We have a stand-alone Splunk instance in a closed area. We had to roll back the server to a snapshot, and now the clients only phone home when we restart the Splunk server. I've looked at the splunkd log and the phonehome log, and checked outputs.conf. I've run telnet to server:8089 and 9997 from the clients, and the ports are open and listening. Any help would be appreciated. We are on version 9.3.1.
Yup. You're right. I keep forgetting about that option. For me it's clearer to do those two operations separately. I wonder though whether there is a performance difference.
Stats should be way faster and more efficient, but it won't give you the other fields. So whether it's stats or dedup depends on the desired results.
No need to use HTML tags. You could add those into the title etc. But when you have a lot of those and you set and unset them based on buttons, clicks etc., then this approach doesn't work anymore.
The answers already given are spot on. When I am trying to troubleshoot my correlation searches, the first thing I do is grab the query that is being used for the correlation search and validate that it actually returns results. Do a copy and paste from the search query in the correlation search to an SPL window to validate that you didn't mistype anything. If you get results from the query, then you want to validate that the adaptive response is set (in ES versions before Splunk) to make a notable. In ES 8 you will want to make sure that the event finding option is selected; the other type of finding goes into a risk score and will not actually create a finding for you in the analyst queue.

If none of that works, I tend to copy the correlation search query off to another safe location and replace the query with something that will fire for sure:

index=_internal | head 1 | table index, sourcetype

Then see if that search will fire off an alert. If it doesn't, you know that you have a configuration setting messed up in the correlation search. Hope this helps.
The other thing you can do without installing an app is to go into the XML and create an html tag:

<row>
  <html>
    Value of token1 = $token1$
    Value of token2 = $token2$
  </html>
</row>

I may have shorthanded the html tags, but basically every time the token changes, the token value will be displayed in that html tag. Really easy way to keep track of the token value. If you need a default token value, look into using the <set> function in tokens. But @ITWhisperer was spot on when he said that when a token is not set it is neither empty nor null.
It sounds like the user should be making choices from the first two dropdowns, and that supplies the fields that will be provided in the third dropdown. What you want to do is tokenize the first two dropdowns so that the answer from them is (use better token names) $optionA$ for the first dropdown and $optionB$ for the second dropdown. Then in the third dropdown, fill the list from a query and use the tokens in the query, so something like this:

index=yourindex sourcetype=yoursourcetype valuex=$optionA$ valuey=$optionB$

Or if it is a lookup file:

| inputlookup yourlookupfile | search valuex=$optionA$ valuey=$optionB$

Hope that helps.
You should also check if the CM sees those peers as members of the indexer cluster. Then also check what errors, and maybe warnings, there are that tell what has happened.
Hello @Jasmine, Is this resolved?
index=aws, but I ended up logging onto both servers and moving the whole index from the "old" Splunk over to the "new" Splunk.
When you are playing with tokens in SXML, you should install this app: https://classic.splunkbase.splunk.com/app/1603/ Then add this into your forms:

<form version="1.1" theme="light" script="simple_xml_examples:showtokens.js">

After this it shows all the tokens you have and what their values are, like:

When I add ip but didn't press submit.

After submit is pressed.

https://data-findings.com/wp-content/uploads/2024/09/HSUG-20240903-Tiia-Ojares.pdf
Hi Splunk Community, we're currently onboarding SUSE Linux (SLES/OpenSUSE) logs into Splunk Enterprise Security (ES) and would appreciate some input. Specifically, I'm looking to understand:

1. What log files are most relevant for SUSE Linux when it comes to security-focused use cases in Splunk ES (e.g., authentication, audit, change tracking, endpoint monitoring)?
2. How do SUSE Linux log paths and formats differ from standard Linux distributions like RHEL, CentOS, or Ubuntu?
3. Are there any known configurations or tuning steps required (e.g., for /var/log/secure, auditd, or firewall logs) to ensure Splunk ES use cases are fully supported?

If anyone has experience with Splunk ES and SUSE integration, I'd love to hear your recommendations on best practices or common challenges. Thanks in advance!
Hey @rishabhpatel20, I believe it is the HTML and CSS styling that's blocking your headers. If there's no particular need to add CSS, I would suggest you remove it, since you'll be able to add all those 4 panels in the same row just by drag and drop using the double-ellipses line at the top of your panel. Thanks, Tejas.
Hey @ND1, whatever @sainag_splunk mentioned is all correct. Additionally, you'll also need to validate whether the events that should cause the notable event to be created are present in the actual index events or data model summaries. Also, validate the trigger condition: if the events are present, do they qualify for the correlation search to trigger the notable creation or not? Thanks, Tejas.
If you remove the display:none completely, then it should bring back your headers.
What is it you are trying to achieve? Tables normally have headers. If you want them, don't try to use CSS to change them unless there is a specific reason to do so, e.g. to modify their appearance in some way.
Not good with CSS, it's new to me, hence not sure how to solve it.
Why are you modifying it in the first place? Try not changing the style of the thead?
What shall I mention instead of none? Table header names like port, count etc.?
An unset token has no value, but it is not null, either. It's as though the token doesn't exist. Splunk will not execute a query if any of the tokens within it are undefined.