All Posts


Hello,

I have a dashboard with a multiselect + text input field.

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokselect">
      <label>Field</label>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>| makeresults</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>

Now it works like this: if I choose something from 'Field' and add optional text to 'Value', it starts searching like this: category="*" OR severity="*". I'd like to add a free-form option where, if the user chooses that option from 'Field' and adds something in 'Value', the search only looks for the 'Value', like this: "*" - without any field.

Could you please help me?

Thanks in advance!
Assuming the stanza [Reports5min] points to the right sourcetype, try placing a capture group in the REGEX property, like this:

REGEX = ^(null,null,0,null,null,null,null,null,null,)$

Also, are you sure there are no blank spaces at the end of each line? The rest of the settings seem fine.
Probably the files metadata/local.meta or default.meta don't have the proper permissions?
Your constraints look reasonable. You appear to have an easy-to-find timestamp, which presumably will help split your log into separate events, and your field definition appears robust. I suggest you go with what you have.
I see some posts about rules for Splunk logs, but I don't find a list of rules. My applications log a lot of lines for Splunk (100GB/day) and we prefer to use the default integration in Splunk (without transformation, extraction...) in order to save time during indexing. I propose to my developers to log with these constraints. Where can I find all constraints, or the better constraints?

Please log like that:

[%m-%d-%Y %H:%M:%S.%Q]key1=value1,key2=value2,...

keys: must not begin with a number or '_'
values: no spaces or commas, else between quotes
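A parser for the line format proposed in this post and judged reasonable in the reply above, as an added example that is not part of the original post or of any Splunk component. It assumes the timestamp prefix is Splunk strptime "[%m-%d-%Y %H:%M:%S.%Q]" with %Q meaning milliseconds, that quoted values use double quotes with backslash escapes, and that an empty value must be written as ""; the sample lines are constructed. The point for a pipeline of this volume: once producers honour the constraints, a consumer can parse without heuristics, and a line that breaks them (a key starting with a digit or underscore, an unquoted space, a comma inside a bare value) fails closed instead of silently shifting text into a neighbouring key.

```python
"""Parser / validator for the proposed log line format (added example, not from the post).

Assumptions:
  * timestamp prefix "[MM-DD-YYYY HH:MM:SS.mmm]", i.e. Splunk strptime
    "[%m-%d-%Y %H:%M:%S.%Q]" with %Q meaning milliseconds
  * keys match [A-Za-z][A-Za-z0-9_]* (no leading digit or underscore)
  * values are either bare (no spaces, commas or quotes; non-empty) or
    double-quoted, with backslash-escaped quotes and backslashes inside
"""
import re
from datetime import datetime

TIMESTAMP_RE = re.compile(r"^\[\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}\]")
PAIR_RE = re.compile(
    r'(?P<key>[A-Za-z][A-Za-z0-9_]*)='
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^,\s"]+))'
)

# Constructed sample lines: 1 and 2 are valid, 3 to 6 each violate one constraint.
SAMPLE_LINES = [
    '[05-21-2024 14:03:07.123]user=alice,action=login,src_ip=10.0.0.5,result=ok',
    '[05-21-2024 14:03:08.004]user=bob,action=query,sql="select a, b from t",result=ok',
    '[05-21-2024 14:03:09.000]1user=carol,action=login',            # key starts with a digit
    '[05-21-2024 14:03:10.000]_user=dave,action=login',             # key starts with underscore
    '[05-21-2024 14:03:11.000]user=eve,msg=hello world,result=ok',  # unquoted space in value
    '[2024-05-21 14:03:12.000]user=frank,action=login',             # wrong timestamp layout
]


class LogFormatError(ValueError):
    """Raised when a line violates the agreed format."""


def parse_line(line: str) -> dict:
    """Parse one line into {"timestamp": datetime, "fields": {key: value}}.

    Fails closed: any deviation raises LogFormatError rather than guessing,
    so a malformed value cannot silently shift into a neighbouring key.
    """
    line = line.rstrip("\r\n")
    m = TIMESTAMP_RE.match(line)
    if not m:
        raise LogFormatError("missing or malformed timestamp prefix")
    try:
        ts = datetime.strptime(m.group(0), "[%m-%d-%Y %H:%M:%S.%f]")
    except ValueError as exc:
        raise LogFormatError(f"invalid timestamp: {exc}") from None

    fields = {}
    pos = m.end()
    while True:
        pm = PAIR_RE.match(line, pos)
        if not pm:
            raise LogFormatError(f"invalid key=value pair at offset {pos}: {line[pos:pos + 20]!r}")
        if pm.group("quoted") is not None:
            value = re.sub(r"\\(.)", r"\1", pm.group("quoted"))  # drop escape backslashes
        else:
            value = pm.group("bare")
        fields[pm.group("key")] = value
        pos = pm.end()
        if pos == len(line):
            return {"timestamp": ts, "fields": fields}
        if line[pos] != ",":
            raise LogFormatError(f"expected ',' at offset {pos}, found {line[pos]!r}")
        pos += 1


def is_valid(line: str) -> bool:
    """True if the line parses under the agreed constraints."""
    try:
        parse_line(line)
        return True
    except LogFormatError:
        return False


def validate_lines(lines):
    """Parse every line; return (parsed records, [(line_no, error message), ...])."""
    parsed, errors = [], []
    for n, line in enumerate(lines, start=1):
        try:
            parsed.append(parse_line(line))
        except LogFormatError as exc:
            errors.append((n, str(exc)))
    return parsed, errors


if __name__ == "__main__":
    good, bad = validate_lines(SAMPLE_LINES)
    for rec in good:
        print(rec["timestamp"].isoformat(), rec["fields"])
    for n, err in bad:
        print(f"line {n}: {err}")
```

Run it over a sample of real application output before agreeing the format with the developers: every line reported in the error list is one that Splunk's default KV extraction would also have to guess at.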
Thanks @gcusello 
Hi @sanjai , please see this https://docs.splunk.com/Documentation/Splunk/9.2.1/Search/Comments Ciao. Giuseppe
Hi Splunkers, I need to know how to comment out a single line in an SPL query when working in search and reporting. Could someone please provide an example? Thanks,
Hi @woodcock @niketn  Please help me here 
Are you using an XML dashboard or Dashboard Studio? XML documentation is here: https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML What have you got so far?
Hi abarneb, I'm also facing a similar issue. I used process_host as the entity, but the downside you mentioned is valid. Did you try any other approach which worked for this issue?
I think it's not about "permissions on /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key are too open". I tried permissions 400 and 600, and the user and group are both splunk. What should I do? Please help me.
Hi Team, could someone please help me with this? I have a requirement to display some events based on some search criteria, and I want to create a drilldown when clicking on any of the legend. There should be a drilldown based on the clicked event.
Hello, have a nice day! I have followed the Distributed Search document, created a dshborad.xml file and pushed it through the deployer, and I could find it in the search heads' app as below. Hitting Edit properties causes the below ERROR. Also, I didn't find the dashboard under the dashboard tab to view it.
Sweet. Thanks, @danspav. The Splunk community rocks!
Version 1.9.0 of Event Timeline Viz is up on Splunkbase now: https://splunkbase.splunk.com/app/4370

Added support for different locales, based on what you've set in Splunk. Supported locales: English, Italian, Dutch, German, French. Note that tooltips and example dashboards will still appear in English.
Fixed bug where the time shown on the visualization was reflecting the time zone of the client OS, not the user preference set in Splunk.
Fixed bug with the 'Disable Zoom' option where zoom could still be enabled when it was set to false.
Thank you so much for your help! Much appreciated
A search artifact is the collection of data produced by a search. It includes the results of the search plus the search log, telemetry, and more. Artifacts should be replicated so they can be retrieved by other search heads in the cluster; for example, if you are disconnected and reconnect to a different SH you still have access to the artifacts. The knowledge bundle is the set of information indexers need to service a search query. It includes .conf files, lookup files, external commands, and more. The bundle supplies data needed for search-time operations that the indexer otherwise would not have (user KOs, for example).
Hi @PATAN, Is this a Splunk-specific question or a general web and ServiceNow development question? For Splunk, start with https://dev.splunk.com/enterprise/docs/devtools/javascript/sdk-javascript/. The old Building Splunk Solutions books are still useful but quite dated at this point. Depending on your specific use case, you may already have the functionality you need available in simpler forms. For example, Splunk Add-on for ServiceNow includes commands and workflow actions to create ServiceNow events and incidents. What do you have so far?