All Posts

Anyone know of any examples on SplunkBase that have JavaScript-written commands using the Python SDK? I've written about a dozen custom commands using Python and am familiar with that process. The dev docs suggest the Splunk SDK for Python should be used for .JS commands, but I'm not understanding how that's possible without importing libraries like Flask. https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/nonpythonscscs
Hello Everyone, I downloaded "TA_Genesys_Cloud_1.0.14_export.tgz" from https://github.com/SplunkBAUG/CCA, added the required inputs and configured Splunk with the available Genesys Cloud CX (Canada Region) OAuth credentials (client ID and client secret). When I try to search using index="genesys cloud", it returns an empty response. Any help will be much appreciated. Thanking you in advance.
Can you share your XML, or are you talking about Dashboard Studio? I'm not quite following what you mean by type=abc or type=def for tokens, and where the pie charts fit into this.
Try like this:
index=prod_logs app_name="abc" | rex field=_raw "account_id\\\"\:\\\"(?<accid>[^\"]+)\\\"\,\\\"activity" | where isnotnull(accid) | table accid
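To see why a character class written as `[^\\]` inside a double-quoted rex argument fails with "missing terminating ]" and what the working form looks like, here is an added example (my code, not from the reply above or from Splunk): a Python emulation of the two layers the pattern passes through. It assumes the search-string layer turns `\\` into `\` and `\"` into `"` and passes every other character through unchanged, and it runs both patterns against a constructed plain-JSON event.

```python
import re

# Constructed sample event (plain JSON in _raw; an assumed shape, not the poster's data).
RAW = '{"account_id":"acc-12345","activity":"login","result":"ok"}'

# The regex exactly as typed inside the double-quoted rex argument in the reply.
POSTED = r'account_id\\\"\:\\\"(?<accid>[^\\]+)\\\"\,\\\"activity'
# The same expression with the character class changed to "anything but a quote".
FIXED = r'account_id\\\"\:\\\"(?<accid>[^\"]+)\\\"\,\\\"activity'


def spl_unescape(s):
    """Emulate what the search-string layer does to a double-quoted argument
    before the regex engine sees it. Assumption: \\\\ -> \\ and \\" -> ",
    everything else passes through untouched."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def pcre_to_python(pattern):
    """Splunk uses PCRE, which accepts (?<name>...); Python's re only accepts
    (?P<name>...). Rewrite the group syntax without touching lookbehinds."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def try_rex(spl_regex, raw):
    """Return (error_message_or_None, captured_fields) for one rex attempt."""
    pattern = pcre_to_python(spl_unescape(spl_regex))
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        # The posted pattern ends up as [^\]+ : the backslash escapes the
        # bracket, so the class never closes. PCRE reports this as
        # "missing terminating ] for character class".
        return str(exc), {}
    m = compiled.search(raw)
    return None, (m.groupdict() if m else {})


if __name__ == "__main__":
    for label, pat in (("posted", POSTED), ("fixed", FIXED)):
        err, fields = try_rex(pat, RAW)
        print(label, "->", "ERROR: " + err if err else fields)
```

The fix keeps every other escape the reply used; only the class changes so the search-string layer hands PCRE `[^"]+`. If the real events carry backslash-escaped JSON (`\"account_id\":\"...`), the pattern also has to match the literal backslash, and for well-formed JSON `spath` sidesteps the escaping entirely.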
What if someone mistakenly disables a UDP input? Just the first example off the top of my head.
What do you mean by "dynamic" here? Also, you might need WRITE_META = true. Also also, you might want to use ingest actions.
Hi all, I'm trying to see if logs can be sent to different indexes at index time depending on a regex. Is it possible to send logs to an index name that is part of the Source metadata? Below are my props.conf and transforms.conf.

props.conf:
[test:logs]
TRANSFORMS-new_index = new_index

transforms.conf:
[new_index]
SOURCE_KEY = MetaData:Source
REGEX = (?<index>\w+)\-\d+
# This needs to be dynamic
FORMAT = $1
DEST_KEY = _MetaData:Index

Thanks in advance.
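An added example (mine, not Splunk's code and not part of the post) that emulates what the transform above does to an event's metadata and where the event ends up. It assumes REGEX is matched unanchored against the SOURCE_KEY value, that `$N` in FORMAT is replaced by capture group N, and that an event routed to an index that does not exist is dropped unless indexes.conf sets `lastChanceIndex`, in which case it lands there.

```python
import re

# The stanza from the post, as a dict. Splunk's REGEX is PCRE; Python's re
# needs (?P<name>...) instead of (?<name>...), handled in pcre_to_python().
TRANSFORM = {
    "SOURCE_KEY": "MetaData:Source",
    "REGEX": r"(?<index>\w+)\-\d+",
    "FORMAT": "$1",
    "DEST_KEY": "_MetaData:Index",
}


def pcre_to_python(pattern):
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def apply_transform(meta, transform):
    """Return a copy of the event metadata after the transform has run.
    If REGEX does not match the SOURCE_KEY value, the transform does not fire
    and the metadata is returned unchanged (assumed Splunk behaviour)."""
    value = meta.get(transform["SOURCE_KEY"], "")
    m = re.search(pcre_to_python(transform["REGEX"]), value)
    if not m:
        return dict(meta)
    # Expand $1..$N from the capture groups (an unknown $N would raise IndexError).
    expanded = re.sub(r"\$(\d+)",
                      lambda g: m.group(int(g.group(1))) or "",
                      transform["FORMAT"])
    out = dict(meta)
    out[transform["DEST_KEY"]] = expanded
    return out


def final_index(meta, existing_indexes, last_chance_index=None):
    """Where the event actually lands: its routed index if it exists, otherwise
    lastChanceIndex (if configured and present), otherwise None, meaning the
    event is dropped. An event with no routing keeps the default 'main'."""
    idx = meta.get("_MetaData:Index", "main")
    if idx in existing_indexes:
        return idx
    if last_chance_index in existing_indexes:
        return last_chance_index
    return None


def route(source, existing_indexes, last_chance_index=None):
    """Convenience wrapper: source metadata value -> destination index or None."""
    meta = apply_transform({"MetaData:Source": source}, TRANSFORM)
    return final_index(meta, existing_indexes, last_chance_index)


if __name__ == "__main__":
    # Constructed index list and sources; not from any real deployment.
    indexes = {"main", "app1", "lastchance"}
    for src in ("app1-42", "/var/log/app1-42.log", "ghost-7", "/var/log/syslog"):
        print(f"{src!r:28} -> {route(src, indexes)!r}  "
              f"(with lastChanceIndex: {route(src, indexes, 'lastchance')!r})")
```

The FORMAT = $1 part is not the hard problem; the failure mode is the source name. Because the index is derived from input-controlled metadata, a typo or an unexpected source silently drops data (or dumps it into lastChanceIndex), and anything that can influence the source name can choose the index. A REGEX with an explicit alternation of allowed names, e.g. `(app1|app2|app3)\-\d+`, keeps the routing dynamic while bounding where events can go.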
I have this app set up and installed; however, there are a lot of panels, which are essentially saved searches or just search strings that get run. But many of these panels are the same. Is there a list of panels under FISMA so that a person can combine them into fewer than, say, 5 dashboards rather than 3-4 that are the same and 1-2 offsets that are under different categories (i.e. AC-5 having 3 and AC-18 having 3, with 1 being different among them)? Bonus: it seems to me there's got to be someone who has done this already and has their version of a how-to guide that would benefit the FISMA world or RMF world. I'm just talking about getting what we can to cover as many controls as we can under a few, say 3-5, dashboards so we don't have to have people clicking over 20 different places for one item of interest.
I was batting around the double transpose method with a peer and got a minor variation to work regardless of whether I was throwing the top5 or top40 at it. And it doesn't muck with the column names. Given the simplicity, I think I am going to drop the idea of going after a table subsearch following the timechart. There is no need, since the double transpose method is clean and elegant. Thank you for the suggestion and the follow-ups. Tim

| fields - _span*
| transpose
| sort - "row 5" ```uses values from the last row (latest time)```
| transpose header_field="column" 0
| fields - column
There are two REST endpoints you can use to get that information. This one fetches saved searches (including reports and alerts):
| rest splunk_server=local /servicesNS/-/-/saved/searches | search search="*You found a bug!*"
This one does the same for dashboards:
| rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data="*You found a bug!*"
I presume the problem is the table is very wide. If so, try swapping the terms in the chart command:
index="webmethods_prd" source="/apps/WebMethods/IntegrationServer/instances/default/logs/CXMLOrders.log" | eval timestamp=strftime(_time, "%F") | chart limit=30 count as count over timestamp by TransactionType
Alternatively, try the timechart command:
index="webmethods_prd" source="/apps/WebMethods/IntegrationServer/instances/default/logs/CXMLOrders.log" | eval timestamp=strftime(_time, "%F") | timechart useother=0 limit=30 count by TransactionType
Tried both expressions; getting the same error in both:
regex 'account_id\\":\\"(?<account_id>[^\]+"activity)': Regex: missing terminating ] for character class.
Hi, I'm working with a dashboard where I have three rows of data. Each row is filtered based on specific conditions. I have enabled drilldown for all these rows, e.g.:
row 1: Panel 1: token name: r1_drill, condition: success; Panel 2: token name: r1_drill, condition: failed
row 2: Panel 1: token name: r2_drill, condition: success, type: abc; Panel 2: token name: r2_drill, condition: failed, type: abc
row 3: Panel 1: token name: r3_drill, condition: success, type: def; Panel 2: token name: r3_drill, condition: failed, type: def
The problem is while passing tokens to the pie charts:
Clicking on r3_drill works as expected.
Clicking on r2_drill sets r3_drill conditions as default, causing incorrect filtering.
I need to unset r3_drill when r2_drill is set and vice versa for all. Any guidance or examples would be greatly appreciated. Thanks
Hello, I've been asked to provide a list of all Alerts/Reports/Dashboards that contain the value "You Found a bug!" in the underlying search. I have no idea how to do this :). I manually found one alert that is using a search that would match:
source=bluefletch "details.package"="com.siteone.mobilepro" "details.message.environment"=PROD (event=ErrorEvent OR event=ExceptionEvent) "details.message.additionalInfo.content{}.Title"="You found a bug!"
I just need to find all of the other Alerts/Reports/Dashboards that are also using this. Does anyone have any ideas how this can be done? Thank you for any help on this. Thanks, Tom
My log data looks like this (due to space it is not showing properly):
TransactionType = cXML OrderRequest
TransactionType = cXML ConfirmationRequest
I am using this query:
index="webmethods_prd" source="/apps/WebMethods/IntegrationServer/instances/default/logs/CXMLOrders.log" | eval timestamp=strftime(_time, "%F") | chart limit=30 count as count over TransactionType by timestamp
I have to build a report on transaction type, total count date-wise. Please help to form the query. Regards, Avik
The index name is specified on another line, similar to how the sourcetype is specified.
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
index = foo
Read The Fine Manual at https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf
Ran into the exact same issue going from 9.1.1 to 9.2.1. Had the same errors and commented out the line "marnall" pointed out, restarted Splunk, finished the update and successfully started Splunk. Why is this happening? And does it happen to everyone?
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
By "index" in the monitor stanza, do you mean the path, exactly "/var/log/snort/*alert_json.txt"? Or by "index" do you mean the sourcetype, "snort3:alert:json"?
This has not worked for me, any ideas? Here is my sslConfig stanza in server.conf:
[sslConfig]
sslPassword = $7$IVRDJa9zz5Rmt3ZehltRkIK2vnYpOPiMSSAZMNAUqdQ7hQAGf2GNXg
No other lines in the file. I am open to suggestions, and get this as well:
WARNING: Server Certificate Hostname Validation is disabled., see server.conf, etc
Thanks, EWHolzx
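The stanza above sets only sslPassword, so every other TLS setting comes from the system defaults, and the startup warning is about one of those. As an added example (my code, not Splunk's and not part of the post), here is a small audit that parses a server.conf and reports the [sslConfig] settings that leave certificate and hostname validation off. It assumes these are the keys that govern it in a 9.x server.conf (`sslVerifyServerCert`, `sslVerifyServerName`, `cliVerifyServerName`, `serverCert`, `sslRootCAPath`) and that an absent boolean key defaults to false and an absent serverCert to the stock `$SPLUNK_HOME/etc/auth/server.pem`; the two conf texts are constructed, with the password value redacted.

```python
import configparser

# Keys assumed to control validation, with the consequence of leaving each off.
CHECKS = {
    "sslVerifyServerCert": "splunkd does not verify peer certificates",
    "sslVerifyServerName": "splunkd does not check the certificate hostname",
    "cliVerifyServerName": "the CLI does not check the certificate hostname "
                           "(the 'Hostname Validation is disabled' warning)",
}
DEFAULT_CERT = "$SPLUNK_HOME/etc/auth/server.pem"   # assumed stock default
TRUE_VALUES = ("true", "1", "yes")


def parse_sslconfig(text):
    """Return the [sslConfig] stanza as a dict (keys are case-sensitive in .conf)."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["sslConfig"]) if cp.has_section("sslConfig") else {}


def audit(text):
    """List the weak-TLS findings for a server.conf; an empty list means clean."""
    ssl = parse_sslconfig(text)
    findings = []
    for key, why in CHECKS.items():
        if ssl.get(key, "false").strip().lower() not in TRUE_VALUES:
            findings.append(f"{key} is off (absent keys assumed false): {why}")
    if ssl.get("serverCert", DEFAULT_CERT).strip() == DEFAULT_CERT:
        findings.append("serverCert is the stock self-signed server.pem; "
                        "no peer can validate its hostname")
    if (ssl.get("sslVerifyServerCert", "false").lower() in TRUE_VALUES
            and not ssl.get("sslRootCAPath")):
        findings.append("sslVerifyServerCert is on but sslRootCAPath is unset; "
                        "there is no CA to verify against")
    return findings


# Constructed: the shape of the posted file (password redacted).
WEAK = """[sslConfig]
sslPassword = $7$REDACTED
"""

# Constructed: the same stanza with validation enabled and a real certificate.
HARDENED = """[sslConfig]
serverCert = /opt/splunk/etc/auth/mycerts/splunkd.pem
sslPassword = $7$REDACTED
sslRootCAPath = /opt/splunk/etc/auth/mycerts/ca.pem
sslVerifyServerCert = true
sslVerifyServerName = true
cliVerifyServerName = true
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label}")
        for line in audit(conf) or ["no findings"]:
            print("  -", line)
```

Turning the validation keys on only helps if the certificate's subject alternative name matches the hostname each peer connects to and sslRootCAPath points at the CA that issued it; with the stock server.pem, enabling sslVerifyServerName makes connections fail rather than succeed, which is why the audit flags the default certificate as a finding in its own right.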
OK, so what information have you managed to ingest into Splunk from them? Essentially, you can only query information which has been ingested (with a few exceptions).