Hi Team, Please let me know how to add a color to time format as below. The below one is not matching the requirement.
<colorPalette type="expression">if(strptime(value,"%H:%M:%S")>"25200", "#A2CC3E", "#F58F39")</colorPalette>
Time and the color I expect in the Time field:
25-05-2024 19:06 Red
25-05-2024 22:10 Red
25-05-2024 22:16 Red
26-05-2024 06:50 Green
26-05-2024 06:52 Green
26-05-2024 11:50 Green
26-05-2024 11:52 Green
27-05-2024 07:09 Red
27-05-2024 07:10 Red
27-05-2024 11:52 Green
27-05-2024 11:57 Green
Thanks in Advance!
Hi, I'm trying to join two lookups based on the name field. Here's what I have:
|inputlookup abc.csv
|table name published
|lookup def.csv name as name OUTPUT releaseyear
When I run this, I get multiple values in the field. How do I get rid of these multiple values and ensure only one value per field? Thanks!
That will give you one solution, but the other is more generalized:
| makeresults count=100
| streamstats count
| eval count=count-1
| rename count as x
| eval y1=pow(x-50, 2)+25, y2=-pow(x-30, 2)+1000
| table x y1 y2
``` end sample data ```
| eval dy=y2-y1
| autoregress dy
| where dy==0 OR abs(dy)/dy!=abs(dy_p1)/dy_p1
| fields - dy dy_p1
x y1 y2
21 866 919
60 125 100
If we find the intersections outside Splunk we get:
x ~ 20.315, y ~ 906.2
x ~ 59.685, y ~ 118.8
Hi, I was able to receive notifications and alerts from AppDynamics in my Zabbix and Grafana (Minerva) console. I wanted to know if it is possible to integrate metrics between AppDynamics and Minerva and generate a Dashboard for each application.
Hi, I am completely new to Splunk and have to parse a field that looks like this: params="['field1: value1', 'field2: value2', 'field3: value3']" (note the spaces after the colons). I have to extract field1, field2, field3 to be searchable. Can you help with what query I should write?
Please explain what is meant by "it is not working". What results do you get and how do they not meet your expectations? The exclude_message field will be null if the lookup fails to find a match.
I have a Splunk query which returns these 2 sets of events.
1) domain_name="abc" microservice_name="test" message=[WEB] ERROR RESPONSE : NO_DOCUMENTS_FOUND ->
2) domain_name="abc" microservice_name="test" message=[WEB] ERROR RESPONSE : GUID_EXPIRED
My vtest.csv lookup looks like below:
domain_name; microservice_name; message
abc; test; NO_DOCUMENTS_FOUND
I am using the below query to exclude the 1st set of events. I have created a WILDCARD(message) match_type.
| lookup vtest message OUTPUT message as exclude_message
| search NOT (exclude_message="*")
But it is not working, and I don't get any fields in "exclude_message" either. Kindly help.
I want to create a menu dashboard which contains 3 boxes in a row. If I click on any box it should navigate to my destination dashboard. I don't want any image, just text (the other dashboards' names) in the box.
@Iñigo, we finally customized the HTTP app by just using the authentication taken from the Graph apps. In our opinion, there is really no doubt about what is wrong: if you can specify a payload in OAuth and if HTTP supports OAuth, it must definitely provide the option to insert a payload; otherwise we can safely say that the app does not really support OAuth. However, waiting for Splunk to understand and acknowledge such a thought is like waiting for a miracle, so we proceeded to customize the app.
Hi @zoe, building on the previous suggestions from gcusello and tscroggins, especially that sometimes y1 and y2 might not be exactly equal but rather close to each other, I would use the following method to find the closest intersections:
| eval diff=abs(y1 - y2)
| sort diff
| head 1
| table _time, y1, y2, diff
From there, you can use another diff (if needed) to calculate the actual difference between the numbers stored in the y1 and y2 fields.
Search Ref: Function: abs; Command: sort; Command: head
Best regards,
Hi @drew19, did you manage to use the HTTP app with Azure authentication? We opted for the app customization path as @phanTom did, and it certainly is a pain to maintain if you want to keep tabs with the out-of-the-box app(s). In the end it's just a custom app, just as if you had made it from scratch, with its advantages and issues. We are using Power Automate more and more since MS integrated proper authentication for their flows, and for this matter we just need very simple POST and GET actions, but authenticated. Nothing more and nothing less. I got the same results as you when trying to authenticate. Creating an additional app, even one this simple, just to pass an additional parameter for OAuth seems like reinventing the wheel.
So we did a little more digging. The magic in this case is called "channelAccess". This setting basically grants access to specific event logs for "normal user" accounts. High-value event logs, for example the security event log, are only available to higher-privileged accounts. The sysmon event log is considered "high value". So when you check the "channelAccess" settings you get this by default: But Microsoft allows you to modify this setting. So we modified the "channelAccess" settings based on the "powershell operational" settings: After you set the setting, restart the SplunkForwarder service. And voilà, you have access to the sysmon event log without adding the virtual account to a specific group.
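An added example for the channelAccess change above (not the poster's settings, which were in the screenshots): instead of copying another channel's whole ACL, parse the channel's SDDL and append one allow-read ACE for the forwarder's virtual account, which is the narrower, least-privilege form of the same change. The SDDL string below is constructed and the account SID is a placeholder; on a real host the live value comes from `wevtutil gl Microsoft-Windows-Sysmon/Operational`.

```python
import re

# Constructed sample in the shape wevtutil reports as channelAccess.
# The real value differs per host; read the live one rather than pasting this.
SAMPLE_SDDL = "O:BAG:SYD:(A;;0x7;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-32-573)"
READ = 0x1  # event-log channel "read" right (0x2 write, 0x4 clear)


def dacl_aces(sddl):
    """Return (type, flags, rights, obj_guid, inh_guid, sid) tuples from the DACL part."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) == 6:          # conditional ACEs have more fields; skip them
            aces.append(tuple(parts))
    return aces


def parse_rights(rights):
    """Hex masks are what channel ACLs use; letter codes (e.g. 'GR') are left unparsed."""
    return int(rights, 16) if rights.lower().startswith("0x") else None


def sids_with_read(sddl):
    """SIDs that have an allow ACE containing the read bit."""
    out = []
    for ace_type, _flags, rights, _o, _i, sid in dacl_aces(sddl):
        mask = parse_rights(rights)
        if ace_type == "A" and mask is not None and mask & READ:
            out.append(sid)
    return out


def grant_read(sddl, sid):
    """Return sddl with a single allow-read ACE for sid appended to the DACL.

    Unchanged if the SID can already read. The ACE goes before any SACL ("S:") section.
    """
    if sid in sids_with_read(sddl):
        return sddl
    head, sep, sacl = sddl.partition("S:")
    return f"{head}(A;;0x1;;;{sid}){sep}{sacl}"


if __name__ == "__main__":
    forwarder_sid = "S-1-5-80-PLACEHOLDER"   # placeholder: resolve NT SERVICE\SplunkForwarder on the host
    print(grant_read(SAMPLE_SDDL, forwarder_sid))
```

Apply the returned string with `wevtutil sl Microsoft-Windows-Sysmon/Operational /ca:"<sddl>"` and restart the forwarder service as the post describes; re-run `wevtutil gl` afterwards to confirm only the one ACE was added.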
Hello friends, last week we updated a few apps based on feedback from the Upgrade Readiness App. Admittedly, the apps were forgotten about for about a year. Yet we are receiving e-mail notifications about deprecated jQuery or Python versions for the given apps. Since all the apps are "Built by Splunk Inc.", I have a feeling this should not be the case. Is it safe to [Dismiss App Alert] in the Upgrade Readiness App? Will the alert re-appear after the next scan?
Hi @zoe, building on @gcusello's response, you can find the intersections by looking for sign changes in dy:
| eval dy=y2-y1
| autoregress dy
| where dy==0 OR abs(dy)/dy!=abs(dy_p1)/dy_p1
| fields - dy dy_p1
The selected point depends on the sort order of the data. You can use this alone or as part of an annotation search in a dashboard. We don't know the functions that generated the lines, and we're not performing a regression, but this provides a quick estimation.
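A Python re-implementation of the sign-change method from the three intersection replies above (the makeresults sample, the abs-diff reply and the autoregress reply), added here as an example and not code from any of those posts. It uses the same two constructed parabolas as the makeresults sample, reproduces the SPL's null handling for the first row and for a row following an exact zero, and adds a linear-interpolation step to recover the fractional x that the SPL only brackets.

```python
def sample_data(n=100):
    """Constructed rows: the same two parabolas as the makeresults sample."""
    return [{"x": x, "y1": (x - 50) ** 2 + 25, "y2": -(x - 30) ** 2 + 1000}
            for x in range(n)]


def sign(v):
    return 0 if v == 0 else (1 if v > 0 else -1)


def crossing_rows(rows):
    """Mirror of `eval dy=y2-y1 | autoregress dy | where dy==0 OR abs(dy)/dy!=abs(dy_p1)/dy_p1`.

    Returns the indices of rows where y2-y1 is zero or has just changed sign.
    As in the SPL, the first row (no dy_p1) and a row following an exact zero
    (abs(0)/0 is null) are never selected.
    """
    hits, prev = [], None
    for i, r in enumerate(rows):
        dy = r["y2"] - r["y1"]
        if prev is not None and (dy == 0 or (prev != 0 and sign(dy) != sign(prev))):
            hits.append(i)
        prev = dy
    return hits


def interpolate(rows, i):
    """Linear interpolation between row i-1 and row i for the point where y1 == y2."""
    a, b = rows[i - 1], rows[i]
    da, db = a["y2"] - a["y1"], b["y2"] - b["y1"]
    if db == 0:                     # exact touch: the row itself is the intersection
        return b["x"], b["y1"]
    t = da / (da - db)              # fraction of the way from a to b where dy hits 0
    return (a["x"] + t * (b["x"] - a["x"]),
            a["y1"] + t * (b["y1"] - a["y1"]))


def intersections(rows):
    return [interpolate(rows, i) for i in crossing_rows(rows)]


if __name__ == "__main__":
    data = sample_data()
    print([data[i]["x"] for i in crossing_rows(data)])   # [21, 60], the rows the SPL keeps
    for x, y in intersections(data):
        print(f"x ~ {x:.3f}, y ~ {y:.1f}")
```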
Hi @tej57, I tried the below eval condition. It's working when I run it in a search, but when I add it in the XML code it's showing in the dropdown but the values are not populating on the panels.
Your admins likely have the app your dashboard is in locked down. If you don't have write access to the app, then you won't be able to edit permissions to share within the context of the app. Private objects, while tied to the app, aren't actually in the app; they're in your private directory on the backend.
Based on documentation and posts (Who do saved scheduled searches run as? and Question about "run as" (Owner or User) for saved searches), a saved search configured to "run as" owner should run with the permissions that the owner of the search has. However, I have two saved searches that do not work that way. Specifically, the searches use indexes that I (the owner) have access to but other user roles do not. The difference that I can think of is that my searches are in a Splunk Cloud instance, and my users authenticate using SAML against an IdP on premise. Any insights would be much appreciated!