Hi @zoe, Building on @gcusello's response, you can find the intersections by looking for sign changes in dy: | eval dy=y2-y1
| autoregress dy
| where dy==0 OR abs(dy)/dy!=abs(dy_p1)/dy_p1
| fields ...
See more...
Hi @zoe, Building on @gcusello's response, you can find the intersections by looking for sign changes in dy: | eval dy=y2-y1
| autoregress dy
| where dy==0 OR abs(dy)/dy!=abs(dy_p1)/dy_p1
| fields - dy dy_p1 The selected point depends on the sort order of the data. You can use this alone or as part of an annotation search in a dashboard. We don't know the functions that generated the lines, and we're not performing a regression, but this provide a quick estimation.
Hi @tej57, I tried below Evan condition its working when I run it in a search but when I add in the xml code it’s showing in the dropdown but values are not populating on the panels.
Your admins likely have the app your dashboard is in locked down. If you don't have write access to the app, then you won't be able to edit permissions to share within the context of the app. Priv...
See more...
Your admins likely have the app your dashboard is in locked down. If you don't have write access to the app, then you won't be able to edit permissions to share within the context of the app. Private objects while tied to the app aren't actually in the app, they're in your private directory on the backend.
Based on documentation, and posts (Who do saved scheduled searches run as? and Question about "run as" (Owner or User ) for saved searches), a saved search configured to "run as" owner, should run w...
See more...
Based on documentation, and posts (Who do saved scheduled searches run as? and Question about "run as" (Owner or User ) for saved searches), a saved search configured to "run as" owner, should run with permissions that the owner of the search has. However, I have two saved searches that do not work that way. Specifically, the searches use indexes that I (the owner) has access to but other user roles do not. The difference that I can think of is that my searches are in a Splunk Cloud instance, and my users authenticate using SAML against a IdP on premise. Any insights would be much appreciated!
You could try something like this <drilldown>
<condition field="Name">
<eval token="link">if(isnull($row.url$),"","https://$row.url|n$"</eval>
<link target=...
See more...
You could try something like this <drilldown>
<condition field="Name">
<eval token="link">if(isnull($row.url$),"","https://$row.url|n$"</eval>
<link target="_blank">$link$</link>
</condition>
</drilldown>
Hi @mohammadnreda, I would recommend following some general steps to ingest your logs via Syslog. There are multiple ways to get Syslog data into Splunk, and the current best practice is to use "S...
See more...
Hi @mohammadnreda, I would recommend following some general steps to ingest your logs via Syslog. There are multiple ways to get Syslog data into Splunk, and the current best practice is to use "Splunk Connect for Syslog (SC4S)." This is a containerized Syslog-ng server with a configuration framework designed to simplify the process of getting Syslog data into both Splunk Enterprise and Splunk Cloud. If you already have a dedicated Syslog server (such as rsyslog or Syslog-ng), you simply need to enable Syslog forwarding from your Sangfor Firewall to the Syslog collector. From there, use a Universal Forwarder instance to read and forward your Syslogs to an indexer. Some useful links: Data collection architecture - Splunk Lantern Splunk Connect for Syslog | Splunkbase Syslog - Splunk Lantern Using Syslog-ng with Splunk | Splunk There is also an older post about Sangfor Firewall (answered by gcusello) that might be helpful for you: How to Onboard a device in Splunk? - Splunk Community best regards,
Hi @mohammadnreda, I suppose that you're receivig your firewall logs by syslog. So you have to create your custom add-on to parse your logs. If you need to use them in ES or ITSI you have also to ...
See more...
Hi @mohammadnreda, I suppose that you're receivig your firewall logs by syslog. So you have to create your custom add-on to parse your logs. If you need to use them in ES or ITSI you have also to nomalize them and the Splunk Add-On Builder (https://splunkbase.splunk.com/app/2962) can help you in normalization. If instead you have only tro monitor your firewalls, you can only parse your logs to extract all the relevant fields to use in dashboards. Anyway, my hint is to normalize your logs to have a custom CIM 4.x compliant add-on. Ciao. Giuseppe
I'm not sure what your problem is, but if it's related to orphaned private object, you'll need to re-create locally the deleted account and assign the object to another user.
Hi There, We are using the JIRA service desk add-on to open JSM tickets from splunk ES correlation search alerts. I found the docs how to set up the Add-on via REST API. ( https://ta-jira-service-de...
See more...
Hi There, We are using the JIRA service desk add-on to open JSM tickets from splunk ES correlation search alerts. I found the docs how to set up the Add-on via REST API. ( https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/configuration.html#configuring-via-rest-api ) My question is, is it possible to use the REST API to configure the response action itself for every correlation search?
Hi @karthi2809, surely dashboard performances can be improved using base search, but always the best approach to have a performant dashbaord is working to have having performant searches. If you ca...
See more...
Hi @karthi2809, surely dashboard performances can be improved using base search, but always the best approach to have a performant dashbaord is working to have having performant searches. If you can, you could use all the ways to accelerate searches: use of tstats (when possible), accelerated Data Models, use of Summary indexes, if possible use of reports (especially when the dashboard is used by many users). The way to improve performances of your searches depends on the searches themselves. Ciao. Giuseppe
Well, I finally found what was missing. There's another certificate for the web interface in /opt/splunk/etc/auth/splunkweb I did the same as the other certificate (rename it to .old and restar...
See more...
Well, I finally found what was missing. There's another certificate for the web interface in /opt/splunk/etc/auth/splunkweb I did the same as the other certificate (rename it to .old and restart the service) and it automatically recreated a new updated certificate.
Hi All, I've been working on a dashboard in Splunk and I am noticing that it takes a considerable time amount of time to load. How to optimize the performance of my dashboard. 1.created most of t...
See more...
Hi All, I've been working on a dashboard in Splunk and I am noticing that it takes a considerable time amount of time to load. How to optimize the performance of my dashboard. 1.created most of the queries in base search. 2.How to make panels as reports. If we made as report will dashboard will more effective?. And I am using dynamic search in my dashboard. Could you please provide some tips or some example to improve the speed and performance of my Splunk dashboard. Thanks, Karthi