All Posts
Dear All, I need help integrating OpenShift with our Splunk Enterprise. I have integrated OpenShift with Splunk using HEC and the connection is successfully paired; when the test message was sent from OpenShift we received it on Splunk, but we don't receive the logs constantly. We are able to see only the test logs and after that there are no logs flowing to Splunk. Can someone please guide me here?
Hi @Kaushaas, you can see your role at the top of your Splunk GUI; then you can ask one of your Administrators what the capabilities of your role are. Do you have this issue only on these dashboards, or also on other dashboards or knowledge objects? Ciao. Giuseppe
@gcusello I am not able to see the roles. Could you please tell me how to find that?
Your requirement is unclear and imprecise: what is "standard"? What are you trying to establish the deviation of? Your current search will only return results when there are no events, so you have no events to establish any deviation from standard anyway! Please clarify.
Hi @karthi2809, to join the content of a lookup with a search, you must have a common key, what's this key? Ciao. Giuseppe
Hi @Yashvik, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
I'm still getting the wrong result. When I tried with a single IPv4 address, it worked, but I encountered the issue only with CIDR IP ranges. Do I need to make any changes from the backend?
iirc this part of the SimpleXML is not re-evaluated after the dashboard is loaded, therefore the tokens can't be used here. iirc, the way I approached this is to use CSS, where tokens are evaluated. The trick with using CSS is identifying the element you want to change the style of, so depending on how dynamic your charts are or how different they are for each system, this may prove to be quite tricky!
Hi @gcusello  Need to map based on interface name with link
The best way to do this is probably by using the json functions in combination with spath. Try something like this:

| spath path=log.content output=content
| eval content=json_array_to_mv(content)
| mvexpand content
| spath input=content path=status
| eval Service=if(status="CANCELLED", "Cancelled", if(status="BAY", "Bay", null()))
| where isnotnull(Service)
| stats count by Service
Thanks @gcusello  will get it checked.
Hi there, this will not work. TL;DR: there is no OAuth2 in the Splunk REST API. If you want to use my EDFS https://apps.splunk.com/app/4377/ this is based on RBAC and IP access permissions. Hope this helps ... MuS
Hey @A_VA, can you try wrapping the color token in quotes as "$red|s$"? I believe this should work. Relevant document: https://docs.splunk.com/Documentation/Splunk/9.2.1/Viz/tokens#Syntax_to_consume_tokens Thanks, Tejas. --- If the above solution helps, an upvote is appreciated.
Hi @vikas_gopal, only one detail: to my knowledge, the only app that requires to be installed on the SHC-Deployer is Splunk Enterprise Security; all the other apps (so also ESCU) don't require to be installed on the SHC-Deployer, you can just copy and untar them in the $SPLUNK_HOME/etc/shcluster folder and then push them to the SHC members. In general, avoid installing an app directly on a SH member. Ciao. Giuseppe
Hi @Ash1, if you need to exclude many hosts (like 509) from your search, the best solution is the one from @burwell: a lookup containing the host list. If instead they are three or four, you can also insert them in each search or create a macro to exclude them. Ciao. Giuseppe
Hi @VijaySrrie, yes, you can do it, but (as @burwell also said) I could be more detailed if you could share your search. Ciao. Giuseppe
Hi @karthi2809, in the lookup there isn't the correlationId field, so how can you correlate the lookup with the results? What is the common key to use for the correlation? Then you don't need to append the lookup to the search; you can use the lookup command to join the link to the events by the correlationId (or another field). Ciao. Giuseppe
Hi @Yashvik, as I said, check the calculated fields in your app. Ciao. Giuseppe
Hi @NC_AS, how did you create your lookup: using the Splunk App for Lookup Editing or by GUI [Settings > Lookups > Lookup File]? In the second case, what are the permissions of your lookup? Usually they are Global. At least, after a few minutes, can you see the lookup in the dropdown list in the lookup Definition? I usually don't need any time to see the lookups in this dropdown list. Then, use OUTPUT or OUTPUTNEW when you want to define the fields to add to your search, or don't use it; in other words, don't use an empty OUTPUTNEW as you did. Last thing, the error you described occurs when you ask for a wrong lookup field: check the field name you used, remembering that field names are case sensitive. Ciao. Giuseppe
This is an interesting use case. Here is an idea based on @ITWhisperer's prototype.

`notable`
| search urgency IN ("high", "critical") status_label IN ("Unassigned", "New", "In Progress") NOT `suppression`
| lookup notable_xref_lookup event_id OUTPUT xref_id AS ID
| foreach search_name ID _time `text_block_fields_default`
    [eval row = mvappend(row, json_object("name", "<<FIELD>>", "value", <<FIELD>>))]
| table row
| mvexpand row
| eval column = json_extract(row, "name"), new_row = json_extract(row, "value")
| fields - row

(JSON functions require 8.1 or higher. The same can be achieved using the traditional string concatenation method.)

Using this mock data:

search_name  ID      _time     bar   foo
UC-315       7zAt/7  13:27:17  bar1  foo1
UC-231       5Dfxdf  13:27:17  bar2  foo2

the output will be (bar, foo, of course, represent `text_block_fields_default`):

column       new_row
search_name  UC-315
ID           7zAt/7
_time        13:27:17
bar          bar1
foo          foo1
search_name  UC-231
ID           5Dfxdf
_time        13:27:17
bar          bar2
foo          foo2

Here is the full emulation:

| makeresults format=csv data="search_name, ID, _time, foo, bar
UC-315, 7zAt/7, 13:27:17, foo1, bar1
UC-231, 5Dfxdf, 13:27:17, foo2, bar2"
| table search_name ID _time *
``` the above emulates
`notable`
| search urgency IN ("high", "critical") status_label IN ("Unassigned", "New", "In Progress") NOT `suppression`
| lookup notable_xref_lookup event_id OUTPUT xref_id AS ID ```
| foreach search_name ID _time * ``` * represents `text_block_fields_default` ```
    [eval row = mvappend(row, json_object("name", "<<FIELD>>", "value", <<FIELD>>))]
| table row
| mvexpand row
| eval column = json_extract(row, "name"), new_row = json_extract(row, "value")
| fields - row