I am creating a dashboard view using HTML/CSS code, but after saving, the dashboard is showing in text format only. Below is the code and how the dashboard looks.

<dashboard>
  <label>Manual-supression</label>
  <description>Please enter the values for your One-Time-Blackout.</description>
  <row>
    <panel>
      <html>
        <![CDATA[
        <style>
          .container { width: 100%; max-width: 600px; margin: 0 auto; padding: 20px; background: white; border-radius: 10px; box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); }
          .container h1 { color: #4CAF50; text-align: center; }
          .form-group { margin-bottom: 15px; }
          .form-group label { display: block; font-weight: bold; }
          .form-group input, .form-group select, .form-group textarea { width: 100%; padding: 10px; border: 1px solid #ccc; border-radius: 5px; }
          .form-group input[type="datetime-local"] { padding: 8px; }
          .save-button { display: block; width: 100%; padding: 10px; background-color: #4CAF50; color: white; border: none; border-radius: 5px; cursor: pointer; text-align: center; font-size: 16px; }
        </style>
        <div class="container">
          <h1>One-Time-Blackout</h1>
          <div class="form-group">
            <label for="blackoutFilter">Blackout Filter</label>
            <input type="text" id="blackoutFilter" placeholder="Please enter a blackout filter or a blackout filter list separated by commas.">
          </div>
          <div class="form-group">
            <label for="startDate">Start Date and Time</label>
            <input type="datetime-local" id="startDate">
          </div>
          <div class="form-group">
            <label for="endDate">End Date and Time</label>
            <input type="datetime-local" id="endDate">
          </div>
          <div class="form-group">
            <label for="timeZone">Time Zone</label>
            <select id="timeZone">
              <option value="UTC+0">UTC +0h</option>
              <!-- Add other time zones as needed -->
            </select>
          </div>
          <div class="form-group">
            <label for="blackoutActive">Blackout Active</label>
            <select id="blackoutActive">
              <option value="true">True</option>
              <option value="false">False</option>
            </select>
          </div>
          <div class="form-group">
            <label for="description">Description</label>
            <textarea id="description" placeholder="Additional information about this entry."></textarea>
          </div>
          <button class="save-button">Save</button>
        </div>
        ]]>
      </html>
    </panel>
  </row>
</dashboard>

The output looks like this, in text format:

Manual-supression
Please enter the values for your One-Time-Blackout.
<style>
.container { width: 100%; max-width: 600px; margin: 0 auto; padding: 20px; background: white; border-radius: 10px; box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); }
.container h1 { color: #4CAF50; text-align: center; }
.form-group { margin-bottom: 15px; }
.form-group label { display: block; font-weight: bold; }
.form-group input, .form-group select, .form-group textarea { width: 100%; padding: 10px; border: 1px solid #ccc; border-radius: 5px; }
.form-group input[type="datetime-local"] { padding: 8px; }
.save-button { display: block; width: 100%; padding: 10px; background-color: #4CAF50; color: white; border: none; border-radius: 5px; cursor: pointer; text-align: center; font-size: 16px; }
</style>
<div class="container"> <h1>One-Time-Blackout</h1>
<div class="form-group"> <label for="blackoutFilter">Blackout Filter</label> <input type="text" id="blackoutFilter" placeholder="Please enter a blackout filter or a blackout filter list separated by commas."> </div>
<div class="form-group"> <label for="startDate">Start Date and Time</label> <input type="datetime-local" id="startDate"> </div>
<div class="form-group"> <label for="endDate">End Date and Time</label> <input type="datetime-local" id="endDate"> </div>
<div class="form-group"> <label for="timeZone">Time Zone</label> <select id="timeZone"> <option value="UTC+0">UTC +0h</option> <!-- Add other time zones as needed --> </select> </div>
<div class="form-group"> <label for="blackoutActive">Blackout Active</label> <select id="blackoutActive"> <option value="true">True</option> <option value="false">False</option> </select> </div>
<div class="form-group"> <label for="description">Description</label> <textarea id="description" placeholder="Additional information about this entry."></textarea> </div>
<button class="save-button">Save</button> </div>
Hi @jacknguyen, as @deepakc also said, check if the file is corrupted, and eventually open a case with Splunk Support. Ciao. Giuseppe
You were so right @deepakc! Thanks a lot. I had duplicate eventcode lookups created by Microsoft Windows Defender Add-on for Splunk and Splunk_TA_microsoft_sysmon. I just removed the Defender Add-on, which is not officially supported. I need to find some other one with support that I guess will not generate this type of conflict. Do you have any suggestion for this?
Of course this is the Splunk license I requested. This is a stand-alone server. My license can be added on all my labs, but this server gives error 500 when I click Add License on the WebUI.
From the error, it states "failed to parse license because: The license payload seems to be empty". It's normally XML format, so you should be able to check it and that it's not corrupted etc. If you're still having license issues then contact Splunk to ensure you have the correct license. Follow these steps: https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Installalicense
Hi @wxlcba, in addition to the checks hinted at by @deepakc, did you download and install on your HFs the forwarder app from Splunk Cloud? It contains the configuration for the connection. Ciao. Giuseppe
Hi @jacknguyen, I suppose that you used the splunk.license file, which you should have received from Splunk. How did you load the license? Did you follow the procedure at https://docs.splunk.com/Documentation/Splunk/9.2.1/Installation/Installalicense, even if it's a very simple process? Do you have a distributed architecture or a single stand-alone server? If you have a distributed architecture, you must load the license on the License Master. Ciao. Giuseppe
It could be several things blocking you. TcpOutputFd (this is normally a networking or config setting). You have set the whitelist and disabled the FW. Other things to check:

Check your network allows the HF to route outbound to Splunk Cloud.
Deploy the Splunk Credentials Package to the HF: https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/ConfigSCUFCredentials
Check you can connect; try this command (replace <MY_STACK_NAME> with your stack name):

openssl s_client -connect inputs1.<MY_STACK_NAME>.splunkcloud.com:9997

Further than that, more troubleshooting is required. But it's usually networking that's blocking.
| rest /servicesNS/-/-/saved/searches splunk_server=local

Getting all of your stored searches from the Search Head will be much easier with this.
Check this path in the Indexer's filesystem: /opt/splunk/var/lib/splunk/<any_index>/db
The index data lives on the Splunk indexer servers. You typically use a Splunk Universal Forwarder or Heavy Forwarder or some other means to send data to the Indexers, and it gets stored in a bucket (folder). So log in to your Splunk indexers, go to the storage volume and see the data there. See the table in the section "What the index directories look like"; this will show you the paths: https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/HowSplunkstoresindexes
If this is my current query... (I am currently sending metric data to O11y and receiving data through the Splunk sim command. What I'm curious about is that I want to optimize my current query using a base search. Is this possible?)

| sim flow query="A = data('sap.hana.connection.count', rollup='latest').sum(by=['CONNECTION_STATUS']).publish(label='A')" resolution=10
| tail 20
| stats avg(_value) as avg_val by _time, CONNECTION_STATUS

<row>
  <panel id="connections">
    <html depends="$hiddenForCSS$">
      <style>
        #connections{ width: 15% !important; }
      </style>
    </html>
    <single>
      <title>Connections</title>
      <search>
        <query>| sim flow query="A = data('sap.hana.connection.count', rollup='latest').sum().publish(label='A')" | stats sum(_value) as host_sum by _time</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>$time_set$</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="colorBy">value</option>
      <option name="colorMode">none</option>
      <option name="drilldown">none</option>
      <option name="height">151</option>
      <option name="numberPrecision">0</option>
      <option name="rangeColors">["0x555","0x118832","0x1182f3","0xf1813f","0xdc4e41"]</option>
      <option name="rangeValues">[0,30,50,70]</option>
      <option name="refresh.display">progressbar</option>
      <option name="showSparkline">0</option>
      <option name="showTrendIndicator">0</option>
      <option name="trellis.enabled">0</option>
      <option name="trellis.scales.shared">1</option>
      <option name="trellis.size">medium</option>
      <option name="trendColorInterpretation">standard</option>
      <option name="trendDisplayMode">absolute</option>
      <option name="unitPosition">after</option>
      <option name="useColors">1</option>
      <option name="useThousandSeparators">1</option>
    </single>
  </panel>
  <panel id="Con_state">
    <html depends="$hiddenForCSS$">
      <style>
        #Con_state{ width: 34% !important; }
      </style>
    </html>
    <single>
      <title>Connections by state</title>
      <search>
        <query>| sim flow query="A = data('sap.hana.connection.count', rollup='latest').sum(by=['CONNECTION_STATUS']).publish(label='A')" resolution=10 | tail 20 | stats avg(_value) as avg_val by _time, CONNECTION_STATUS</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
        <sampleRatio>1</sampleRatio>
        <refresh>$time_set$</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="colorMode">none</option>
      <option name="drilldown">none</option>
      <option name="height">174</option>
      <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
      <option name="refresh.display">progressbar</option>
      <option name="trellis.enabled">1</option>
      <option name="trellis.scales.shared">0</option>
      <option name="trellis.size">medium</option>
      <option name="useColors">1</option>
    </single>
  </panel>
</row>
Having a HF with a higher version than the Indexers is not recommended by Splunk. Obviously you can do it, and if it's just between minor versions you may get away with it, but you will probably encounter problems that may seem like "bugs" but are just compatibility problems. Check the docs: https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwardersandindexers

I would suggest installing a v7 HF as a quick fix, but then upgrade the Indexers ASAP to the current version, as they are EOL.
Support would be something that comes to mind in this process. The best practice is to use indexers with versions that are the same as or higher than the forwarder versions, as you stated. I have found that sometimes you can't always upgrade for whatever reason, and it will work, but then some features become deprecated or updated, and it may stop working or have some breaking changes. So, you take the risk. All 7.x Splunk Enterprise versions are now end of support, so should you encounter problems, you have no support. See below for Splunk End of Life Support: https://www.splunk.com/en_us/legal/splunk-software-support-policy.html
Hi guys, I tried to add a new Splunk license on the WebUI and CLI; both failed.

On the CLI, I see this error:

/opt/splunk/etc/licenses/enterprise/24.7.License: failed to parse license because: The license payload seems to be empty

On the WebUI, when I add it I get a 500 error. Running the search recommended on the error page,

index=_internal host="monitor*" source=*web_service.log log_level=ERROR requestid=666fdcbe397fd164249e90

I get this:

2024-06-17 13:50:38,231 ERROR [666fdcbe397fd164249e90] error:338 - Traceback (most recent call last):
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 628, in respond
    self._do_respond(path_info)
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 680, in _do_respond
    self.body.process()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 982, in process
    super(RequestBody, self).process()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 559, in process
    proc(self)
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 225, in process_multipart_form_data
    process_multipart(entity)
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 217, in process_multipart
    part.process()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 557, in process
    self.default_proc()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 717, in default_proc
    self.file = self.read_into_file()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 731, in read_into_file
    fp_out = self.make_file()
  File "/test1/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpreqbody.py", line 513, in make_file
    return tempfile.TemporaryFile()
  File "/test1/opt/splunk/lib/python3.7/tempfile.py", line 586, in TemporaryFile
    prefix, suffix, dir, output_type = _sanitize_params(prefix, suffix, dir)
  File "/test1/opt/splunk/lib/python3.7/tempfile.py", line 126, in _sanitize_params
    dir = gettempdir()
  File "/test1/opt/splunk/lib/python3.7/tempfile.py", line 294, in gettempdir
    tempdir = _get_default_tempdir()
  File "/test1/opt/splunk/lib/python3.7/tempfile.py", line 229, in _get_default_tempdir
    dirlist)
FileNotFoundError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/']

Anyone know why? Thank you for your time.
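The traceback above ends in CPython's tempfile module giving up on every candidate directory, so the license upload has nowhere to spool its multipart body. The diagnostic below is an added example (not code from the thread or from Splunk): it walks the same candidate list that tempfile uses on POSIX (TMPDIR/TEMP/TMP, then /tmp, /var/tmp, /usr/tmp, then the working directory, which is an assumption modelled on the stdlib) and reports, per directory, whether a private file can actually be created and written there, so an admin running it as the Splunk user sees which directory is missing, read-only or not writable.

```python
"""Probe temp-directory candidates the way CPython's tempfile module does.

Hypothetical diagnostic, not Splunk code: run it as the user Splunk runs as.
"""
import errno
import os


def candidate_dirs(environ=None, cwd=None):
    """Candidate order assumed from CPython's tempfile on POSIX:
    TMPDIR/TEMP/TMP env vars, then /tmp, /var/tmp, /usr/tmp, then cwd."""
    environ = os.environ if environ is None else environ
    dirs = [environ[v] for v in ("TMPDIR", "TEMP", "TMP") if environ.get(v)]
    dirs += ["/tmp", "/var/tmp", "/usr/tmp"]
    dirs.append(os.getcwd() if cwd is None else cwd)
    return dirs


def probe_dir(path):
    """Return 'ok' if a private file can be created and written in path,
    'missing' if it is not a directory, else the errno name (EACCES, EROFS...)."""
    if not os.path.isdir(path):
        return "missing"
    probe = os.path.join(path, "tmp-probe-%d" % os.getpid())
    try:
        # Same flags tempfile uses: exclusive create, owner-only permissions.
        fd = os.open(probe, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    try:
        os.write(fd, b"x")  # a full filesystem surfaces here as ENOSPC
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        os.close(fd)
        os.unlink(probe)


def find_usable_tempdir(dirs):
    """Return (first usable dir or None, {dir: status}); None is the
    condition behind 'No usable temporary directory found' in the traceback."""
    report = {d: probe_dir(d) for d in dirs}
    usable = next((d for d in dirs if report[d] == "ok"), None)
    return usable, report


if __name__ == "__main__":
    usable, report = find_usable_tempdir(candidate_dirs())
    for d, status in report.items():
        print("%-20s %s" % (d, status))
    print("usable:", usable or "NONE - multipart uploads such as Add License will 500")
```

Setting TMPDIR to a writable directory in the Splunk user's environment is the quickest fix the report points at; a missing or unwritable /tmp is the usual cause.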
Will filldown do the trick? E.g.

| filldown catchup_updated_time
Ah okay, thanks, gotcha. The current output is like the table I showed, and the desired output is the table after that. catchup_updated_time is not populated for some as it's taken from another sourcetype, which is www_cattchup_Logs. Please let me know if further info is required.
Start here:

| rest "/servicesNS/-/-/saved/searches" splunk_server=local search="is_scheduled=1"
| rename eai:* as * acl.app as app
| fields title app author type search

That will give you the data; then do what you need to do with it.
I want to get a list of scheduled saved searches with the name and the searches themselves. Can anybody help?
Hi Splunk, we are setting up a Splunk Heavy Forwarder with version 9 for development testing and configuring it to forward data to a Splunk Indexer with version 7, and we are collecting data through the DB Connect App. We would like to know if there will be any issues with the Heavy Forwarder sending data to the Indexer running version 7. Of course, it is best to upgrade to the same version, but we would like to first check if there are any issues in this process. If you need more information about this configuration, ask me anytime.