All Posts

Hello, I have a dashboard with multiselection + text input field. I'd like to use a checkbox instead of multiselect, but if I modify it and click the 'Any field' option the dashboard crashes.

    <form version="1.1" theme="light">
      <label>Multiselect Text</label>
      <init>
        <set token="toktext">*</set>
      </init>
      <fieldset submitButton="false">
        <input type="multiselect" token="tokselect">
          <label>Field</label>
          <choice value="Any field">Any field</choice>
          <choice value="category">Group</choice>
          <choice value="severity">Severity</choice>
          <default>category</default>
          <valueSuffix>=REPLACE</valueSuffix>
          <delimiter> OR </delimiter>
          <prefix>(</prefix>
          <suffix>)</suffix>
          <change>
            <eval token="form.tokselect">case(mvcount('form.tokselect')=0,"category",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")&gt;0,"Any field",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")=0,mvfilter('form.select'!="Any field"),1==1,'form.tokselect')</eval>
            <eval token="tokselect">if('form.tokselect'="Any field","REPLACE",'tokselect')</eval>
            <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
          </change>
        </input>
        <input type="text" token="toktext">
          <label>Value</label>
          <default>*</default>
          <change>
            <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <event>
            <title>$tokfilter$</title>
            <search>
              <query>| makeresults</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
          </event>
        </panel>
      </row>
    </form>

Could you please help to modify my dashboard from the multiselect option to a checkbox? Thank you very much in advance!
It is currently built out in studio so studio is needed. They are different event codes in the same type of event (same field). I am comparing 200 code to 201 codes, and if they match, make it green, if the count differs, then red.
Are these two values in the same event, in the same field e.g.  in a multivalue field, in the same field on different events, the result of two different aggregations, values from two different time periods? Please provide more details of what you are trying to achieve. Also, does it have to be Studio or would a Classic dashboard solution meet your needs?
Hi @Narendra.Rao, Is this meant to be a feature request or are you asking if it's possible to do what you're asking?
I am using Dashboard Studio and I want to compare 2 values and, if they are different, highlight it red. What is the best visualization type for this, and how do I have it color based on the comparison of the 2 values?
Essentially, yes. The value set when the multi-select is emptied should be the default value you configured. If you are changing the default from category to group, then it needs to change in the case function too.
Thank you, that's what I thought. Small question about this part:

    <eval token="form.tokselect">case(mvcount('form.tokselect')=0,"category",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")&gt;0,"Any field",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")=0,mvfilter('form.select'!="Any field"),1==1,'form.tokselect')</eval>
    <eval token="tokselect">if('form.tokselect'="Any field","REPLACE",'tokselect')</eval>

If I want to modify the value of the fields here:

    <choice value="Any field">Any field</choice>
    <choice value="category">Group</choice>

Should I modify these values in the above code as well? So e.g. if I want the category value to be group, I have to modify the 'category' to 'group' at this part like this:

    <eval token="form.tokselect">case(mvcount('form.tokselect')=0,"group",mvcount

Am I correct?
I want to customize the payload for a webhook, but in the webhook UI there is only an input box for the URL. I don't know where I can configure the payload parameter. Thanks.
Simple as that, thank you! Worked for me.
First you need to add the "Any field" choice. Then you need to reset the form token depending on whether the last choice has been removed (use default value), whether "Any field" has been added after another selection (make "Any field" the only selection), whether another selection has been made after "Any field" (remove "Any field" from the selection), otherwise leave the form token as is. Then you need to reset the token if the form token is "Any field" (so that it just contains "REPLACE"). Now, the existing setting of the filter token can replace "REPLACE" with the value from the text input:

    <form version="1.1" theme="light">
      <label>Multiselect Text</label>
      <init>
        <set token="toktext">*</set>
      </init>
      <fieldset submitButton="false">
        <input type="multiselect" token="tokselect">
          <label>Field</label>
          <choice value="Any field">Any field</choice>
          <choice value="category">Group</choice>
          <choice value="severity">Severity</choice>
          <default>category</default>
          <valueSuffix>=REPLACE</valueSuffix>
          <delimiter> OR </delimiter>
          <prefix>(</prefix>
          <suffix>)</suffix>
          <change>
            <!-- Reset the form token: default when empty, "Any field" alone when it is added after another choice, drop "Any field" when another choice is added after it -->
            <eval token="form.tokselect">case(mvcount('form.tokselect')=0,"category",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")&gt;0,"Any field",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")=0,mvfilter('form.tokselect'!="Any field"),1==1,'form.tokselect')</eval>
            <!-- "Any field" searches for the bare value, so the token is just REPLACE -->
            <eval token="tokselect">if('form.tokselect'="Any field","REPLACE",'tokselect')</eval>
            <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
          </change>
        </input>
        <input type="text" token="toktext">
          <label>Value</label>
          <default>*</default>
          <change>
            <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <event>
            <title>$tokfilter$</title>
            <search>
              <query>| makeresults</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
          </event>
        </panel>
      </row>
    </form>
Greetings!! I want a dashboard where I have put only four columns in a table visualization:

    ServerName  Location  UserName  Password
    Server1     CA        admin     SHOW
    Server2     LA        admin     SHOW

Now, I want a "Show" button in place of the value in the "Password" column, so that every time I want to see the password, I will click on the Show button to see it and then hide it. Thanks for your understanding!!
Because you have a no-enforcement license, there should be no ramifications from exceeding the daily indexing limit.  However, when it comes time to renew your license, Splunk may expect you to purchase a higher quota.
Hello, I have a dashboard with multiselection + text input field.

    <form version="1.1" theme="light">
      <label>Multiselect Text</label>
      <init>
        <set token="toktext">*</set>
      </init>
      <fieldset submitButton="false">
        <input type="multiselect" token="tokselect">
          <label>Field</label>
          <choice value="category">Group</choice>
          <choice value="severity">Severity</choice>
          <default>category</default>
          <valueSuffix>=REPLACE</valueSuffix>
          <delimiter> OR </delimiter>
          <prefix>(</prefix>
          <suffix>)</suffix>
          <change>
            <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
          </change>
        </input>
        <input type="text" token="toktext">
          <label>Value</label>
          <default>*</default>
          <change>
            <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <event>
            <title>$tokfilter$</title>
            <search>
              <query>| makeresults</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
          </event>
        </panel>
      </row>
    </form>

Everything is working properly, so if I add something in the input 'Value' field then select an option from the multiselect tab 'Field', the search is looking for e.g. category="something" OR severity="something". I need help to build a plus multiselect option which is able to search for the string value defined in the text field anywhere in the event. I can imagine it like this: if I select 'Group' and type 'something' into the input field, the search is looking for category="something", but if I select 'Any Field' and type 'something' into the input field, the search is looking for only "something". Could you please help to modify this dashboard in this direction? Thank you so much in advance!
Have you tried looking in the _audit index?

    index="_audit" action=disable_tag

Does keep evicted help?

    | transaction startswith="IDJO20P" endswith="PIDZJEA" keeporphans=True keepevicted=True
I am facing an issue with,  [otel.javaagent  [signalfx-metrics-publisher] WARN com.splunk.javaagent.shaded.io.micrometer.signalfx.SignalFxMeterRegistry - failed to send metrics: Unable to send datapoints
The search attached below gives me the events between IDJO20P and PIDZJEA on a daily basis. But it does not give the events of the current day, as the end event PIDZJEA is still not reached today.

Query:

    index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P)
    | rex field=TEXT "NIDF=(?<file>[^\\s]+)"
    | transaction startswith="IDJO20P" endswith="PIDZJEA" keeporphans=True
    | bin span=1d _time
    | stats sum(eventcount) AS eventcount BY _time file
    | append
        [ search index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P)
        | rex field=TEXT "NIDF=(?<file>[^\\s]+)"
        | transaction startswith="PIDZJEA" endswith="IDJO20P" keeporphans=True
        | bin span=1d _time
        | stats sum(eventcount) AS eventcount BY _time
        | eval file="count after PIDZJEA"
        | table file eventcount _time ]
    | chart sum(eventcount) AS eventcount OVER _time BY file

Result:
Hi All, I have created a few tags in Splunk which are getting disabled automatically. I want to check, using a Splunk query, the time they are getting disabled. Please can any one of you suggest the query for this? I tried using REST but am not getting exact details. I also tried the search below but am not seeing any related logs.

    index=_internal sourcetype=splunk_audit action=edit status=disabled info=tags

Thanks in advance, PNV
What steps did you follow when you installed the app? You should see "SA-Eventgen" listed under data inputs.
Please share your raw event in a code block </> to prevent the removal of important formatting information. Having said that, it seems unlikely that the ".*" is required in your rex. Try something like this:

    | rex field=_raw "Total Time taken in milliseconds: (?<totalTime>\d+)"