All Posts

Hi @Rajiv_splunk, please try this: index=sample status=* NOT [ search index="service" earliest=-24h latest=now status IN (1,2) | table status ] Don't use the search command after the main search; you'll have more performant searches. If the two searches don't match, check that the values in the subsearch are compatible with the values of the main search. Ciao. Giuseppe
Hello, I'm using Splunk Cloud and I want to delete multiple alerts from a list. I was trying to do it with curl but got errors that I cannot figure out. Is there any other way?
Hi @jvamplew, if you use limit=5 you'll have 5 results, so you don't need to use useother. In this way addtotals summarizes only the results of the search, in other words only the first 5 values. Ciao. Giuseppe
Hi @baiden, some checks: do you have administrative grants to install new software on your system? Do you have an active anti-virus on your system? Do you have enough space on your disk? See in $SPLUNK_HOME\var\log\splunk\first_install.log if there's some message. Ciao. Giuseppe
Hello, I'm trying to configure the PureStorage Unified addon, and keep getting the "Something went wrong" error. Addon: https://splunkbase.splunk.com/app/5513
Configuration page failed to load, the server reported internal errors which may indicate you do not have access to this page. Error: Request failed with status code 500 ERR0002
On checking the logs, I'm seeing the following error every time I access the configuration page:
07-09-2024 11:40:38.666 +0100 ERROR AdminManagerExternal [438068 TcpChannelThread] - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):
File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\splunktaucclib\rest_handler\handler.py", line 124, in wrapper
for name, data, acl in meth(self, *args, **kwargs):
File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\splunktaucclib\rest_handler\handler.py", line 345, in _format_all_response
self._encrypt_raw_credentials(cont["entry"])
File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\splunktaucclib\rest_handler\handler.py", line 375, in _encrypt_raw_credentials
change_list = rest_credentials.decrypt_all(data)
File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\splunktaucclib\rest_handler\credentials.py", line 293, in decrypt_all
all_passwords = credential_manager._get_all_passwords()
File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\solnlib\utils.py", line 153, in wrapper
return func(*args, **kwargs)
File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\solnlib\credentials.py", line 341, in _get_all_passwords
return self._get_clear_passwords(passwords)
File "D:\Splunk\etc\apps\TA-purestorage-unified\bin\ta_purestorage_unified\aob_py3\solnlib\credentials.py", line 324, in _get_clear_passwords
clear_password += field_clear[index]
TypeError: can only concatenate str (not "NoneType") to str
". See splunkd.log/python.log for more details.
This is a distributed environment, running Splunk 9.2.2 on virtual Windows 2019 servers. To confuse matters, this app works and is configurable on my test server; the only difference being the test server is a standalone installation.
I dislike replying to my own comment, but I got an answer from Splunk Support. HTTP Event Collector does NOT log metrics from UF sending data over HTTP, and this is reported on internal ticket SPL-239230: "No metrics are sent to the http_event_collector_metrics.log", which has been in backlog since 2023.
Hello, I would like to know if there are best practices to migrate a single search head instance with ITSI to a search head cluster. I have a deployer, and the ITSI production search head should become part of the search head cluster, initially as the only existing member. When everything is up and running I will add 2 other servers. I have read something about Enterprise Security migration related to bundle size limits, for example, but found few things about ITSI. Thank you in advance and warm regards.
Hello, I'm trying to get full coverage of data from Azure, from metrics to risky sign-ins, so I'm trying to figure out the best ways to collect events. So far I work with both addons, Cloud Services & Microsoft Azure, for my needs, based on this graphic to help myself: https://jasonconger.com/splunk-azure-gdi/ But I'm facing the issue of subscription input settings for both addons. Basically I understand that we have to set each subscription ourselves, but it means we could miss some of them, especially newly created ones. So I was thinking of an API-based script which gets all the subscriptions from Azure and then pushes inputs into Splunk Cloud. I have the feeling I'm not the only one facing this problem, so I thought maybe someone might have found a better way to collect all subscriptions automatically. Thanks in advance for your help! Ben
When I add a limit to a timechart to reduce the number of visible series (improve dashboard performance) it changes the value of Total when using addtotals. Example: | timechart span=1s avg(host_usage) by host useother=true | addtotals The below gives me a lower overall total than the above: | timechart span=1s avg(host_usage) by host limit=5 useother=true | addtotals I thought Other was supposed to be the total of all other values not explicitly displayed?
I have a scenario where events are coming from one index=sample with field status as status 1, 2, 3, 4 and 5. I have to exclude all the statuses which are present in the other index=services as status 1 and 2. How can I achieve it? I am trying the below query in the base query to exclude, but it is not working: index=sample status=* "base query" | search NOT [search index="service" earliest=-24h latest=now | search status IN (1,2) | table status]
Do you have sample code on how we can do this?
@zeinstein, were you able to find any good solution for this?
@kamlesh_vaghela, can you help me please?
No, that's not it. I want my dropdown to be powered by a search, but one which will be defined in a JS. Something like this?
After further digging I have found the following 2024-07-09 08:31:23,330 log_level=ERROR pid=972253 tid=MainThread file="ModularInput.py" function="print_error" line_number="675" version="sentinelone_app_for_splunk.5.2.2b20240416" host=<redacted> sourcetype=sentinelone_app_for_splunk:error source=sentinelone:input:782b6c37-3fdb-3385-b3d5-272bf1df0837 error_message="HTTPSConnectionPool(host='<redacted>', port=443): Max retries exceeded with url: /web/api/v2.1/application-management/risks?riskUpdatedDate__gte=1719909012000&includeRemovals=True&limit=1000 (Caused by ResponseError('too many 500 error responses'))" error_type="<class 'requests.exceptions.RetryError'>" error_arguments="HTTPSConnectionPool(host='<redacted>', port=443): Max retries exceeded with url: /web/api/v2.1/application-management/risks?riskUpdatedDate__gte=1719909012000&includeRemovals=True&limit=1000 (Caused by ResponseError('too many 500 error responses'))" error_filename="s1_client.py" error_line_number="365" input_guid="782b6c37-3fdb-3385-b3d5-272bf1df0837" input_name="cves"
I want to extract the below field into two fields. I want to extract the Name and the version as two separate fields. Can someone help me with this?
Hi @Siddharthnegi, there are two solutions: splunk cmd btool --debug savedsearches list | egrep "\[" or | rest /servicesNS/-/-/saved/searches | table title, cron_schedule next_scheduled_time eai:acl.owner actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search * I prefer the second. Ciao. Giuseppe
How to get all saved searches with their names and their respective search?
I have integrated the VirusTotal app with Splunk SIEM through an API key, but in the app it's not showing any results.