All Posts
Try something like this

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokcheck">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
        <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
        <eval token="tokfilter">if($form.tokcheck$!="Any field" OR $toktext$!="*",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),null())</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">if($form.tokcheck$!="Any field" OR $toktext$!="*",replace($tokcheck$,"REPLACE","\"".$toktext$."\""),null())</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>index=* $tokfilter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>
Hello,

I have a dashboard with a checkbox and an input field. If you choose the group and type 'something' into the text input, the search is looking for category="something". If you choose the Any field, the search is looking for "something". I want to set it so that if I choose the Any field, the search does not add this tag: "", and only searches for something. But of course the tag should remain with other checkbox selections, like category="something".

The main goal is that I'd like to be free to use the Any field option. So now if I type e.g. something OR anything, the search does not understand it correctly because it looks like "something OR anything", so it treats it like one variable. I would like to see something OR anything.

Could you please help to modify my dashboard?

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokcheck">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.tokcheck">case(mvcount('form.tokcheck')=0,"category",isnotnull(mvfind('form.tokcheck',"Any field")),"Any field",1==1,'form.tokcheck')</eval>
        <eval token="tokcheck">if('form.tokcheck'="Any field","REPLACE",'tokcheck')</eval>
        <eval token="tokfilter">replace($tokcheck$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>index=* $tokfilter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

Thank you very much in advance!
I did install AdGuard (DNS blocker) and saw that beam.scs.splunk.com is one of the default blocked sites.
Hi @Rakeshar4u, I've included a link to the dashboard in the body of the alert email, but it appears as plain text rather than a clickable hyperlink. I also tried using <href>, but it still shows as plain text. Here's my alert configuration: My Splunk version is 9.2.1. Any insights would be appreciated.
Hi @LearningGuy, does the query return any results when you run it on the DB directly?

select * from host_ip

Also noticed you have "os_type" in your query vs "ostype" in your lookup. Could be the issue.
Hi @pratrox could you please expand on the issue you are facing? Are you using the Splunk Add-on for Microsoft Windows? What do you mean by "full logs are not loading"? Does it mean some WinEventLog events are missing in Splunk which are present on your server, or are the events partially missing/cut in half in Splunk? As a first step, check for any parsing issues from your Splunk _internal logs:

index=_internal splunk_server=* source=*splunkd.log* component IN (AggregatorMiningProcessor LineBreakingProcessor DateParserVerbose) (log_level=WARN OR log_level=ERROR) data_sourcetype=WinEventLog*
Hi @karthi2809 There could either be a network issue, some unknown routing rules, or there may be a timestamp parsing issue. Unless you have some external network monitoring or logging when the connection drops/fails to reach the endpoint, it can be tricky to pinpoint the cause of HEC issues. Do you have any such logging in the downstream Anypoint system?

So, to narrow down the issue, first check the Splunk _internal logs for any obvious timestamp parsing issues:

index=_internal splunk_server=* source=*splunkd.log* component=DateParserVerbose data_sourcetype=<your sourcetype>

If there are no obvious timestamp parsing issues returned, next check whether a single event from the missing time period has actually been indexed to Splunk. It could be that the timestamp extraction step has actually been bypassed, so the events have been indexed under a different timestamp, meaning they won't show up in your search. Search (using time period "All time"):

index=yourindex sourcetype=yoursourcetype _raw="full raw event copied from Anypoint logs"
Hi @Be_JAR In your first screenshot, it looks like the k8s.pod.name field is already being extracted correctly? It seems to get extracted correctly when using this run-anywhere search using the payload you provided:

| makeresults
| eval _raw="{ \"deployment.environment\":\"entorno-pruebas\", \"k8s.cluster.name\":\"splunk-otel\", \"k8s.namespace.name\":\"default\", \"k8s.node.name\":\"minikube\", \"k8s.pod.name\":\"my-otel-demo-emailservice-fc5bc4c5f-jxzqz\", \"k8s.pod.uid\":\"5fe1ada8-8baa-4960-b873-381b475b2b26\", \"metric_type\":\"Gauge\", \"os.type\":\"linux\", \"metric_name:k8s.pod.filesystem.usage\":491520 }"
| spath
| stats values(k8s.pod.name) as k8s.pod.name
There was some maintenance activity which blocked the page from loading. Now I am able to access the web page.
Hi @sgabriel1962, What changes did you make, and how did you deploy them? Did you deploy a bundle from your cluster manager? Try running this on the cluster manager:

./bin/splunk validate cluster-bundle
From your query, it looks like you have already extracted TRN, tomcatget, Queue, TimeMQPut, Status, and Priority; is this correct? Is tomcatput the same as TimeMQPut? I assume a success is when Status is "Done" - what about non-successes, do you get a different value in Status?
We all know that Splunk Enterprise calculates license usage at index time, and the "| delete" command essentially just hides data from search, so it doesn't free up license usage. My question is whether this works the same way for Splunk Cloud / DDAS, or whether, if I run "| delete" from search, it will free up space in my DDAS entitlement?
This means that we can only return the standard content. Can't it be customized? Will these contain log message, resource, resourceType?

And I have a post interface like this: https://abc.ssnc-corp.cloud/splunk I asked my Splunk administrator to add “ssnc-corp.cloud” to the allow list, but it didn't seem to work. Do we need to restart Splunk? How can I check the reason why it does not take effect?
Hi @Marcus-advent, The only parameter configurable via Splunk Web is the URL, which must be properly encoded. The webhook alert action uses a predefined JSON object body. The field values from the first result of your alert search will be added to the body's result field. See https://docs.splunk.com/Documentation/Splunk/latest/Alert/Webhooks for more information. The webhook source code is very simple. You can view it directly in $SPLUNK_HOME/etc/apps/alert_webhook/bin/webhook.py or by downloading and extracting a copy of Splunk Enterprise for any platform if you don't have access to your Splunk instance.
/opt/splunk/bin/splunk cmd openssl x509 -enddate -noout -in <PATH TO CERTIFICATE>
Hi Team, How do I check the expiry date of a certificate in Splunk on Windows using the command line? The user has local admin access and is not able to delete the server.pem file (is there any other way to delete it?)
Awesome, this works as well. Thanks again for your help on this one. 
This works! thanks man for your help on this one. 
As your policies JSON looks like it's an array, if you are saying that all events will have a 'default' policy as well as another policy, then this should work:

type="request" "request.path"="prod/"
| stats count by policies{}
| sort -count
| where 'policies{}' != "default"
| head 10
Put my additional SPL - AFTER your original search - you've added it in the middle