Hi @jreuter_splunk. Including @xpac, @Kyle_Jackson, @ben_leung, @tsteens, @muebel, @gjanders as well, since they were active on the "Is there a REST API call to apply shcluster-bundle with the deployer?" post as well. This solution is fairly old (nearly 10 years). Now that we're in 9.x, is there another way to do this? I still wasn't able to find it in the REST API Reference Manual.
I entered your sample table in a lookup zscalerip.csv:

CIDR
168.246.0.0/16
8.25.203.0/24
64.74.126.64/26
70.39.159.0/24
136.226.158.0/23

(Your original first line 168.246.*.* is not a CIDR notation, so I speculated it to be a misspelling of 168.246.0.0/16. This is immaterial to the problem at hand.)

[zscalerip.csv]
batch_index_query = 0
case_sensitive_match = 1
filename = zscalerip.csv
match_type = CIDR(CIDR)

Using the exact search I posted above, the output is

src_ip              Is_managed_device
10.0.0.0            false
166.226.118.0       false
136.226.158.0       true
185.46.212.0        false
2a03:eec0:1411::    false
Hello. In Splunk dashboards, visualization charts that display data have their background color set to white (#FFFFFF) by default, and it turns to black if I change the theme from Light to Dark. I want to find a way to get the same color behavior for the Rectangle element. Currently its default fill color is grey (#c3cbd4), and it turns to dark grey if I change the theme from Light to Dark. If I change the background color of the rectangle in settings, it stops changing color when I change the theme. How do I make the Rectangle element on a Splunk dashboard white for the Light theme and black for the Dark theme? Thanks!
Could you share that bug report info?  Or a link?  I'd love to track that.  Thanks!
Is "Start Time" an epoch time? If not, you need to parse it to an epoch time before formatting to a different format. Since you are sorting, you should parse, sort, then format.
I attempted a rollback/reinstall but got the same result. It appears to be related to the Python version that the stack is using (in my case Python 2). Run the REST command and read the verbiage in the link below.

https://docs.datapunctum.com/ame/ame-before-upgrading

Opened a case with support to determine if the stack can be upgraded to Python 3. If not, we'll need to turn in a case to have them install AME v2.0.4, which still supports Python 2. Hope this helps - best idea I have at the moment.
The problem with both of those is that they do not account for the 5 vs 6 hour shift between CDT and CST. That is, solutions like this that use relative_time manually subtract 5 or 6 hours, but do not differentiate when to make that shift (March-ish to November-ish), whereas Splunk has TZ awareness since the user can set it in their profile. Seems like there should be a way (a function?) to tap into that, but something like relative_time(epoch, "CST6CDT") doesn't seem to exist. Many thanks for the great conversation; as per usual, I'm learning!
Hi @loganramirez, you can use the solution in the shared link or the function relative_time in eval. Ciao. Giuseppe
Hello! I am having an issue getting annotations to work within the Dashboard Studio column chart. I have tried a bunch of different ways, but it isn't cooperating. The chart I have is just System_Name on the X axis and Risk_Score on the Y axis. I'd like to be able to highlight where the System_Name in question shows up on the chart, as the annotation examples in the documentation have demonstrated. My current code for the chart is as follows. Does anyone have any suggestions as to what I'm doing wrong here?

Chart itself:

{
  "type": "splunk.column",
  "options": {
    "seriesColorsByField": {},
    "annotationColor": "> annotation | seriesByIndex('2')",
    "annotationLabel": "> annotation | seriesByIndex('1')",
    "annotationX": "> annotation | seriesByIndex('0')",
    "legendDisplay": "off"
  },
  "dataSources": {
    "primary": "ds_abUJLKDj",
    "annotation": "ds_YPQ3EYqR"
  },
  "showProgressBar": false,
  "showLastUpdated": false,
  "context": {}
}

Searches:

"ds_abUJLKDj": {
  "type": "ds.search",
  "options": {
    "query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2)\n| sort Risk_Score"
  },
  "name": "risk_score_chart"
},
"ds_YPQ3EYqR": {
  "type": "ds.search",
  "options": {
    "query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2), color=\"#f44336\", Annotation_Label= (\"The risk score for $system_name$ is \" + Risk_Score) \n| sort Risk_Score\n| where System_Name = \"$system_name$\"\n| table System_Name, Annotation_Label, color"
  },
  "name": "risk_score_chart_annotation"
}
Hi all, in the past I used a CLI command to disable the indicators feature. Do you know how I can enable it back?
Thanks, I did a reinstallation. And just to be sure, I had to save and restore \var\lib\splunk. Thanks for your help, have a good day.
@harishlnu For the forwarding part: https://docs.splunk.com/Documentation/SOARonprem/6.2.1/Admin/Forwarders

The other element is just using SPL to look for things in the logs sent from SOAR to Splunk. The Splunk app for SOAR will have docs on what sourcetypes it sends through, which would include ingestd.log. You should have enough information now to do some research and start to develop what you need. -- Happy SOARing --
Morning, Splunkers. I've got a dashboard that gets some of its input from an external link. The input that comes in determines which system is being displayed by the dashboard, with different settings through a <change> line in each, then shows the necessary information in a line graph. That part is working perfectly, but what I'm trying to do is set the color of the line graph based on the system chosen, and I'm trying to keep it simple for future edits. I've set the colors I'm currently using in the <init> section as follows:

<init>
  <set token="red">0xFF3333</set>
  <set token="purple">0x8833FF</set>
  <set token="green">0x00FF00</set>
</init>

The system selection looks like this:

<input token="system" depends="$NotDisplayed$">
  <change>
    <condition value="System-A">
      <set token="index_filter">index_A</set>
      <set token="display_name">System-A</set>
      <set token="color">$purple$</set>
    </condition>
    <condition value="System-B">
      <set token="index_filter">index_B</set>
      <set token="display_name">System-B</set>
      <set token="color">$green$</set>
    </condition>
    <condition value="System-C">
      <set token="index_filter">index_C</set>
      <set token="display_name">System-C</set>
      <set token="color">$red$</set>
    </condition>
  </change>
</input>

I now have a single query window putting up a line graph with the necessary information brought in from the external link. Like I said above, that part works perfectly, but what DOESN'T work is the color. Here's what my option field currently looks like:

<option name="charting.fieldColors">{"MyField":$color$}</option>

The idea here is that if I add future systems, I don't have to keep punching in hex codes for colors; I just enter a color name token. Unfortunately, what ends up happening is the line graph color is black, no matter what color I use. If I take the $color$ token out of the code and put in the hex code directly, it works fine. It also works if I put the hex code directly in the system selection instead of the color name token.
Is there a trick to having a token reference another token in a dashboard? Or is this one of those "quit being fancy and do it the hard way" type of things? Any help will be appreciated. Running Splunk 8.2.4, in case it matters.
Hello, after upgrading from Classic to Victoria Experience on our Splunk Cloud stack, we have encountered issues retrieving data from AWS SQS-based S3. The inputs remained after the migration, but for some, it seems the SQS queue name is missing. When we try to configure these inputs, we immediately receive a 404 error in python.log. Please see the screenshot below for reference. Furthermore, the error message indicates that the SQS queue may not be present in the given region. However, we have confirmed that the queue does exist in the specified region. Has anyone else experienced this issue and can offer assistance? Thank you.
@phanTom could you please help me with documentation for reference?
So use eval and transform the epoch value to the desired TZ? I haven't found a built-in Splunk function for that, just threads like this that use the offset, but since that changes from 5 to 6 hours with daylight saving, do you know of one that supports 'cst6cdt'? And thank you! Overall that approach makes sense to me: pass something (make something to pass) other than the click.value.
Missing props could be a problem. Try these settings.

[app:json]
TIME_PREFIX = ^
TIME_FORMAT = %s
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = FALSE
MAX_TIMESTAMP_LOOKAHEAD = 10
TRUNCATE = 10000
EVENT_BREAKER_ENABLE = TRUE
EVENT_BREAKER = ([\r\n]+)

Note the change in sourcetype name. Avoid using hyphens in identifiers since they could be mistaken for the subtraction operator. By default, Splunk will not search future times, so it won't detect timestamps that were misinterpreted in that direction. Try

index=app_prod earliest=-1y latest=+1y
My current search is something like this:

(index=1 sourcetype="x") OR (index=2 sourcetype="y" "some extra filters") "*(a name like RU3NDS just for testing but there are many like this one)*"
| eval joined_name = upper(coalesce(NAME, name))

NAME (upper) is from index 1, and name (lower) is from index 2, and this gave me a table like this:

joined_name               other values from index 1   other values from index 2
H-RU3NDS_DAT_CDSD231_01                               ...
H-RU3NDS_DAT_CDSD231_02                               ...
RU3NDS                    ...

The first two values are from index number 2 and the third is from index number 1. I need to join this first column as a unique value like RU3NDS. I've tried the rex command too, but it didn't work.
Has anyone noticed that push notifications through the Splunk Mobile app have stopped working recently? We are using Splunk on-prem, with Splunk Secure Gateway set up with prod.spacebridge.spl.mobi as the Gateway, but I noticed the notifications stopped appearing on my home screen when my iPhone was locked. Other colleagues using different devices are complaining of the same issue. I can't remember the exact date, but it may have been around the 3rd of May. No changes to our config have been made, but I'd be interested to know if anyone else is having this issue.
@harishlnu If a Correlation Search is configured to send to SOAR, then you just need the _internal logs for the modaction send_to_phantom to be checked for failures in sending, and then also use ingestd.log to look for failures to ingest on the SOAR side. The ingestd.log should be one of the DAEMON logs you can forward from SOAR to Splunk.