your SPL in a code block or preformatted paragraph next time - it improves readability.
2. We don't know your data - maybe it's that you have duplicates in your events. Or maybe it's some search flaw. Can't tell just by looking at the search itself.
3. What do you mean by "duplicate values"? Multivalued fields with a repeated value? Multiple results sharing the same value in one (all?) of the fields?
4. Typically you diagnose such things either by removing steps from the end and checking whether the intermediate results make sense, or by starting from the beginning and adding steps one by one and checking if the results make sense.
5. Join is usually (but not always) _not_ the way to go. In your case the joined subsearch contains a wildcard at the beginning of the search term, which means that if you have a significant amount of data to search, the subsearch might be silently finalized and return incomplete/wrong results.