Hi, you need to do the basic data source onboarding process. There are a lot of different instructions on how to do it. Here are some links: https://lantern.splunk.com/Splunk_Success_Framework/Data_Management/Data_onboarding_workflow https://conf.splunk.com/files/2017/slides/data-onboarding-where-do-i-begin.pdf https://data-findings.com/wp-content/uploads/2024/04/Data-OnBoarding-2024-04-03.pdf There are many, many more presentations which you can easily find. r. Ismo
I want to separate events by date. I want to isolate red highlights that have similar formats. I don't know how. I would appreciate it if you could tell me how.
An update: the problem was not the configuration of Splunk (so the mix of new and old versions seems to be OK in this case). The root cause was in the source data. Thanks for your help anyway, PurpleRick.
Thank you for your reply. First, let me talk a little bit about my setting. I used regex101 to check the line break in my config. As for the timestamp, it matched all the events. I just tried your settings; they did not work. Of course, props.conf is in /system/local and I restarted Splunk. Any other ideas, sir?
Thanks for the response, but unfortunately it doesn't work.
YOUR_SEARCH
| eval tlogParameters = replace(tlogParameters, "'","\"")
This doesn't change anything, i.e. tlogParameters is still displayed in raw with single quotes and surrounded by double quotes, as in the original.
YOUR_SEARCH
| eval tlogParameters = replace(tlogParameters, "'","\"")
| eval _raw = tlogParameters
This gives an empty result (the same as the full query you proposed):
It depends on what it is you are trying to achieve and what you would accept as a "solution". For example, you could try adding spaces to the end of field names so the column width increases. Basically, it is a lot of trial and error to get something close to what you want, and you might not get there, so perhaps you should ask yourself, is it worth the effort?
Hi @norbertt911, if it's a random issue, I cannot help you. If instead it is a fixed (on some defined hosts) issue, you can have, in your syslog-ng.conf, two templates: one for the affected hosts and one for the others, assigning the template by host name. Ciao. Giuseppe
@anooshac Can you please try this sample code? Please observe the 2nd column width.
<dashboard version="1.1" theme="dark">
<label>table column size</label>
<row>
<panel>
<table id="tableColumWidth">
<search>
<query>|makeresults count=5 | eval A=random(), B=random(), status=A, action=A</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<html>
<style>
#tableColumWidth table th:nth-child(2),
#tableColumWidth table td:nth-child(2) {
width: 1000px !important;
overflow-wrap: anywhere !important;
}
</style>
</html>
</panel>
</row>
</dashboard>
I hope this will help you. Thanks, KV. An upvote would be appreciated if any of my replies help you solve the problem or gain knowledge.
Thank you for the quick reply. My query is: whenever I refresh the whole dashboard, I want to set a token to its default value. So is there a condition that I can use?
Hi @Siddharthnegi, there's an option to put in the dashboard header: <dashboard refresh="30"> to define the time (in seconds) after which the full dashboard is refreshed. Ciao. Giuseppe
Hi @Siddharthnegi, sorry but your question isn't so clear: if you want to refresh the full dashboard, you can click on the browser Refresh button. If you want to refresh a single panel, you can click on the panel's Refresh button (in the bottom right side of the panel). If you want to refresh a single token, you can see some previous answers (also from me): https://community.splunk.com/t5/Dashboards-Visualizations/How-to-reset-dashboard-tokens-using-XML/td-p/504857 or https://community.splunk.com/t5/Dashboards-Visualizations/How-to-add-refresh-button-to-dashboard/m-p/587776/highlight/true Ciao. Giuseppe
Hi everyone, is there a way to speed up Splunk SOAR's capability to process events? It can't process 100 events every 5 minutes.... I found a solution about the worker, but the file that solution talks about doesn't exist, which is "umsgi.ini".
@KendallW "c49b6a70qw" is an example transactionID in the field named "Transaction.ID" that is sent to the index in double quotes. I tried this search query but got the same error message: | transaction "Transaction.ID" | chart duration over _time