All Posts

@hl Can you confirm that data model acceleration is enabled, and that the fields you want to search are indexed fields (available in the acceleration summary)? tstats searches work on accelerated data models and can only access fields that are included as indexed/accelerated fields. As a quick test, run the following to see if your model is returning results.

| tstats count from datamodel=Network_Sessions.All_Sessions by _time span=1h

Regards, Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
@fongpen Can you change the logging level to debug and review the logs for more detailed information? Also, please try upgrading the add-on to version 9.1.0, since some issues have been resolved in the latest release.

Regards, Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Hi @livehybrid
These errors appear in the UI. I found the following error in "index=_internal eventtype=snow_ta_log_error":

2025-08-06 02:03:05,305 log_level=ERROR pid=1 tid=MainThread file=snow_ticket.py:_do_handle:140 | [invocation_id=O1c41b4234274435a4a54df9386ht4b8] Failed to create 1 tickets out of 1 events for account:
2025-08-06 02:03:05,300 log_level=ERROR pid=1 tid=Thread-1 file=snow_ticket.py:_get_resp_record:617 | [invocation_id=O1c41b4234274435a4a54df9386ht4b8] Failed to decode JSON: Expecting value: line 1 column 1 (char 0)
Query:

| tstats count from datamodel=Network_Sessions.All_Sessions where nodename=All_Sessions.VPN action=failure vpn.signature="WebVPN" by _time span=1h

I'm not understanding something with this datamodel. My output is always 0, but when I look at it in a pivot table I can see data from it.
I hear you! We have the same issue and with Snowflake enforcing Keypair auth in Nov 2025 someone in Splunk really needs to help!
I have events in a log file and they have different formats from event to event. I'm wondering if there is any way to use the punct field to do conditional field extraction? Let's say I have these two punct formats ...

___::_---..__//:::__---_--_:______:____-___-__..._
___::_---..__//:::__---_--_:______:___...:_-__...:

Edit: I'm specifically asking about doing it with props and transforms so that the fields are reusable.
That's correct. They're also sending a sourcetype of linux_audit. As soon as I pulled out the props.conf looking for the [linux_messages_syslog] we started receiving all logs again.
Oh, that is odd. Just to check, the other data doesn't have a sourcetype of linux_messages_syslog?
If you are installing this TA for monitoring the DS itself then @richgalloway's answer is correct. But if you are installing it to deploy it to some UFs, then you need to do something else.
If it's affecting things outside the dashboard then you could set it to only apply to links within your dashboard area with:

div.dashboard a:focus { outline: none !important; box-shadow: none !important; }

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @fongpen
Are these errors appearing in the UI or Splunk internal logs? It's worth checking in _internal for any related logs; if you're able to find the API calls in the logs then look around these logs for any other failures that might suggest why the ticket number cannot be returned.

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @thahir
This is for a Classic XML dashboard, not Dashboard Studio. It's not possible to add custom jQuery elements to Dashboard Studio dashboards.

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @JH2
Are you able to share the JSON source for your dashboard so that I can check this for you? You should be able to edit the search and select the "Input" button (or from the Dropdown in Splunk 10.0) and then select your time picker from the dropdown. Is this what you have done?

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
That command is for after making changes to serverclass.conf. It won't help after installing an app on the DS. To reload configs, try this command:

http://<yoursplunkserver>:8000/en-US/debug/refresh?entity=admin/transforms-lookup

See also https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Configurationfilechangesthatrequirerestart#Splunk_Enterprise_changes_that_do_not_require_a_restart
@livehybrid I checked on this today (been out for a couple days), and it IS filtering out all the Syslog that I wanted to drop, but for some reason it's dropping ALL the logs from that customer. I undid the RULESET change for this and now I'm getting all the logs again. My only thought is that maybe the customer's HF is treating everything it's sending as syslog over the wire, then unpacking it when it arrives. Do you have any ideas? Thanks!
The issue came up again with only one alert. The app it's in had been set up with the fix to use request.ui_dispatch_app = search, but when clicking the view results link in the email it was still going to the same app. I made the app visible and the page now loads. In /apps/<app_name>/local/app.conf add:

[ui]
is_visible = true
Hi @danielbb
As mentioned by @richgalloway, the config reload will be done automatically if the app is installed via the UI; there is no need to explicitly run the command for the config to take effect. However, the reload command for pushing apps to UFs looks like below:

/opt/splunk/bin/splunk btool reload deploy-server -class <serverclassname>
Sounds great @richgalloway, how would the reload command look?
Apps are installed on a DS the same as on any standalone search head. You can either use the reload or restart Splunk. If you install the app from the UI then the reload is automatic, although some apps require a restart (for which you will be prompted).
What would be the proper way to deploy TA_nix on the deployment server? Is the reload option available, or do I need to bounce the server?