All Posts
It sounds like the user should be making choices from the first two dropdowns, and that supplies the fields that will be provided in the third dropdown. What you want to do is tokenize the first two dropdowns so that the answers from them are (use better token names) $optionA$ for the first dropdown and $optionB$ for the second dropdown. Then in the third dropdown, fill the list from a query and use the tokens in the query, so something like this:

    index=yourindex sourcetype=yoursourcetype valuex=$optionA$ valuey=$optionB$

Or if it is a lookup file:

    | inputlookup yourlookupfile | search valuex=$optionA$ valuey=$optionB$

Hope that helps.
You should also check if the CM sees those peers as members of the indexer cluster. Then also check what errors and maybe warnings tell you what has happened.
Hello @Jasmine, Is this resolved?
index=aws, but I ended up logging onto both servers and moving the whole index from the "old" Splunk over to the "new" Splunk.
When you are playing with tokens in SXML, you should install this app: https://classic.splunkbase.splunk.com/app/1603/ Then add this into your forms:

    <form version="1.1" theme="light" script="simple_xml_examples:showtokens.js">

After this it shows all tokens that you have and what their values are, like:
[screenshot] When I add ip, but didn't press submit
[screenshot] After submit is pressed
https://data-findings.com/wp-content/uploads/2024/09/HSUG-20240903-Tiia-Ojares.pdf
Hi Splunk Community,

We're currently onboarding SUSE Linux (SLES/OpenSUSE) logs into Splunk Enterprise Security (ES) and would appreciate some input. Specifically, I'm looking to understand:

1. What log files are most relevant for SUSE Linux when it comes to security-focused use cases in Splunk ES (e.g., authentication, audit, change tracking, endpoint monitoring)?
2. How do SUSE Linux log paths and formats differ from standard Linux distributions like RHEL, CentOS, or Ubuntu?
3. Are there any known configurations or tuning steps required (e.g., for /var/log/secure, auditd, or firewall logs) to ensure Splunk ES use cases are fully supported?

If anyone has experience with Splunk ES and SUSE integration, I'd love to hear your recommendations on best practices or common challenges. Thanks in advance!
Hey @rishabhpatel20, I believe it is the HTML and CSS styling that's blocking your headers. If there's no particular need to add CSS, I would suggest you remove it, since you'll be able to add all those 4 panels in the same row just by drag and drop using the double ellipses line at the top of your panel. Thanks, Tejas.
Hey @ND1, Whatever @sainag_splunk mentioned is all correct. Additionally, you'll also need to validate whether the events that should cause the notable event to be created are present in the actual index events/datamodel summaries or not. Also, validate the trigger condition to see, if the events are present, whether they qualify for the correlation search to trigger the notable creation or not. Thanks, Tejas.
If you remove the display:none completely then it should bring back your headers.  
What is it you are trying to achieve? Tables normally have headers; if you want them, don't try to use CSS to change them unless there is a specific reason to do so, e.g. to modify their appearance in some way.
Not good with CSS, it's new to me, hence not sure how to solve it.
Why are you modifying it in the first place? Try not changing the style of the thead?
What shall I mention instead of none? Table header names like port count etc.?
An unset token has no value, but it is not null, either.  It's as though the token doesn't exist. Splunk will not execute a query if any of the tokens within it are undefined.
Hi @rishabhpatel20, it is specifically the display:none which is hiding your headers!

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing.
The display attribute is still none, therefore the element will not be displayed.
Hi @sandeep_A1997, can you confirm that the indexer itself hasn't restarted at an OS level? This might explain why the data volume unmounted. What is the uptime on the indexer? The unmounting and permission changing is something which must be happening outside of Splunk, so it's important to get to the bottom of what is causing this; it could be that the host crashed and rebooted, or something on the AWS side (e.g. automations).

I would recommend ensuring Splunk is stopped on an indexer, then run:

    sudo chown -R splunk:splunk /opt/data

This will recursively change the ownership to splunk. Once this is done, start up the Splunk service, then repeat this on the other faulty indexer(s). After some time the indexers should all be back up and the cluster manager should do its job to repair the cluster.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing.
If a token is not set, the dashboard will wait until the token is set before proceeding to evaluate the search. What is your usecase? Perhaps there may be a better way to approach this?
I made this correction, still the same:

    thead {
        visibility: visible;
        display: none; /* Optional, but can be more effective */
    }
You have used this CSS styling, which is hiding your table headers:

    thead {
        visibility: hidden;
        display: none; /* Optional, but can be more effective */
    }