I have a lookup table containing a list of regular expressions, and am trying to see if there are matches against a field in one of my indexes. I can't figure out how to do it as it is not a direct comparison of values. Appreciate any help on this.
So is there any fix for this, so that you can align the label to the middle, or nudge it over a bit so that the left edge of the label aligns with the first bar of the day instead of way over on the left?
Not sure how your token can be * as there is nothing defined like that, but you DO have a mismatch between your defined token in the input and its use: <input type="dropdown" token="Index" searchWhenChanged="true"> where it's upper case Index, and you are using it as lower case $index$.
I tried to use it as shown below: index IN ($index$)... but my token, expanded in the search, comes out as index IN (*), which is not working. Can you suggest another solution?
When your token is expanded in your search, it becomes index IN ("dev_index, sit_index")... so that is actually a SINGLE value, which will never match. There are several ways, but the simplest for you is to just remove the quotes around your search definition, so index IN ($index$)...
Hello all, I am using streamstats with time_window=60m to calculate the moving average over the past hour. However, when I set current=f I receive an error in the search log, "Error in 'streamstats' command: Cannot set current to false when using a time window." Is there a way to get around this? streamstats is exactly what I need to calculate the moving average, but I do not want to include the current event. If there is not a way around this, is there another way to calculate the moving average without including the current event? Thanks
Hi All, I created a drop down for index, but when I added the token value in the panel query it is not working as expected when I select the ALL option from the drop down. But when I select DEV_INDEX or SIT_INDEX it works fine. How do I tweak the code to show both indexes' data in the panel query when we select the ALL option from the drop down?

<form version="1.1" theme="light">
  <label>Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="timepicker">
      <label>TimeRange</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Index" searchWhenChanged="true">
      <label>Indexes</label>
      <choice value="dev_index, sit_index">All</choice>
      <choice value="dev_index">DEV_INDEX</choice>
      <choice value="sit_index">SIT_INDEX</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Total Count</title>
        <search>
          <query>index IN ("$index$") source=application.logs | stats count by codes</query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentageRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
Can anyone help on this? I don't know what the issue is.
@ITWhisperer can I set up a meeting with you tomorrow? THANKS
build a search query that captures the desired data. Assuming that the bookmarked content is logged with an event type or field that specifies when content is bookmarked (e.g., action = "bookmark"), here's a query you could use:

| tstats count where index="your_index" sourcetype="your_sourcetype" action="bookmark" earliest=-7d@d latest=now by content
| rename content as "Content", count as "Bookmark Count"

but I am having problems finding the exact field name.
I mean the content I have mapped in my MITRE ATT&CK in the last 7 days.
What is bookmarked data? Please share some anonymised, representative sample events showing the event data you are working with, and a representation of your expected results.
Hello, can you help me create a dashboard that contains the following charts/data:

Bookmarked content
- A chart (of tstats counts) of the content that was bookmarked for the past 7 days
- A chart with the names of the alerts/detections that were bookmarked for the past 30 days

And also, in this situation, how do I find the field name in my Splunk? bookmarked, bookmark: I used both of them in my query but it still does not work, or should we use ''active''? Please propose a query to me. Help me find the exact field name in order to create the exact query. Thank you.
The print server OS is Windows Server 2019. I would like to get the PrintService-Admin log into Splunk. I tried the following in the inputs.conf of the Universal Forwarder on the print server:

[WinEventLog://Microsoft-Windows-PrintService/Admin]
disabled = 0
index = winps

which is found in https://community.splunk.com/t5/Getting-Data-In/Microsoft-Windows-PrintService-Operational-Logs/m-p/77633, but I cannot find any events in the index.

The log is enabled on the server, under Applications and Services Logs > Microsoft > Windows > PrintService.

I also tried to set the data input from the web console to monitor the log file in the folder C:\Windows\System32\winevt\Logs with the regex Microsoft\-Windows\-PrintService.+\.evtx, so I can get Microsoft-Windows-PrintService%4Admin.evtx AND Microsoft-Windows-PrintService%4Operational.evtx. But again, no event is shown for the index. Hope somebody can help with this. Thanks
Hi, I hope all is well. I have struggled with the Data Model concept, as I seek to know why and when we use a data model and how it increases performance. I am fine with its structured data and that it has three types of data sets, and I am able to create one following the how-to. But why use it? When should it be used? What is the main idea behind it?
It's working with your solution. @ITWhisperer Thanks for your help.
Two thoughts. In classic, you can probably use JavaScript to implement mouse-over or similar. (You can produce a "hidden" column named as an internal field, e.g., _fieldname.) Another method could be to produce the column with ellipses, then use a drilldown to display the full text. Here is an example of the latter:

<dashboard version="1.1" theme="light">
  <label>Very long text</label>
  <description>https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-dashboards/m-p/692394#M56730</description>
  <init>
    <set token="reveal_tok">init</set>
  </init>
  <search>
    <query> | makeresults format=csv data="reveal short" </query>
  </search>
  <row>
    <panel>
      <title>reveal = $reveal_tok$</title>
      <table>
        <search>
          <query>| makeresults format=csv data="fieldname not as long very very very very very very very very very very loooooooooooooooooooooog" | rename fieldname as _fieldname | eval fieldname = if(len(_fieldname) &gt; 50 AND len("$reveal_tok$") &lt; 51, substr(_fieldname, 0, 50) . " ... " , _fieldname)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="reveal_tok">$row._fieldname$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

When the dashboard loads, the initial value of $reveal_tok$ is set to "init". If you click that ellipsis, the token's value becomes that of _fieldname (which is very long on this row). The drilldown therefore reveals the full string. If you click on that short string, $reveal_tok$ becomes the shorter string, therefore the drilldown changes the display back to ellipses for very long strings. There are other ways to do this, depending on your visualization needs and coding style.
That is not possible. What problem are you trying to solve?
The Kerio Control Admin Guide tells how to send syslog from Kerio Control.  Set-up and configuration of a syslog server is entirely separate and the details depend on which syslog server you choose.  I recommend Splunk Connect for Syslog (SC4S) because it's easy to set up and configure.  See https://splunk.github.io/splunk-connect-for-syslog/main/
Thanks so much. This 10 year old post helped me resolve my issue!