All Posts
Hi, at least for the free/trial Splunk there is no unlock license to enable those searches again. I suppose it will be the same situation for dev and dev/test licenses too? This leads to the situation that you must remove and reinstall your Splunk (or find some other hint from the community on how this can be solved ;-). This will also remove those over-usage and license violation records. r. Ismo
I don't know for sure, but I think that those are basically Jupyter playbooks which are using Python? You can easily check this by installing that TA/App into your Splunk server and checking whether it starts to work after that.
Hi, I got the following error message when trying to connect to an Event Hub:

Error occurred while connecting to eventhub: CBS Token authentication failed. Status code: None Error: client-error CBS Token authentication failed. Status code: None

Can someone help here? We have a HF in our network zone and want to connect to the MS Event Hub via proxy, which we configured within the app itself. We use the Add-on for MS Cloud Services version 5.2.2. Thanks
`index=myIndex sourcetype=mySourceType | fields - PROD*` still displays events with and without `PROD*` fields. Am I doing something wrong?
SAML authenticated users are unable to access either REPORTS or ALERTS from the search app @ ./app/search/reports or from the top level menu @ Settings/Searches, reports, alerts. When they attempt to access reports from the Search app, the page stalls at "Loading Reports". When they attempt to filter on reports or alerts from "Settings/Searches, reports, alerts" a small icon appears at the bottom stating "server error". The reports are listed, but none are accessible. If the user is provided a URL to any report, everything works fine. The ability to browse the list is what is broken. Finally, if a user goes to "Settings/Searches, reports, alerts" and DOES NOT leave "Type:All", everything works fine. If the selection is changed to "Type:Reports" or "Type:Alerts" the error appears at the bottom. Debug logs do not reveal anything obvious. The permissions used for the SAML users are the default "power" role. I tried moving test users to the Admin role, no change. Also, all locally authenticated users in the same role work fine.
@Sharma21, try adding the drilldown

"eventHandlers": [
    {
        "type": "drilldown.customUrl",
        "options": {
            "url": "$row.link.value$",
            "newTab": true
        }
    }
]

Please find a run-anywhere example:

{
    "visualizations": {
        "viz_CIUVl7ST": {
            "type": "splunk.table",
            "options": {},
            "dataSources": {
                "primary": "ds_rMaj17sl"
            },
            "eventHandlers": [
                {
                    "type": "drilldown.customUrl",
                    "options": {
                        "url": "$row.link.value$",
                        "newTab": true
                    }
                }
            ]
        }
    },
    "dataSources": {
        "ds_rMaj17sl": {
            "type": "ds.search",
            "options": {
                "query": "| makeresults count=5\n|streamstats count\n| eval link=\"https://community.splunk.com/t5/Splunk-Answers/ct-p/en-us-splunk-answers/page/\" + count"
            },
            "name": "Search_1"
        }
    },
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "latest": "$global_time.latest$",
                        "earliest": "$global_time.earliest$"
                    }
                }
            }
        }
    },
    "inputs": {
        "input_global_trp": {
            "type": "input.timerange",
            "options": {
                "token": "global_time",
                "defaultValue": "-24h@h,now"
            },
            "title": "Global Time Range"
        }
    },
    "layout": {
        "type": "absolute",
        "options": {
            "width": 1440,
            "height": 960,
            "display": "auto"
        },
        "structure": [
            {
                "item": "viz_CIUVl7ST",
                "type": "block",
                "position": {
                    "x": 0,
                    "y": 0,
                    "w": 1250,
                    "h": 300
                }
            }
        ],
        "globalInputs": [
            "input_global_trp"
        ]
    },
    "description": "",
    "title": "Studio_Link"
}
Yes, it looks like a reset license. Have you sent it to devinfo@splunk.com? Other links that may help: https://www.splunk.com/en_us/resources/personalized-dev-test-licenses.html?locale=en_us https://www.splunk.com/en_us/resources/personalized-dev-test-licenses/faq.html devinfo@splunk.com
Thanks @isoutamo. According to my URL in the GUI, the SH is running on 8080. I will check the Splunk server logs. The TA is not installed. However, based on the doc below for the TA, is it necessary? "The Splunk Add-on for Microsoft Visual Studio Code provides support for debugging user Python code contained in apps, add-ons, custom search commands, custom REST handlers, modular visualizations, or any user Python code run within Splunk Enterprise." The VSC .splnb is not Python code. But is it considered a custom search command? Thanks and God bless, Genesius
@iankitkumar Yes, I did get it to work. But it depends on how the disks and mount points are set up on the existing host. If the OS disk and Splunk disk are separate, with distinct Volume Groups, then a disk swap should work. For example, on a Linux host where sda is the OS disk and sdb is the Splunk disk with mount point /opt/splunk. Here are the steps. Note: I install with .tgz files, not RPM. Of course test in your dev environment first!!

1. Install the same version of Splunk on the new host with the new Linux OS version (I use the same username/password that I used to install Splunk on the existing host).
2. Enable boot-start with systemd managed and verify the install runs correctly.
3. Shut down the old and new hosts.
4. Swap the disk.
5. Rename/re-IP and open the required firewalld ports (if needed for your environment) to verify it's working.

If you cannot do a disk swap (because the host is not configured to do so) you can always tar up /opt/splunk and untar it over /opt/splunk on the new host (on top of the fresh install of Splunk, same version). The documentation describes this method >>> Migrate a Splunk Enterprise instance from one physical machine to another - Splunk Documentation: "Your Splunk Enterprise installation is on an operating system that either your organization or Splunk no longer supports, and you want to move it to an operating system that does have support." Good luck!
I’ve already received and loaded the new license. I still cannot search. I assumed I needed a reset license. Can you share more information?
You need to re-apply for the free dev license - there's an email in the link below; it can take a while for them to send you the new license. https://dev.splunk.com/enterprise/dev_license
@anandhalagaras1 Glad it worked mate, and you're welcome
| fields - PROD*
@ITWhisperer Many thanks, it shows all events with `PROD*` field names. How can I get all events without `PROD*` field names please?
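Added example (not part of either post above): `fields - PROD*` only removes the PROD* columns from each result, it never drops results, which is why events with and without those fields are both still listed. To keep only the events that carry no PROD* field at all, test for the fields' presence per event and filter on that. The index and sourcetype names are taken from the question; `has_prod` is a hypothetical working field introduced here.

```spl
index=myIndex sourcetype=mySourceType
| foreach PROD* [ eval has_prod=if(isnotnull('<<FIELD>>'), 1, has_prod) ]
| where isnull(has_prod)
| fields - has_prod
```

`foreach PROD*` expands the eval once for every field name matching the wildcard, so has_prod becomes 1 for any event in which at least one PROD* field is set, and stays null otherwise. Swap the condition to `isnotnull(has_prod)` to get the complementary set, and keep `fields -` for the case where you really do want every event but without those columns.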
search and query are special field names which are removed from the subsearch results, i.e. if the subsearch returned ( ( search="value1" ) OR ( search="value2" ) ) it would be added to the main search as ( ( "value1" ) OR ( "value2" ) )
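Added example of that behaviour (not from the answer above). It assumes a constructed lookup blocked_ips.csv with a single column `ip`; each row builds a clause matching the address in either direction, and because the result field is named `search`, only its value, not a `search=` comparison, is spliced into the outer query. The index and field names `auth`, `src_ip` and `dest_ip` are assumptions.

```spl
index=auth action=failure
    [ | inputlookup blocked_ips.csv
      | eval search="(src_ip=\"" . ip . "\" OR dest_ip=\"" . ip . "\")"
      | fields search ]
```

With rows 198.51.100.5 and 203.0.113.9 the outer search becomes index=auth action=failure ( ( (src_ip="198.51.100.5" OR dest_ip="198.51.100.5") ) OR ( (src_ip="203.0.113.9" OR dest_ip="203.0.113.9") ) ). To inspect what a subsearch will generate, run it on its own with | format appended. Had the field been left as ip, the splice would have been ( ip="198.51.100.5" ) OR ( ip="203.0.113.9" ), which matches nothing in an index where the address lives in src_ip or dest_ip.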
Is this list the same for all identities? Is it static or does it vary over time?
The strftime function returns a string rather than the integer expected by defaultValue. Try converting the string into a number.

...
"options": {
    "query": "| makeresults | eval token_curr_date=tonumber(strftime(now(), \"%d\")) | fields token_curr_date"
},
...
Hi @rpole, use the case function in the eval command if there are few, or use a lookup containing the association between the codes and the descriptions if there are many. Ciao. Giuseppe
I have a visualization of type splunk.table in Dashboard Studio (version 9.0.2). The source table contains the column "id", from which I have derived the column "link".

sourcetype="x" | eval link = "https://xyz.com/" + id | table id, link

I want the "link" column to be visible as a hyperlink (blue and underlined) in the dashboard, such that each value of the column, when clicked, opens the respective link in a new tab. I tried making the changes below, not sure what I am doing wrong here:

"viz_jZKnPQQG": {
    "type": "splunk.table",
    "title": "x",
    "dataSources": {
        "primary": "ds_GresBkrN"
    },
    "options": {
        "tableFormat": {
            "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableRowBackgroundColorsByTheme)"
        },
        "count": 8,
        "backgroundColor": "> themes.defaultBackgroundColor",
        "showRowNumbers": true,
        "fontSize": "small",
        "showInternalFields": false
    },
    "eventHandlers": [
        {
            "type": "drilldown.customUrl",
            "options": {
                "url": "$row.link$",
                "newTab": true
            }
        }
    ]
},
@gcusello Thanks for the suggestion. This worked with only two stackIDs. What if I have multiple stackIDs to be displayed?