Hi @karthi2809, to my knowledge, reports are static objects and you cannot pass a token to a report. Why do you want to do this? If it's to accelerate searches, use other methods such as Data Models or Summary Indexes. Ciao. Giuseppe
Hi @whrg, probably you saw my answer because I opened a non technical case to Splunk Support and they solved my issue. Try again with Support. Ciao. Giuseppe
Try something like this:
<colorPalette type="expression">if(tonumber(strftime(value,"%H")) == 6 OR tonumber(strftime(value,"%H")) == 11 OR tonumber(strftime(value,"%H")) == 18 OR (tonumber(strftime(value,"%H")) == 21 AND tonumber(strftime(value,"%M")) < 35), "#A2CC3E", "#F58F39")</colorPalette>
Like the title says, I want to change the email address of my splunk.com account. Logging into splunk.com and navigating to My Dashboard, it is only possible to change the password but not the email address. There are older forum posts which suggest contacting Splunk Support. I wrote several emails but received no help. For any other website, changing the email address is a matter of seconds. Why is there no such option for splunk.com?
Hi All, I have a Splunk dashboard with dynamic tokens. Here is a simplified example of my setup. In the dashboard, $new_value$ and $env$ are dynamic tokens that the user can select. I want to convert this panel into a report that can accommodate these dynamic values. Could you guide me on how to achieve this? I need to understand. Any detailed steps or examples would be greatly appreciated.
Base Query:
index=Test environment=$env$ applicationName=$new_value$
| stats values(content.InterfaceName) as InterfaceName values(content.payload) as payloadFile values(content.ErrorMsg) as errormsg values(content.Error) as error BY applicationName,correlationId
| table Status Timestamp InterfaceName ApplicationName CorrelationId
| search interfaceName=$new_interface$
Panel Query with dynamic tokens:
<search base="BankSearch">
<query>| where Status LIKE ("$countStatus$") | sort -Timestamp</query>
</search>
Thank you so much! This actually solved the issue. I thought it could be a permissions issue with the virtual account and even tried a domain admin, but nothing changed. With a local admin user running the service it started working. Edit: it actually works, but not through the Sysmon app, so I am getting a pretty ugly Sysmon format. Will keep investigating it. Thank you again.
Option 1 - If the app can send directly to HEC then that is the path of least resistance, so try that first as JSON, ensure it has a timestamp in the data, and then create a sourcetype based on props and transforms. You will need to send to the HEC/event or HEC/raw endpoint - most likely the event HEC endpoint - so you will need to test this out first: https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Data/HECRESTendpoints
Option 2 - A possible Splunk component is to use the Splunk Add-on Builder. This requires you to install it onto a Splunk instance such as a lab / test environment or a Splunk Heavy Forwarder, not onto production Splunk servers. You then develop a custom app to poll the API and collect data for indexing purposes. See the below for reference: https://docs.splunk.com/Documentation/AddonBuilder/4.2.0/UserGuide/ConfigureDataCollection
Option 3 - Write Python code to pull the data and send it to HEC (this obviously requires code development).
Option 4 - There are some API collection apps on Splunkbase, but I think those are third-party and may require a licence: https://splunkbase.splunk.com/app/1546
According to your reply and https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself, splunk does not manage python.log rotation, but then how is it being rotated? I made python.log around 100MB with the splunk service stopped and python.log was NOT rotated. Once I started splunk, the log was immediately rotated to python.log.1. Additionally, I also made the newly created python.log (size only a few bytes) well over 25MB and it was rotated once again.
Hi ITWhisperer, first I want to say thanks! Now I have this with your suggestion. Now I need to compare the start time with the previous right_time to set the bool field for every line; how can I do this please? Thank you!
Sounds like you need certs on the UF. You can copy them from the indexer or put them into an app, deploy them via the Deployment Server inside an app, and change the config paths below.
Example config:
outputs.conf
[tcpout]
clientCert = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
sslPassword = <IF YOU SET A PASSPHRASE>
server.conf
[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/my_prepared_cert.pem
When I run the search as per your suggestion I get: Could not load lookup=LOOKUP-splunk_security_essentials. However, I have noticed another issue today. Up until the last couple of days the main search would give me no results, or results that don't make sense, because the data would be pulled from a Report.csv which was a few days old. I would still see the data properly indexed though, if I did: index="BBB". When I ran index="BBB" today, I noticed that the Report.csv from the last two days has not been indexed. This has never happened before, and I'm not sure why it would suddenly stop indexing. I couldn't find any errors in the logs related to the index.
You say you have a network user account - I would first start by using a local system account if you can. To me it sounds like a user permissions / access type of issue - sometimes the GPO, if used, can prevent access or grant fewer privileges. Have a look at these links; they have some information on permissions for local accounts.
https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller
https://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindowsdata
https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/MonitorWMIdata
Hi @zijian, you have two choices: 1) schedule an alert adding the csv as an attachment, to receive the csv via email. 2) you could schedule a report adding the outputcsv command at the end. In this way, you save your report as csv in a pre-defined folder (not changeable!). Then you should create a script to copy it to the location you like. Ciao. Giuseppe
I have extracted this data with the stats command. The goal is to compare the left timestamp (start time) of the second line with the right timestamp of the previous line (end time), and the condition will be like this: if (start next row > end previous row) 1:0; in this way I want to mark these lines with bool=1, if not bool=0. Please, does someone have a suggestion about how I can implement this? Thanks in advance