All Posts


In some forum I read that all data can be searched in Splunk, indexed or not indexed. Is that incorrect information?
I want to use Splunk as a log server: send any data, but filter out from the index the data that does not pass the license. If data does not pass to the indexer, can I not search this data?
Hi @gdfasdasd, only indexed data, obviously! Ciao. Giuseppe
Hello, I am new to Splunk. I cannot understand: if I do not index data, can I search this data in Splunk? Or can I search only indexed data in Splunk?
Hello, I have an alert set up which reads a lookup file (populated by another report), and if there are any records in the lookup file, emails should be triggered (one for each record). I understand this can be done using the trigger "for each result", but I want to use some field values from each record as the email subject. Example: in this case, I want 6 emails to be triggered with subject lines as follows:
Email 1: Selfheal Alert - Cust A - Tomcat Stopped - Device A1 - May-24 - Device Level
Email 2: Selfheal Alert - Cust A - Tomcat Stopped - Device A2 - May-24 - Device Level
Email 3: Selfheal Alert - Cust B - Failed Job - Device B1 - May-24 - Device Level
Email 4: Selfheal Alert - Cust C - Tomcat Stopped - Device C1 - May-24 - Device Level
Email 5: Selfheal Alert - Cust C - Failed Job - Device C2 - May-24 - Device Level
Email 6: Selfheal Alert - Cust C - Failed Job - Device C3 - May-24 - Device Level
How can I achieve this? Thank you.
Dear All, I need help integrating OpenShift with our Splunk Enterprise. I have integrated OpenShift with Splunk using HEC; the connection is successfully paired, and when the test message was sent from OpenShift we received it on Splunk, but we don't receive the logs constantly. We are able to see only the test logs, and after that there are no logs flowing to Splunk. Can someone please guide me here?
Hi @Kaushaas, you can see your role at the top of your Splunk GUI; then you can ask one of your Administrators what the capabilities of your role are. Do you have this issue only on these dashboards, or also on other dashboards or knowledge objects? Ciao. Giuseppe
@gcusello I am not able to see the roles. Could you please tell me how to find that?
Your requirement is unclear and imprecise: what is "standard"? What are you trying to establish the deviation of? Your current search will only return results when there are no events, so you have no events to establish any deviation from standard anyway! Please clarify.
Hi @karthi2809, to join the content of a lookup with a search, you must have a common key. What is this key? Ciao. Giuseppe
Hi @Yashvik, good for you, see you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated
I'm still getting the wrong result. When I tried with a single IPv4 address, it worked, but I encountered the issue only with CIDR IP ranges. Do I need to make any changes from the backend?
iirc, this part of the SimpleXML is not re-evaluated after the dashboard is loaded, therefore the tokens can't be used here. iirc, the way I approached this is to use CSS, where tokens are evaluated. The trick with using CSS is identifying the element you want to change the style of, so depending on how dynamic your charts are or how different they are for each system, this may prove to be quite tricky!
Hi @gcusello, I need to map based on interface name with link.
The best way to do this is probably by using the JSON functions in combination with spath. Try something like this:
| spath path=log.content output=content
| eval content=json_array_to_mv(content)
| mvexpand content
| spath input=content path=status
| eval Service=if(status="CANCELLED", "Cancelled", if(status="BAY", "Bay", null()))
| where isnotnull(Service)
| stats count by Service
Thanks @gcusello, will get it checked.
Hi there, this will not work. TL;DR: there is no OAuth2 in the Splunk REST API. If you want to use my EDFS https://apps.splunk.com/app/4377/, this is based on RBAC and IP access permissions. Hope this helps ... MuS
Hey @A_VA, can you try wrapping the color token in quotes as "$red|s$"? I believe this should work. Relevant document: https://docs.splunk.com/Documentation/Splunk/9.2.1/Viz/tokens#Syntax_to_consume_tokens Thanks, Tejas. --- If the above solution helps, an upvote is appreciated.
Hi @vikas_gopal, only one detail: to my knowledge, the only app that requires to be installed on the SHC-Deployer is Splunk Enterprise Security; all the other apps (so also ESCU) don't require to be installed on the SHC-Deployer, you can just copy and untar them in the $SPLUNK_HOME/etc/shcluster folder and then push them to the SHC members. In general, avoid installing an app directly on a SH member. Ciao. Giuseppe
Hi @Ash1, if you need to exclude many hosts (like 509) from your search, the best solution is the one from @burwell: a lookup containing the host list. If instead they are three or four, you can also insert them in each search or create a macro to exclude them. Ciao. Giuseppe